What is Coyote banking trojan

Coyote is a multi-stage banking Trojan that leverages the Squirrel installer for distribution, a method not commonly associated with malware delivery. It is named “Coyote” due to its predatory nature, akin to coyotes being natural predators of squirrels, which is a playful nod to its use of the Squirrel installer. The malware is notable for its sophisticated infection chain, utilizing NodeJS and a relatively new multi-platform programming language called Nim as a loader to complete its infection process. The Coyote banking Trojan is a sophisticated malware targeting over 60 banking institutions, primarily in Brazil. It employs advanced evasion tactics to steal sensitive financial information from victims. This article provides an in-depth look at what Coyote is, how it infects computers, and how to remove it, with a focus on the Windows operating system, as the Trojan specifically targets Windows desktop applications for its distribution and execution.


How Coyote banking trojan infected your system

Coyote’s infection process is complex and involves several stages:

Distribution: Coyote uses the Squirrel installer, an open-source tool for installing and updating Windows desktop applications. This choice of installer allows Coyote to hide its initial stage loader by masquerading as a legitimate update packager.
Execution: Upon execution, Coyote runs a NodeJS application that executes obfuscated JavaScript code. This code’s end goal is to launch a genuine piece of software necessary for carrying out the further infection stage through DLL side-loading.
Loader Stage: The Trojan employs a loader written in Nim, a modern, cross-platform programming language. This loader unpacks and launches Coyote’s executable, a .NET application, completing the infection process.
Persistence and Evasion: Coyote achieves persistence by abusing Windows logon scripts and employs advanced evasion tactics, including string obfuscation with AES encryption and using SSL channels with mutual authentication for communication with its command-and-control (C2) server.
Malicious Activities: Once installed, Coyote monitors all open applications on the victim’s system, waiting for specific banking applications or websites to be accessed. It can execute a wide range of commands, including taking screenshots, logging keystrokes, displaying fake overlays, and more, to steal sensitive financial information.
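The Distribution and Execution stages above combine a Squirrel-style install with DLL side-loading, which on disk looks like a validly signed executable sitting next to a DLL that is not validly signed. The following PowerShell check is an added example, not part of the original article or any vendor tool; the function names are hypothetical and it assumes Squirrel's default per-user layout under %LocalAppData%.

```powershell
# Added example: read-only heuristic, nothing is deleted or changed.
# Assumption: Squirrel's default per-user layout,
#   %LocalAppData%\<App>\Update.exe with app-<version> folders beside it.
function Get-SigStatus([string]$Path) {
    # 'Valid' = intact Authenticode signature that chains to a trusted root
    (Get-AuthenticodeSignature -LiteralPath $Path).Status.ToString()
}

function Find-SideLoadCandidate([string]$Root = $env:LOCALAPPDATA) {
    # -Depth 1 looks only at <Root>\<App>\Update.exe (needs PowerShell 5+)
    $updaters = Get-ChildItem -Path $Root -Filter 'Update.exe' -File -Recurse -Depth 1 -ErrorAction SilentlyContinue
    foreach ($updater in $updaters) {
        $versions = Get-ChildItem -LiteralPath $updater.DirectoryName -Directory -Filter 'app-*' -ErrorAction SilentlyContinue
        foreach ($dir in $versions) {
            # Side-loading needs a trusted host: keep only folders holding a validly signed EXE
            $signedExes = @(Get-ChildItem -LiteralPath $dir.FullName -Filter '*.exe' -File |
                Where-Object { (Get-SigStatus $_.FullName) -eq 'Valid' })
            if ($signedExes.Count -eq 0) { continue }
            # Any DLL beside it that is not validly signed is a candidate for review
            foreach ($dll in Get-ChildItem -LiteralPath $dir.FullName -Filter '*.dll' -File) {
                $status = Get-SigStatus $dll.FullName
                if ($status -ne 'Valid') {
                    [pscustomobject]@{
                        App       = $updater.Directory.Name
                        SignedExe = ($signedExes.Name -join ', ')
                        Dll       = $dll.FullName
                        DllStatus = $status
                        Written   = $dll.LastWriteTime
                    }
                }
            }
        }
    }
}

Find-SideLoadCandidate | Sort-Object Written -Descending | Format-Table -AutoSize -Wrap
```

Legitimate applications also ship unsigned DLLs, so treat each row as something to review (publisher, install date, whether you installed the application), not as a detection.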

  1. Download Coyote banking trojan Removal Tool
  2. Use Windows Malicious Software Removal Tool to remove Coyote banking trojan
  3. Use Autoruns to remove Coyote banking trojan
  4. Files, folders and registry keys of Coyote banking trojan
  5. Other aliases of Coyote banking trojan
  6. How to protect from threats, like Coyote banking trojan

Download Removal Tool


To remove Coyote banking trojan completely, we recommend using SpyHunter 5. It can help you remove files, folders, and registry keys of Coyote banking trojan and provides active protection from viruses, trojans, and backdoors. The trial version of SpyHunter 5 offers a virus scan and 1-time removal for FREE.

Download Alternative Removal Tool

Download Malwarebytes

To remove Coyote banking trojan completely, we recommend using Malwarebytes Anti-Malware. It detects and removes all files, folders, and registry keys of Coyote banking trojan and several million other malware samples, such as viruses, trojans, and backdoors.

Remove Coyote banking trojan manually

Manual removal of Coyote banking trojan can be difficult for inexperienced users because it does not create entries in Add/Remove Programs under Control Panel, does not install browser extensions, and uses random file names. However, Windows includes pre-installed tools that allow you to detect and remove malware without using third-party applications. One of them is Windows Malicious Software Removal Tool. It comes with Windows Update in Windows 11, 10, 8, and 8.1. For older operating systems you can download it here: 64-bit version | 32-bit version.

Remove Coyote banking trojan using Windows Malicious Software Removal Tool

  1. Type mrt in the search box near the Start Menu.
  2. Run mrt by clicking on the found item.
  3. Click the Next button.
  4. Choose one of the scan modes: Quick scan, Full scan, Customize scan (Full scan recommended).
  5. Click the Next button.
  6. Click the View detailed results of the scan link to view the scan details.
  7. Click the Finish button.

Remove Coyote banking trojan using Autoruns

Coyote banking trojan often sets itself up to run at Windows startup as an Autorun entry or Scheduled task.

  1. Download Autoruns using this link.
  2. Extract the archive and run the Autoruns.exe file.
  3. In the Options menu, make sure Hide Empty Locations, Hide Microsoft Entries, and Hide Windows Entries are checked.
  4. Search for suspicious entries with weird names or running from locations like: C:\Users\{username}\AppData\Roaming.
  5. Right-click on the suspicious entry and choose Delete. This will prevent the threat from running at startup.
  6. Switch to the Scheduled Tasks tab and do the same.
  7. To remove the files themselves, click on suspicious entries and choose Jump to Entry…. Remove the files or registry keys found.
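The same review can be scripted. The PowerShell below is an added example, not part of the original article or of Autoruns: it lists autostart entries whose command points into the user profile's AppData folders, plus the per-user logon script mentioned under Persistence and Evasion. The function name is hypothetical, and the use of the UserInitMprLogonScript value is an assumption, since the article says only "Windows logon scripts".

```powershell
# Added example: read-only triage; nothing is deleted or modified.
function Get-AutostartCandidate {
    # User-writable roots; an autostart pointing here deserves a closer look
    $pattern = (@($env:APPDATA, $env:LOCALAPPDATA) | ForEach-Object { [regex]::Escape($_) }) -join '|'

    # 1. Per-user logon script (assumed mechanism: HKCU\Environment\UserInitMprLogonScript).
    #    Report any value, because it is rarely set on a home PC.
    $logon = (Get-ItemProperty -Path 'HKCU:\Environment' -Name 'UserInitMprLogonScript' -ErrorAction SilentlyContinue).UserInitMprLogonScript
    if ($logon) {
        [pscustomobject]@{ Source = 'LogonScript'; Name = 'UserInitMprLogonScript'; Command = $logon }
    }

    # 2. Run / RunOnce keys for the current user and the machine
    $runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $runKeys) {
        $item = Get-Item -Path $key -ErrorAction SilentlyContinue
        if (-not $item) { continue }
        foreach ($name in $item.GetValueNames()) {
            $cmd = [string]$item.GetValue($name)   # expands %VAR% in REG_EXPAND_SZ values
            if ($cmd -match $pattern) {
                [pscustomobject]@{ Source = $key; Name = $name; Command = $cmd }
            }
        }
    }

    # 3. Scheduled tasks whose action runs something from AppData
    foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        foreach ($action in $task.Actions) {
            # Non-exec (COM handler) actions have no Execute property and yield an empty string
            $cmd = [Environment]::ExpandEnvironmentVariables("$($action.Execute) $($action.Arguments)")
            if ($cmd -match $pattern) {
                [pscustomobject]@{ Source = "Task $($task.TaskPath)"; Name = $task.TaskName; Command = $cmd }
            }
        }
    }
}

Get-AutostartCandidate | Format-List
```

Per-user installers of legitimate software also start from AppData, so compare each entry against what you knowingly installed before deleting anything in Autoruns.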

Remove files, folders and registry keys of Coyote banking trojan

Coyote banking trojan files and folders


{randomname}.exe

Coyote banking trojan registry keys


no information

Aliases of Coyote banking trojan

no information

How to protect from threats, like Coyote banking trojan, in future


Standard Windows protection or any decent third-party antivirus (Norton, Avast, Kaspersky) should be able to detect and remove Coyote banking trojan. However, if you were infected with Coyote banking trojan despite having existing, updated security software, you may consider changing it. To feel safe and protect your PC from Coyote banking trojan on all levels (browser, e-mail attachments, Word or Excel scripts, file system), we recommend a leading provider of internet security solutions – BitDefender. Its solutions for both home and business users have proved to be among the most advanced and effective. Choose and get your BitDefender protection via the button below:

Download BitDefender
James Kramer
Hello, I'm James. My website, Bugsfighter.com, is a culmination of a decade's journey in the realms of computer troubleshooting, software testing, and development. My mission here is to offer you comprehensive, yet user-friendly guides across a spectrum of topics in this niche. Should you encounter any challenges with the software or the methodologies I endorse, please know that I am readily accessible for assistance. For any inquiries or further communication, feel free to reach out through the 'Contacts' page. Your journey towards seamless computing starts here.