Backdoor.Win64.URSNIF.THIBGBD

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It executes commands from a remote malicious user, effectively compromising the affected system. It connects to a website to send and receive information. However, as of this writing, the said sites are inaccessible.

Arrival Details

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Backdoor adds the following mutexes to ensure that only one of its copies runs at any one time:

• Global\{Two Registry Key Names Found from HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control}

Backdoor Routine

This Backdoor executes the following commands from a remote malicious user:

• Execute arbitrary commands

It connects to the following websites to send and receive information:

• https://{BLOCKED}xt.top/index.html

However, as of this writing, the said sites are inaccessible.

Information Theft

This Backdoor gathers the following data:

• Checksum of username
• Cheksum of creation time of %System Root%\pagefile.sys or %System Root%\hiberfil.sys
• Checksum of malware file name
• Checksum of malware file

(Note: %System Root% is the Windows root folder, where it usually is C:\ on all Windows operating system versions.)

Other Details

This Backdoor does the following:

• It generates its mutex using the registry keys it gathered from from HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control.