Trojan.Win64.VICERCON.H

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan drops the following files:

• %System%\{filename} ← malware copy with different hash
• %Windows%\SysWow64\{filename} ← malware copy with different hash

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.. %Windows% is the Windows folder, where it usually is C:\Windows on all Windows operating system versions.)

It creates the following folders:

• %Windows%\Fonts\
• %Windows%\Fonts\clientdb\
• %Windows%\Fonts\clientdb\ds\
• %Windows%\Fonts\clientdb\gt\
• %Windows%\Fonts\clientdb\MSBuild\
• %System%\wostmp\
• %Windows%\SysWow64\wostmp\

(Note: %Windows% is the Windows folder, where it usually is C:\Windows on all Windows operating system versions.. %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.)

Other System Modifications

This Trojan adds the following registry entries:

HKEY_CLASSES_ROOT\SHTinfo
sha1 = {malware defined values}

HKEY_CLASSES_ROOT\SHTinfo
notice = {malware defined values}

HKEY_CLASSES_ROOT\SHTinfo
tunnel = {malware defined values}

HKEY_CLASSES_ROOT\SHTinfo
peer = {malware defined values}

HKEY_CLASSES_ROOT\SHTinfo
staticpeer = {malware defined values}

HKEY_CLASSES_ROOT\SHTinfo
intranet = {hexadecimal values}

HKEY_CLASSES_ROOT\SHTinfo
comment = {hexadecimal values}

HKEY_CLASSES_ROOT\SHTinfo
forward = {hexadecimal values}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
SHTinfo
sha1 = {malware defined values}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
SHTinfo
notice = {malware defined values}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
SHTinfo
tunnel = {malware defined values}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
SHTinfo
peer = {malware defined values}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
SHTinfo
staticpeer = {malware defined values}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
SHTinfo
intranet = {hexadecimal values}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
SHTinfo
comment = {hexadecimal values}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
SHTinfo
forward = {hexadecimal values}

Information Theft

This Trojan gathers the following data:

• Computer Name
• CPU information
• Username
• IP Address

Other Details

This Trojan does the following:

