TrojanSpy.Win32.LOKI.TIOIBOAS

This Trojan Spy arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Arrival Details

This Trojan Spy arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan Spy adds the following folders:

• %Application Data%\{substring from hash of machine GUID}

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It drops the following copies of itself into the affected system:

• %Application Data% \{substring from hash of machine GUID}\{substring from hash of machine GUID}.exe

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It drops the following files:

• %Application Data%\{substring from hash of machine GUID}\{substring from hash of machine GUID}.lck - used for resource locking
• %Application Data%\{substring from hash of machine GUID}\{substring from hash of machine GUID}.hdb - hash database of stolen information

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• {Hash of machine GUID}

Information Theft

This Trojan Spy gathers the following data:

• User name
• Computer name
• Machine GUID

It attempts to steal stored account information used in the following installed File Transfer Protocol (FTP) clients or file manager software:

• 32bitFtp
• AbleFTP
• ALFTP
• Automize
• BitKinex
• Bitvise
• BlazeFTP
• ClassicFTP
• CyberDuck
• DeluxeFTP
• EasyFTP
• ExpanDrive
• Far manager
• Fastream NETFile
• FileZilla
• FlashFXP
• Fling FTP
• FreshFTP
• FTP Navigator
• FTP Now
• FTP Now
• FTPBox
• FTPGetter
• FTPInfo
• FullSync
• GoFTP
• JaSFtp
• KiTTY
• LinasFTP
• MyFTP
• NetDrive
• NetDrive2
• NexusFile
• Notepad++ NppFTP
• NovaFTP
• Odin Secure FTP Expert
• PuTTY
• SecureFX
• SftpNetDrive
• Sherrod FTP
• SmartFTP
• Staff-FTP
• SuperPuTTY
• Syncovery
• Total Commander
• UltraFXP
• WinFtp Client
• WinSCP
• WS_FTP
• Xftp

It attempts to get stored information such as user names, passwords, and hostnames from the following browsers:

• 360Browser
• Baidu Spark
• Blackhawk
• Catalina Group Citrio
• Chromium
• CocCoc
• Comodo Chromodo
• Comodo Dragon
• Comodo IceDragon
• Coowon
• Cyberfox
• Epic Privacy Browser
• Flock
• Google Chrome
• Internet Explorer
• Iridium
• K-Meleon
• Lunascape
• Maple Studio ChromePlus
• Mozilla Firefox
• Mozilla Seamonkey
• Mustang Browser
• Nichrome
• Opera Next
• Opera Stable
• Orbitum
• Pale Moon
• QtWeb
• QupZilla
• Rockmelt
• Safari
• SuperBird
• Titan Browser
• Torch
• Vivaldi
• Waterfox
• Yandex Browser

It attempts to steal stored email credentials from the following:

• FossaMail
• Foxmail
• IncrediMail
• Microsoft Outlook
• Mozilla Thunderbird
• PostBox

Stolen Information

This Trojan Spy sends the gathered information via HTTP POST to the following URL:

• http://{BLOCKED}a.ga/ebu/fre.php