Technical Information
Malicious functions
Reads files which store third party applications passwords
- %LOCALAPPDATA%\google\chrome\user data\default\web data
- %LOCALAPPDATA%\google\chrome\user data\default\login data
- %LOCALAPPDATA%\google\chrome\user data\default\cookies
- %HOMEPATH%\desktop\dialmap.bmp
- %APPDATA%\opera software\opera stable\login data
Searches for windows to
detect analytical utilities:
- ClassName: 'RegmonClass', WindowName: ''
- ClassName: 'FilemonClass', WindowName: ''
- ClassName: 'PROCMON_WINDOW_CLASS', WindowName: ''
Modifies file system
Creates the following files
- %TEMP%\stealerium-latest.log
- %TEMP%\tmp2d56.tmp.dat
- %TEMP%\tmp2d95.tmp.dat
- %TEMP%\tmp2da6.tmp.dat
- %LOCALAPPDATA%\084faf443301f19306014627762bcd0d\user@fpqioanxvtv_en-us\directories\desktop.txt
- %LOCALAPPDATA%\084faf443301f19306014627762bcd0d\user@fpqioanxvtv_en-us\directories\documents.txt
- %LOCALAPPDATA%\084faf443301f19306014627762bcd0d\user@fpqioanxvtv_en-us\directories\pictures.txt
- %LOCALAPPDATA%\084faf443301f19306014627762bcd0d\user@fpqioanxvtv_en-us\directories\videos.txt
- %LOCALAPPDATA%\084faf443301f19306014627762bcd0d\user@fpqioanxvtv_en-us\grabber\drive-f\dialmap.bmp
- %LOCALAPPDATA%\084faf443301f19306014627762bcd0d\user@fpqioanxvtv_en-us\directories\startup.txt
- %LOCALAPPDATA%\084faf443301f19306014627762bcd0d\user@fpqioanxvtv_en-us\grabber\drive-f\browse.html
- %LOCALAPPDATA%\084faf443301f19306014627762bcd0d\user@fpqioanxvtv_en-us\directories\downloads.txt
- %LOCALAPPDATA%\084faf443301f19306014627762bcd0d\user@fpqioanxvtv_en-us\grabber\drive-f\about.html
- %LOCALAPPDATA%\084faf443301f19306014627762bcd0d\user@fpqioanxvtv_en-us\system\info.txt
- %LOCALAPPDATA%\084faf443301f19306014627762bcd0d\user@fpqioanxvtv_en-us\grabber\drive-f\ituneshelpunavailable.html
- %LOCALAPPDATA%\084faf443301f19306014627762bcd0d\user@fpqioanxvtv_en-us\system\productkey.txt
- %LOCALAPPDATA%\084faf443301f19306014627762bcd0d\user@fpqioanxvtv_en-us\grabber\drive-f\block.png
- %LOCALAPPDATA%\084faf443301f19306014627762bcd0d\user@fpqioanxvtv_en-us\grabber\drive-f\breakpoint.png
- %LOCALAPPDATA%\084faf443301f19306014627762bcd0d\user@fpqioanxvtv_en-us\grabber\drive-f\bg_search_box.png
- %LOCALAPPDATA%\084faf443301f19306014627762bcd0d\user@fpqioanxvtv_en-us\grabber\drive-f\arrow-down.png
- %LOCALAPPDATA%\084faf443301f19306014627762bcd0d\user@fpqioanxvtv_en-us\system\debug.txt
- %LOCALAPPDATA%\084faf443301f19306014627762bcd0d\user@fpqioanxvtv_en-us\directories\temp.txt
- %LOCALAPPDATA%\084faf443301f19306014627762bcd0d\user@fpqioanxvtv_en-us\directories\drive-f.txt
- %LOCALAPPDATA%\084faf443301f19306014627762bcd0d\user@fpqioanxvtv_en-us\system\process.txt
- %LOCALAPPDATA%\084faf443301f19306014627762bcd0d\user@fpqioanxvtv_en-us\system\desktop.jpg
- %LOCALAPPDATA%\084faf443301f19306014627762bcd0d\user@fpqioanxvtv_en-us\browsers\opera\bookmarks.txt
- %LOCALAPPDATA%\084faf443301f19306014627762bcd0d\user@fpqioanxvtv_en-us\grabber\drive-f\tree_view.html
- %LOCALAPPDATA%\084faf443301f19306014627762bcd0d\user@fpqioanxvtv_en-us\browsers\opera\history.txt
- %TEMP%\tmp2986.tmp.dat
- %TEMP%\tmp254b.tmp.dat
- %TEMP%\tmp26b3.tmp.dat
- %LOCALAPPDATA%\084faf443301f19306014627762bcd0d\user@fpqioanxvtv_en-us\messenger\telegram\d877f783d5d3ef8c\map0
- %TEMP%\tmp2722.tmp.dat
- %TEMP%\tmp26e3.tmp.dat
- %TEMP%\tmp2781.tmp.dat
- %LOCALAPPDATA%\084faf443301f19306014627762bcd0d\user@fpqioanxvtv_en-us\messenger\telegram\settings0
- %LOCALAPPDATA%\084faf443301f19306014627762bcd0d\user@fpqioanxvtv_en-us\messenger\telegram\usertag
- %TEMP%\tmp27d0.tmp.dat
- %TEMP%\tmp2928.tmp.dat
- %LOCALAPPDATA%\084faf443301f19306014627762bcd0d\user@fpqioanxvtv_en-us\browsers\firefox\bookmarks.txt
- %LOCALAPPDATA%\084faf443301f19306014627762bcd0d\user@fpqioanxvtv_en-us\browsers\firefox\cookies.txt
- %TEMP%\tmp2c4b.tmp.dat
- %LOCALAPPDATA%\084faf443301f19306014627762bcd0d\user@fpqioanxvtv_en-us\gaming\steam\configs\config.vdf
- %LOCALAPPDATA%\084faf443301f19306014627762bcd0d\user@fpqioanxvtv_en-us\gaming\steam\configs\dialogconfig.vdf
- %TEMP%\tmp2a52.tmp.dat
- %LOCALAPPDATA%\084faf443301f19306014627762bcd0d\user@fpqioanxvtv_en-us\browsers\google\cookies.txt
- %LOCALAPPDATA%\084faf443301f19306014627762bcd0d\user@fpqioanxvtv_en-us\grabber\drive-c\users\user\desktop\dialmap.bmp
- %TEMP%\tmp2ae0.tmp.dat
- %TEMP%\tmp2b00.tmp.dat
- %TEMP%\tmp2b30.tmp.dat
- %LOCALAPPDATA%\084faf443301f19306014627762bcd0d\user@fpqioanxvtv_en-us\browsers\firefox\history.txt
- %TEMP%\tmp2c0b.tmp.dat
- %TEMP%\tmp2c4a.tmp.dat
- %LOCALAPPDATA%\084faf443301f19306014627762bcd0d\user@fpqioanxvtv_en-us\browsers\opera\cookies.txt
- %LOCALAPPDATA%\084faf443301f19306014627762bcd0d\user@fpqioanxvtv_en-us\system\windows.txt
Deletes the following files
- %TEMP%\tmp26b3.tmp.dat
- %LOCALAPPDATA%\084faf443301f19306014627762bcd0d\user@fpqioanxvtv_en-us\directories\startup.txt
- %LOCALAPPDATA%\084faf443301f19306014627762bcd0d\user@fpqioanxvtv_en-us\directories\temp.txt
- %LOCALAPPDATA%\084faf443301f19306014627762bcd0d\user@fpqioanxvtv_en-us\directories\videos.txt
- %LOCALAPPDATA%\084faf443301f19306014627762bcd0d\user@fpqioanxvtv_en-us\gaming\steam\configs\config.vdf
- %LOCALAPPDATA%\084faf443301f19306014627762bcd0d\user@fpqioanxvtv_en-us\gaming\steam\configs\dialogconfig.vdf
- %LOCALAPPDATA%\084faf443301f19306014627762bcd0d\user@fpqioanxvtv_en-us\grabber\drive-c\users\user\desktop\dialmap.bmp
- %LOCALAPPDATA%\084faf443301f19306014627762bcd0d\user@fpqioanxvtv_en-us\grabber\drive-f\about.html
- %LOCALAPPDATA%\084faf443301f19306014627762bcd0d\user@fpqioanxvtv_en-us\grabber\drive-f\arrow-down.png
- %LOCALAPPDATA%\084faf443301f19306014627762bcd0d\user@fpqioanxvtv_en-us\grabber\drive-f\bg_search_box.png
- %LOCALAPPDATA%\084faf443301f19306014627762bcd0d\user@fpqioanxvtv_en-us\grabber\drive-f\block.png
- %TEMP%\tmp2c4a.tmp.dat
- %LOCALAPPDATA%\084faf443301f19306014627762bcd0d\user@fpqioanxvtv_en-us\grabber\drive-f\breakpoint.png
- %LOCALAPPDATA%\084faf443301f19306014627762bcd0d\user@fpqioanxvtv_en-us\grabber\drive-f\dialmap.bmp
- %LOCALAPPDATA%\084faf443301f19306014627762bcd0d\user@fpqioanxvtv_en-us\grabber\drive-f\ituneshelpunavailable.html
- %LOCALAPPDATA%\084faf443301f19306014627762bcd0d\user@fpqioanxvtv_en-us\grabber\drive-f\tree_view.html
- %LOCALAPPDATA%\084faf443301f19306014627762bcd0d\user@fpqioanxvtv_en-us\messenger\telegram\d877f783d5d3ef8c\map0
- %LOCALAPPDATA%\084faf443301f19306014627762bcd0d\user@fpqioanxvtv_en-us\messenger\telegram\settings0
- %LOCALAPPDATA%\084faf443301f19306014627762bcd0d\user@fpqioanxvtv_en-us\messenger\telegram\usertag
