SPYW_FINSPY

This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. It may be manually installed by a user.

This is the Trend Micro detection for files that exhibit certain behaviors.

Arrival Details

This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It may be manually installed by a user.

Installation

This spyware drops the following component file(s):

• {spyware path}\bin\finspy_master
• {spyware path}\bin\generate_machine_id
• {spyware path}\data\finspy_master.cfg_template
• {spyware path}\data\fin_passwd_template
• {spyware path}\data\version
• {spyware path}\data\scripts\MasterInstaller\payload\fin_update_installer_script
• {spyware path}\data\scripts\MasterInstaller\tools\fin_decompress_script
• {spyware path}\data\Scheduler\Scheduler_List.txt
• {spyware path}\data\TargetModules\buildx.exe
• {spyware path}\data\TargetModules\bundledoc.exe
• {spyware path}\data\TargetModules\bundler.exe

It creates the following folders:

• {spyware path}\data\MasterModules
• {spyware path}\data\TargetModules
• {spyware path}\data\Scheduler
• {spyware path}\data\scripts
• {spyware path}\data\license
• {spyware path}\data\certs

Information Theft

This spyware gathers the following data:

• computer name
• user
• country
• city
• IP address
• OS Version

Other Details

This is the Trend Micro detection for:

• FinSpy (Spyware Software)

NOTES:

The builder requires the following parameters:

This spyware may contain the following proxy configuration (URLs, IP addresses, and ports):

It connects to the following non-malicious URL to download updates:

• update.gamma-international.de:6666

It may display the following interface: