TrojanSpy.Win64.RHADAMANTHYS.B

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Zum Zeitpunkt der Fertigstellung dieses Dokuments sind die erwähnten Sites jedoch nicht zugänglich.

Übertragungsdetails

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

Schleust die folgenden Dateien ein:

• %AppDataLocal%\Microsoft\{Random}.exe

Fügt die folgenden Prozesse hinzu:

• "%Windows%\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

(Hinweis: %Windows% ist der Windows Ordner, normalerweise C:\Windows oder C:\WINNT.)

Fügt die folgenden Mutexe hinzu, damit nur jeweils eine ihrer Kopien ausgeführt wird:

• MSCTF.Asm.{00000009-4fb3f26-9d18-66b568-627b8a85e4b6}

Beendet sich selbst, wenn die folgenden Prozesse im Speicher des betroffenen Systems gefunden werden:

• procexp.exe
• procexp64.exe
• tcpview.exe
• tcpview64.exe
• Procmon.exe
• Procmon64.exe
• vmmap.exe
• vmmap64.exe
• portmon.exe
• processlasso.exe
• Wireshark.exe
• Fiddler Everywhere.exe
• Fiddler.exe
• ida.exe
• ImmunityDebugger.exe
• WinDump.exe
• x64dbg.exe
• x32dbg.exe
• OllyDbg.exe
• ProcessHacker.exe
• idaq64.exe
• autoruns.exe
• dumpcap.exe
• de4dot.exe
• hookexplorer.exe
• ilspy.exe
• lordpe.exe
• dnspy.exe.
• petools.exe
• autorunsc.exe
• resourcehacker.exe
• filemon.exe
• regmon.exe
• windanr.exe
• ida64.exe

Andere Systemänderungen

Fügt die folgenden Registrierungseinträge hinzu:

HKEY_CURRENT_USER\Software\SibCode
sn = 1696220900

Download-Routine

Zum Zeitpunkt der Fertigstellung dieses Dokuments sind die erwähnten Sites jedoch nicht zugänglich.

Datendiebstahl

Folgende Daten werden gesammelt:

• Default Language
• Locale
• Gathers information from:
  • Browsers:
    • Coc CoC
    • Pale Moon
    • Sleipnir5
    • Opera
    • Chrome
    • Twinkstar
    • Firefox
    • Edge
    • K-Meleon
  • FTP Clients:
    • FileZilla
    • CoreFTP
    • WinSCP
  • VPN:
    • OpenVPN
  • Messaging Applications:
    • Telegram
  • Email Applications:
    • Thunderbird
    • Foxmail
    • Outlook
    • The BAT
  • Password Manager:
    • KeePass
  • Others:
    • Discord
    • Steam
    • Stickynotes
    • Simple Sticky Notes
  • Wallets:
    • Ronin
    • MetaMask
    • Vigvam
    • OKEx Wallet
    • Keplr
    • Avana Wallet
    • Ethereum
    • Electrum
    • Dogecoin
    • Litecoin
    • Monero
    • Qtum
    • Armory
    • Bytecoin
    • Binance
    • Electron
    • Solar Wallet
    • Zap
    • WalletWasabi
    • Zcash
• Browser Extensions:
  • Autofill data
  • Browser data (login information, cookies) relating to the following wallets:
    • MyTonWallet
    • Exodus Wallet
    • Trust Wallet
    • ZilPay Wallet
    • MetaMask
    • Bitcoin
    • Flint Wallet
    • X-Wallet
    • Stargazer Wallet
    • Theta Wallet
    • BitKeep
    • PaliWallet
    • TON Wallet
    • KardiaChain Wallet
    • Fractal Wallet
    • ArConnect
    • Swash
    • Nash
    • XDEFI Wallet
    • BitClip
    • DAppPlay
    • LeafWallet
    • OneKey
    • Byone
    • Cyano Wallet
    • TexBox - Tezos Wallet
    • Temple - Tezos Wallet
    • KHC
    • Nabox Wallet
    • ICONex
    • Polymesh Wallet
    • Auro Wallet
    • Keplr
    • Clover Wallet
    • NeoLine
    • Saturn Wallet
    • MEW CX
    • iWallet
    • Oasis Wallet
    • Goby
    • StarMask
    • Eternl
    • Wombat
    • Hycon Lite Client
    • Crypto.com
    • Keeper Wallet
    • Terra Station Wallet
    • SteemKeychain
    • Jaxx Liberty
    • ZilPay
    • Yoroi Wallet
    • Ronin Wallet
    • Rabet
    • Auvitas Wallet
    • Liquality Wallet
    • Nifty Wallet
    • Oxygen - Atomic Crypto Wallet
    • Crocobit Wallet
    • Finnie
    • Slope Wallet
    • XDCPay
    • Solflare Wallet
    • Sollet
    • GuildWallet
    • Guarda
    • BitApp Wallet
    • Math Wallet
    • OKEx Wallet
    • EQUAL Wallet
    • MOBOX WALLET
    • Phantom
    • Coinbase Wallet
    • TronLink
    • MetaMask
    • Binance Wallet
    • Coin98 Wallet
  • Saved credit cards
  • Login information
  • Browser cookies
  • Browsing history
  • Bookmarks
  • Download history

