SHA1: b82468b4e87c4900a04e8a5d88781bfe8f97fe08
Description
Malicious executable for Windows, written in Python, compiled with PyInstaller and obfuscated with BlankOBF v2. It is dropped by Python.Muldrop.39 (fd7eee537605618826ed7dd236948964faa2252f) and saved as C:\ProgramData\Microsoft\smss.exe.
Operating routine
- Creates the mutex Global\\prinesuplitku.
- Registers as a startup item by adding an entry named chromeupdate, containing the path to smss.exe, to the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
- Checks network access to https://api.telegram.org/. If the host can be reached, execution continues.
- Saves the TOKEN and USER_ID values to HKCU\Software\SOFTWARE\WindowsHohol. The TOKEN value is encrypted with AES in CBC mode; the key is the SHA256 hash of the string kozlinets.
- Sends a screenshot to the threat actors.
- Automatically runs the following commands: /ip, /sysinfo, /telegram, /wallets, /discord, /browsers.
- Searches the clipboard for seed phrases and sends them to the threat actors if any are found.
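The host artifacts listed above (drop path, Run-key entry, configuration key, mutex) can be checked with a read-only triage script. This is an added example, not code from the description or from the sample; it assumes the mutex name is Global\prinesuplitku once the escaped backslash in the string literal is resolved, and it must run in the infected user's session because the registry artifacts live under HKCU.

```powershell
# Added host-triage example: reports the artifacts of this sample, changes nothing.
$findings = @()

# 1. Dropped executable at the path named in the description
$dropPath = 'C:\ProgramData\Microsoft\smss.exe'
if (Test-Path -LiteralPath $dropPath) {
    $hash = (Get-FileHash -LiteralPath $dropPath -Algorithm SHA1).Hash.ToLower()
    $findings += "File present: $dropPath (SHA1 $hash)"
    if ($hash -eq 'b82468b4e87c4900a04e8a5d88781bfe8f97fe08') {
        $findings += 'SHA1 matches the sample described above'
    }
}

# 2. Run-key persistence entry named "chromeupdate"
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -Name 'chromeupdate' -ErrorAction SilentlyContinue
if ($run) {
    $findings += "Run entry chromeupdate -> $($run.chromeupdate)"
}

# 3. Configuration key that stores the encrypted TOKEN and the USER_ID
$cfgKey = 'HKCU:\Software\SOFTWARE\WindowsHohol'
if (Test-Path -Path $cfgKey) {
    $names = (Get-Item -Path $cfgKey).GetValueNames() -join ', '
    $findings += "Config key present: $cfgKey (values: $names)"
}

# 4. Mutex: OpenExisting succeeds only while a process holds the object.
#    Assumption: the real name is Global\prinesuplitku (unescaped form).
try {
    $m = [System.Threading.Mutex]::OpenExisting('Global\prinesuplitku')
    $m.Dispose()
    $findings += 'Mutex Global\prinesuplitku is held (trojan likely running)'
} catch [System.Threading.WaitHandleCannotBeOpenedException] {
    # Object does not exist: nothing to report
} catch {
    # Access denied or similar still means the object exists
    $findings += "Mutex check raised: $($_.Exception.GetType().Name)"
}

if ($findings.Count -eq 0) { 'No artifacts of this sample found.' } else { $findings }
```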
Trojan commands:
| Command | Description |
|---|---|
| /sc | Take a screenshot |
| /ip | Send the IP address |
| /cam | Take a webcam picture |
| /rec *duration* | Take a recording with the microphone for the specified duration |
| /video *duration* | Take a video recording with the webcam for the specified duration |
| /lock *text* | Lock the screen and display a message |
| /unlock | Unlock the screen |
| /tell *text* | Display a message |
| /sysinfo | Send system information |
| /ls *path* | Show the contents of the current directory |
| /pwd | Show the name of the current directory |
| /cd *path* | Change the current directory |
| /mkdir *path* | Create a new directory |
| /rm *path* | Remove a file or a directory |
| /mv *source path* *destination path* | Move a file or a directory from the source directory to the destination directory |
| /size *path* | Display the size of the specified file or directory |
| /download *path* | Download a file or a directory |
| /open *path* | Open the specified file |
| /copy *source path* *destination path* | Copy a file or a directory from the source directory to the destination directory |
| /processlist | List all running processes |
| /processkill *process* | Terminate a process with a given name |
| /processpath | Get a path to the executable file that spawned a process with a given name |
| /link *website* | Open the specified website and take a screenshot |
| /alert *text* | Display an alert with the specified text |
| /soft | List all installed programs |
| /shutdown | Turn off the computer |
| /restart | Reboot the computer |
| /browsers | Collect all data about installed browsers |
| /browsersforced | Collect all data about installed browsers, terminating their processes |
| /telegram | Download all files from the tdata directory of Telegram Desktop |
| /steam | Download all session files from Steam |
| /telegramforced | Check availability of the tdata folders on all disks |
| /discord | Collect Discord tokens |
| /wallets | Collect crypto wallet data from browser extensions and desktop applications |
| /seedfind | Search for potential seed phrases on all file systems |
| /transfer *token$chat_id* | Transfer control to another bot with the specified token and identifier |
| /terminate | Terminate the current connection |