
Doenerium Stealer

Doenerium is a malicious information stealer disguised as the Windows Malicious Software Removal Tool. It steals data from cryptocurrency wallets, browsers, and clipboard memory, as well as system information. It also allows threat actors to mine cryptocurrency on compromised computers by hijacking their hardware resources.

Once executed on the victim's device, the malware first creates an exfiltration folder that holds the subfolders Doenerium uses to stage stolen data. The threat targets several prominent cryptocurrency wallets, including Ethereum, Armory, AtomicWallet, Electrum, Bytecoin, Coinomi, Guarda, Jaxx, and Zcash; the wallet data it harvests is collected in a subfolder named 'Wallets.' Additionally, Doenerium collects Discord tokens and browser data, such as autofill details, bookmarks, cookies, and passwords.

Furthermore, the threat carries a clipper module, which scans the clipboard memory of the infected system for cryptocurrency wallet addresses. If a match is found, Doenerium Stealer silently replaces the address the victim copied with the attacker's wallet address. As a result, the transaction deposits the funds into the cybercriminals' account, leaving victims with few options for recovering their money.
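The defining trait of a clipper is that clipboard contents change from one wallet address to a different address of the same type without the user copying anything. The following is an added detection example written for this entry; it is not code from the original page or from the malware. It assumes a monitoring agent that can sample the clipboard and knows whether a user copy action (for example Ctrl+C) occurred at each sample; the address regexes and the sample clipboard history are the editor's own constructions.

```python
import re
from dataclasses import dataclass

# Address-format patterns (assumed by the editor, not taken from the page).
# Only a few formats are covered; extend as needed for other wallet types.
ADDRESS_PATTERNS = {
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "bitcoin_legacy": re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$"),
    "bitcoin_bech32": re.compile(r"^bc1[02-9ac-hj-np-z]{25,62}$"),
}


def classify_address(text):
    """Return the address family of `text`, or None if it is not an address."""
    text = text.strip()
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return name
    return None


@dataclass
class ClipboardSample:
    t: float          # seconds since monitoring started
    content: str      # clipboard text at that moment
    user_copy: bool   # True if a user copy action was observed at this sample


def detect_clipper_swaps(samples):
    """Flag transitions where one wallet address becomes a different address of
    the same family with no user copy action: the clipper signature.

    Returns a list of (time, original_address, replacement_address)."""
    alerts = []
    prev = None
    for sample in samples:
        if prev is not None:
            kind_prev = classify_address(prev.content)
            kind_now = classify_address(sample.content)
            if (kind_prev is not None
                    and kind_now == kind_prev
                    and sample.content != prev.content
                    and not sample.user_copy):
                alerts.append((sample.t, prev.content, sample.content))
        prev = sample
    return alerts


# Constructed sample data: placeholder addresses, not real wallets.
VICTIM_ETH = "0x" + "a1" * 20
SWAPPED_ETH = "0x" + "b2" * 20
OTHER_ETH = "0x" + "c3" * 20
BTC_ADDR = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"

SAMPLES = [
    ClipboardSample(0.0, VICTIM_ETH, True),        # user copies their own address
    ClipboardSample(0.3, SWAPPED_ETH, False),      # silently replaced: should alert
    ClipboardSample(5.0, "meeting at 3pm", True),  # ordinary text, not an address
    ClipboardSample(9.0, BTC_ADDR, True),          # user copies a BTC address
    ClipboardSample(12.0, OTHER_ETH, True),        # deliberate copy of another address: no alert
]


def run_demo():
    return detect_clipper_swaps(SAMPLES)


if __name__ == "__main__":
    for t, before, after in run_demo():
        print(f"t={t}: clipboard address swapped {before} -> {after}")
```

The check deliberately ignores a change to a different address family and any change that coincides with a user copy action, which keeps false positives low when a user legitimately copies several addresses in a row. On a real endpoint the `user_copy` signal would come from input or clipboard-owner telemetry rather than from a constructed list.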

After collecting the targeted data, Doenerium compresses it into a .ZIP archive file and sends it to a free file-sharing or storage platform. Once the stolen information is uploaded, Doenerium removes the changes it has made to the system by deleting the ZIP file and its exfiltration folder from the victim's device.
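The staging-then-wipe sequence (create an exfiltration folder, write a ZIP, delete both shortly afterwards) is a behavioural pattern that file-activity telemetry can catch even when the file names change. The following is an added example written for this entry, not code from the page or the malware; it runs over constructed file-event lines in a made-up `time pid action path` layout, so the parser and field names are assumptions, as is the five-minute correlation window.

```python
import re
from collections import defaultdict

# Constructed telemetry (not real logs): one process stages data, zips it
# and wipes both; a second process just writes an ordinary archive.
EVENTS = """\
10:00:01 4120 CreateDir C:\\Users\\v\\AppData\\Local\\Temp\\exfil
10:00:01 4120 CreateDir C:\\Users\\v\\AppData\\Local\\Temp\\exfil\\Wallets
10:00:02 4120 WriteFile C:\\Users\\v\\AppData\\Local\\Temp\\exfil\\Wallets\\electrum.dat
10:00:05 4120 WriteFile C:\\Users\\v\\AppData\\Local\\Temp\\exfil.zip
10:00:09 4120 DeleteFile C:\\Users\\v\\AppData\\Local\\Temp\\exfil.zip
10:00:09 4120 DeleteDir C:\\Users\\v\\AppData\\Local\\Temp\\exfil
10:01:00 2200 WriteFile C:\\Users\\v\\Documents\\report.zip
"""

LINE_RE = re.compile(r"^(\d\d):(\d\d):(\d\d) (\d+) (\w+) (.+)$")


def parse_events(text):
    """Parse the assumed 'HH:MM:SS pid action path' lines into tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than failing the whole batch
        h, mi, s, pid, action, path = m.groups()
        seconds = int(h) * 3600 + int(mi) * 60 + int(s)
        events.append((seconds, int(pid), action, path))
    return events


def find_stage_and_wipe(events, window=300):
    """Return one hit per process that wrote a .zip, deleted the same .zip
    within `window` seconds, and removed a directory it had created itself."""
    by_pid = defaultdict(list)
    for ev in events:
        by_pid[ev[1]].append(ev)

    hits = []
    for pid, evs in by_pid.items():
        created_dirs = {p for _, _, a, p in evs if a == "CreateDir"}
        deleted_dirs = {p for _, _, a, p in evs if a == "DeleteDir"}
        zip_writes = {p: t for t, _, a, p in evs
                      if a == "WriteFile" and p.lower().endswith(".zip")}
        zip_deletes = {p: t for t, _, a, p in evs
                       if a == "DeleteFile" and p.lower().endswith(".zip")}
        wiped_dirs = created_dirs & deleted_dirs
        # The 'Wallets' folder name comes from the page; it is a weak indicator
        # on its own because a later build could rename it.
        wallets_seen = any(p.rstrip("\\").split("\\")[-1].lower() == "wallets"
                           for p in created_dirs)
        for path, t_write in zip_writes.items():
            t_del = zip_deletes.get(path)
            if t_del is not None and 0 <= t_del - t_write <= window and wiped_dirs:
                hits.append({
                    "pid": pid,
                    "archive": path,
                    "staging_dirs": sorted(wiped_dirs),
                    "wallets_folder_seen": wallets_seen,
                })
    return hits


def run_demo():
    return find_stage_and_wipe(parse_events(EVENTS))


if __name__ == "__main__":
    for hit in run_demo():
        print(f"pid {hit['pid']}: short-lived archive {hit['archive']} and "
              f"self-wiped staging dirs {hit['staging_dirs']}")
```

The timing-based rule (archive written and deleted by the same process within minutes, alongside removal of a directory that process created) is the durable signal; the `wallets_folder_seen` flag only raises confidence when the folder name from this entry is still in use.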