- %LOCALAPPDATA%\084faf443301f19306014627762bcd0d\user@fpqioanxvtv_en-us\system\debug.txt
- %LOCALAPPDATA%\084faf443301f19306014627762bcd0d\user@fpqioanxvtv_en-us\system\desktop.jpg
- %LOCALAPPDATA%\084faf443301f19306014627762bcd0d\user@fpqioanxvtv_en-us\system\info.txt
- %LOCALAPPDATA%\084faf443301f19306014627762bcd0d\user@fpqioanxvtv_en-us\system\process.txt
- %LOCALAPPDATA%\084faf443301f19306014627762bcd0d\user@fpqioanxvtv_en-us\directories\drive-f.txt
- %LOCALAPPDATA%\084faf443301f19306014627762bcd0d\user@fpqioanxvtv_en-us\directories\pictures.txt
- %LOCALAPPDATA%\084faf443301f19306014627762bcd0d\user@fpqioanxvtv_en-us\directories\downloads.txt
- %LOCALAPPDATA%\084faf443301f19306014627762bcd0d\user@fpqioanxvtv_en-us\directories\documents.txt
- %LOCALAPPDATA%\084faf443301f19306014627762bcd0d\user@fpqioanxvtv_en-us\directories\desktop.txt
- %TEMP%\tmp26e3.tmp.dat
- %TEMP%\tmp2781.tmp.dat
- %TEMP%\tmp2722.tmp.dat
- %TEMP%\tmp27d0.tmp.dat
- %TEMP%\tmp2928.tmp.dat
- %TEMP%\tmp2986.tmp.dat
- %TEMP%\tmp2a52.tmp.dat
- %TEMP%\tmp2ae0.tmp.dat
- %TEMP%\tmp2b00.tmp.dat
- %TEMP%\tmp2b30.tmp.dat
- %LOCALAPPDATA%\084faf443301f19306014627762bcd0d\user@fpqioanxvtv_en-us\system\productkey.txt
- %LOCALAPPDATA%\084faf443301f19306014627762bcd0d\user@fpqioanxvtv_en-us\grabber\drive-f\browse.html
- %TEMP%\tmp2c0b.tmp.dat
- %TEMP%\tmp2d56.tmp.dat
- %TEMP%\tmp2d95.tmp.dat
- %TEMP%\tmp2da6.tmp.dat
- %LOCALAPPDATA%\084faf443301f19306014627762bcd0d\user@fpqioanxvtv_en-us\browsers\firefox\bookmarks.txt
- %LOCALAPPDATA%\084faf443301f19306014627762bcd0d\user@fpqioanxvtv_en-us\browsers\firefox\cookies.txt
- %LOCALAPPDATA%\084faf443301f19306014627762bcd0d\user@fpqioanxvtv_en-us\browsers\firefox\history.txt
- %LOCALAPPDATA%\084faf443301f19306014627762bcd0d\user@fpqioanxvtv_en-us\browsers\google\cookies.txt
- %LOCALAPPDATA%\084faf443301f19306014627762bcd0d\user@fpqioanxvtv_en-us\browsers\opera\bookmarks.txt
- %LOCALAPPDATA%\084faf443301f19306014627762bcd0d\user@fpqioanxvtv_en-us\browsers\opera\cookies.txt
- %LOCALAPPDATA%\084faf443301f19306014627762bcd0d\user@fpqioanxvtv_en-us\browsers\opera\history.txt
- %TEMP%\tmp254b.tmp.dat
- %TEMP%\tmp2c4b.tmp.dat
- %LOCALAPPDATA%\084faf443301f19306014627762bcd0d\user@fpqioanxvtv_en-us\system\windows.txt
Network activity
Connects to
- 'ip##pi.com':80
- 'di###rdapp.com':443
- 'ic###azip.com':80
- 'oc##.thawte.com':80
TCP
HTTP GET requests
- http://ip##pi.com/line/?fi############
- http://ic###azip.com/
Other
- 'di###rdapp.com':443
UDP
- DNS ASK ip##pi.com
- DNS ASK di###rdapp.com
- DNS ASK ic###azip.com
- DNS ASK microsoft.com
- DNS ASK oc##.thawte.com
Miscellaneous
Searches for the following windows
- ClassName: 'Registry Monitor - Sysinternals: www.sysinternals.com' WindowName: ''
- ClassName: '18467-41' WindowName: ''
- ClassName: 'File Monitor - Sysinternals: www.sysinternals.com' WindowName: ''
- ClassName: 'Process Monitor - Sysinternals: www.sysinternals.com' WindowName: ''
Executes the following
- '%WINDIR%\syswow64\cmd.exe' /C chcp 65001 && netsh wlan show profile | findstr All
- '%WINDIR%\syswow64\chcp.com' 65001
- '%WINDIR%\syswow64\netsh.exe' wlan show profile
- '%WINDIR%\syswow64\findstr.exe' All
- '%WINDIR%\syswow64\cmd.exe' /C chcp 65001 && netsh wlan show networks mode=bssid
- '%WINDIR%\syswow64\netsh.exe' wlan show networks mode=bssid