Andere Details

Fügt die folgenden Registrierungsschlüssel hinzu:

HKEY_CURRENT_USER\Software\SibCode

Es macht Folgendes:

• It disables the display of error message box.
• It checks for suspicious code hooks in the system.
• It manipulates exception handling.
• It checks if the following mutexes are present:
  • Global\MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620}
  • Session\1\MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620}
  • Session\2\MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620}
  • Session\3\MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620}
  • Session\4\MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620}
  • Session\5\MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620}
  • Session\6\MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620}
  • Session\7\MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620}
  • Session\8\MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620}
• It terminates itself if any of the following are satisfied:
  • If the file name of the executed binary matches any the following:
    • sample.exe
    • bot.exe
    • sandbox.exe
    • malware.exe
    • text.exe
    • klavme.exe
    • myapp.exe
    • testapp.exe
  • If the length of the file name is equal to the following:
    • 32 → length of MD5 hash
    • 40 → length of SHA1 hash
    • 64 → length of SHA256 hash
  • If the host name matches any of the following:
    • SANDBOX
    • 7SILVIA
    • HANSPETER-PC
    • JOHN-PC
    • MUELLER-PC
    • WIN7-TRAPS
    • FORTINET
    • TEQUILABOOMBOOM
  • If the user name matches any of the following:
    • CurrentUser
    • Sandbox
    • Emily
    • HAPUBWS
    • Hong Lee
    • IT-ADMIN
    • Johnson
    • Miller
    • milozs
    • Peter Wilson
    • timmy
    • user
    • sand box
    • malware
    • maltest
    • test user
    • virus
    • John Doe
  • If the user name is Wilber and computer name starts with SC or SW.
  • If the user name is admin and the computer name is SystemIT.
  • If the user name is admin and the computer name is KLONE_X64-PC.
  • If the user name is John and the following files are present:
    • C:\take_screenshot.exe
    • C:\loaddll.exe
  • If all of the following files are present:
    • C:\email.doc
    • C:\email.htm
    • C:\123\email.doc
    • C:\123\email.docx
  • If all of the following files are present:
    • C:\a\foobar.bmp
    • C:\a\foobar.doc
    • C:\a\foobar.gif
  • If the vendor ID matches any of the following:
    • KVMKVMKVM
    • Microsoft Hv
    • VMwareVMware
    • XenVMMXenVMM
    • prl hyperv
    • Parallels Hv
    • VBoxVBoxVBox
  • If known sandbox IDs are present in the following registry keys:
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControLSet\Enum\IDE
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControLSet\Enum\SCSI
    where the sandbox IDs could be any of the following:
    • qemu
    • virtio
    • vmware
    • vbox
    • xen
    • VMW
    • Virtual
  • If it finds the following virtual devices in the affected system:
    • \.\VBoxMiniRdrDN
    • \.\VBoxGuest
    • \.\VBoxTrayIPC
    • \.\pipe\VBoxMiniRdDN
    • \.\pipe\VBoxTrayIPC
  • If the following strings are found on windows or classes:
    • VBoxTrayToolWndClass
    • VBoxTrayToolWnd
  • If the following strings are found on the system information:
    • VirtualBox
    • vbox
    • VBOX
    • VMware
    • VMWARE
    • QEMU
    • qemu
    • BOCHS
    • BXPC
  • If it finds the following virtual machine/sandbox network shares in the affected system:
    • VirtualBox Shared Folders
  • If it finds the following virtual machine/sandbox file artifacts in the affected system:
    • %System%\drivers\VBoxMouse.sys
    • %System%\drivers\VBoxGuest.sys
    • %System%\drivers\VBoxSF.sys
    • %System%\drivers\VBoxVideo.sys
    • %System%\vboxdisp.dll
    • %System%\vboxhook.dll
    • %System%\vboxmrxnp.dll
    • %System%\vboxogl.dll
    • %System%\vboxoglarrayspu.dll
    • %System%\vboxoglcrutil.dll
    • %System%\vboxoglerrorspu.dll
    • %System%\vboxoglfeedbackspu.dll
    • %System%\vboxoglpackspu.dll
    • %System%\vboxoglpassthroughspu.dll
    • %System%\vboxservice.exe
    • %System%\vboxtray.exe
    • %System%\VBoxControl.exe
    • %System%\drivers\balloon.sys
    • %System%\drivers\netkvm.sys
    • %System%\drivers\pvpanic.sys
    • %System%\drivers\viofs.sys
    • %System%\drivers\viogpudo.sys
    • %System%\drivers\vioinput.sys
    • %System%\drivers\viorng.sys
    • %System%\drivers\vioscsi.sys
    • %System%\drivers\vioser.sys
    • %System%\drivers\viostor.sys
  • if it finds the following virtual machine/sandbox directory artifacts in the affected system:
    • %Program Files%\Virtio-Win\
    • %Program Files%\qemu-ga
    • %Program Files%\SPICE Guest Tools
  • if it finds the following virtual machine/sandbox processes in the affected system's memory:
    • vboxservice.exe
    • vboxtray.exe
    • vmtoolsd.exe
    • vmwaretray.exe
    • vmwareuser.exe
    • VGAuthService.exe
    • vmacthlp.exe
    • qemu-ga.exe
    • vdagent.exe
    • vdservice.exe
  • If the following strings are found in the Win32_ComputerSystem manufacturer:
    • VMware
    • Xen
    • innotek GmbH
    • QEMU
  • If the following strings are found in the Win32_ComputerSystem model:
    • VirtualBox
    • HVM domU
    • VMware
  • If the following strings are found in the Win32_BIOS serial number:
    • VMWare
    • Parallels
    • XenVirtual
    • A M I
  • If the following strings are found in the Disk Device Driver hardware ID:
    • vbox
    • vmware
    • qemu
    • virtual
  • If the following strings are found in the Win32_PnPEntity device ID:
    • PCI\VEN_80EE&DEV_CAFE
  • If the following strings are found in the Win32_PnPEntity name:
    • 82801FB
    • 82441FX
    • 82371SB
    • OpenHCD
  • If the following strings are found in the Win32_PnPDevice Name and Caption:
    • VBOX
  • If the following strings are found in the Win32_PnPDevice PNPDeviceID:
    • VEN_VBOX
  • If the following strings are found in the Win32_Bus name:
    • ACPIBus_BUS_0
    • PCI_BUS_0
    • PNP_BUS_0
  • If the following strings are found in the Win32_BaseBoard product:
    • VirtualBox
  • If the following strings are found in the Win32_BaseBoard manufacturer:
    • Oracle Corporation
  • If the following strings are found in the Win32_NTEventlogFile FileName and Sources:
    • vboxvideo
    • VBoxVideoW8
    • VBoxWddm
• It checks if process is running in a 64 bit environment:
  • If yes,
    • It searches and manipulates the following module:
      • aswhook.dll
    • If not found:
      • It searches and manipulates files with the following strings in their file name:
        • 360SelfProtection
        • BdDci
        • rtp_process_monitor
        • klkbdflt

(Hinweis: %System% ist der Windows Systemordner. Er lautet in der Regel C:\Windows\System unter Windows 98 und ME, C:\WINNT\System32 unter Windows NT und 2000 sowie C:\Windows\System32 unter Windows 2000(32-bit), XP, Server 2003(32-bit), Vista, 7, 8, 8.1, 2008(64-bit), 2012(64bit) and 10(64-bit).. %Program Files%ist der Standardordner 'Programme', normalerweise C:\Programme.)