• It moves its own file to:
  • %System%\wostmp\{malware defined values}
  • %Windows%\SysWow64\wostmp\{malware defined values}
• It uses the following uncommon ports:
  • 27930
• It searches and gathers data from the following files:
  • C:\1f.txt
  • C:\1i.txt
  • C:\1p.txt
  • D:\1f.txt
  • D:\1i.txt
  • D:\1p.txt
  • E:\1f.txt
  • E:\1i.txt
  • E:\1p.txt
  • %Windows%\1f.txt
  • %Windows%\1i.txt
  • %Windows%\1p.txt
• It checks the content of its added registries entries.
• It sends UDP packets to any of the following IP addresses within the network range:
  • {BLOCKED}.{BLOCKED}.248.1 up to {BLOCKED}.{BLOCKED}.248.255
  • {BLOCKED}.{BLOCKED}.39.1 up to {BLOCKED}.{BLOCKED}.39.255
  • {BLOCKED}.{BLOCKED}.246.1 up to {BLOCKED}.{BLOCKED}.246.255
  • {BLOCKED}.{BLOCKED}.4.1 up to (BLOCKED}.{BLOCKED}.4.255
  • {BLOCKED}.{BLOCKED}.37.1 up to {BLOCKED}.{BLOCKED}.37.255
  • {BLOCKED}.{BLOCKED}.202.1 up to {BLOCKED}.{BLOCKED}.202.255
  • {BLOCKED}.{BLOCKED}.93.1 up to {BLOCKED}.{BLOCKED}.93.255
  • {BLOCKED}.{BLOCKED}.186.1 up to {BLOCKED}.{BLOCKED}.{BLOCKED}.255
  • {BLOCKED}.{BLOCKED}.81.1 up to {BLOCKED}.{BLOCKED}.81.255
  • {BLOCKED}.{BLOCKED}.21.1 up to {BLOCKED}.{BLOCKED}.21.255
  • {BLOCKED}.{BLOCKED}.39.1 up to {BLOCKED}.{BLOCKED}.39.255
  • {BLOCKED}.{BLOCKED}.73.1 up to {BLOCKED}.{BLOCKED}.73.255
  • {BLOCKED}.{BLOCKED}.109.1 up to {BLOCKED}.{BLOCKED}.109.255
  • {BLOCKED}.{BLOCKED}.30.1 up to {BLOCKED}.{BLOCKED}.30.255
  • {BLOCKED}.{BLOCKED}.201.1 up to {BLOCKED}.{BLOCKED}.201.255
  • {BLOCKED}.{BLOCKED}.6.1 up to {BLOCKED}.{BLOCKED}.6.255
  • {BLOCKED}.{BLOCKED}.27.1 up to {BLOCKED}.{BLOCKED}.27.255
  • {BLOCKED}.{BLOCKED}.198.1 up to {BLOCKED}.{BLOCKED}.198.255
  • {BLOCKED}.{BLOCKED}.137.1 up to {BLOCKED}.{BLOCKED}.137.255
  • {BLOCKED}.{BLOCKED}.139.1 up to {BLOCKED}.{BLOCKED}.139.255
  • {BLOCKED}.{BLOCKED}.184.1 up to {BLOCKED}.{BLOCKED}.184.255
  • {BLOCKED}.{BLOCKED}.203.1 up to {BLOCKED}.{BLOCKED}.203.255
  • {BLOCKED}.{BLOCKED}.17.1 up to {BLOCKED}.{BLOCKED}.17.255
  • {BLOCKED}.{BLOCKED}.128.1 up to {BLOCKED}.{BLOCKED}.128.255
  • {BLOCKED}.{BLOCKED}.100.1 up to {BLOCKED}.{BLOCKED}.100.255
  • {BLOCKED}.{BLOCKED}.231.1 up to {BLOCKED}.{BLOCKED}.231.255
  • {BLOCKED}.{BLOCKED}.51.1 up to {BLOCKED}.{BLOCKED}.51.255
  • {BLOCKED}.{BLOCKED}.15.1 up to {BLOCKED}.{BLOCKED}.15.255
  • {BLOCKED}.{BLOCKED}.166.1 up to {BLOCKED}.{BLOCKED}.166.255
  • {BLOCKED}.{BLOCKED}.1.1 up to {BLOCKED}.{BLOCKED}.1.255
  • {BLOCKED}.{BLOCKED}.145.1 up to {BLOCKED}.{BLOCKED}.145.255
  • {BLOCKED}.{BLOCKED}.33.1 up to {BLOCKED}.{BLOCKED}.33.255
  • {BLOCKED}.{BLOCKED}.83.1 up to {BLOCKED}.{BLOCKED}.83.255
  • {BLOCKED}.{BLOCKED}.123.1 up to {BLOCKED}.{BLOCKED}.123.255
  • {BLOCKED}.{BLOCKED}.58.1 up to {BLOCKED}.{BLOCKED}.58.255
  • {BLOCKED}.{BLOCKED}.6.1 up to {BLOCKED}.{BLOCKED}.6.255
  • {BLOCKED}.{BLOCKED}.213.1 up to {BLOCKED}.{BLOCKED}.213.255
  • {BLOCKED}.{BLOCKED}.33.1 up to {BLOCKED}.{BLOCKED}.33.255
  • {BLOCKED}.{BLOCKED}.168.1 up to {BLOCKED}.{BLOCKED}.168.255
  • {BLOCKED}.{BLOCKED}.189.1 up to {BLOCKED}.{BLOCKED}.189.255
  • {BLOCKED}.{BLOCKED}.189.1 up to {BLOCKED}.{BLOCKED}.189.255
  • {BLOCKED}.{BLOCKED}.125.1 up to {BLOCKED}.{BLOCKED}.125.255
  • {BLOCKED}.{BLOCKED}.121.1 up to {BLOCKED}.{BLOCKED}.121.255
  • {BLOCKED}.{BLOCKED}.131.1 up to {BLOCKED}.{BLOCKED}.131.255
  • {BLOCKED}.{BLOCKED}.194.1 up to {BLOCKED}.{BLOCKED}.194.255
  • {BLOCKED}.{BLOCKED}.93.1 up to {BLOCKED}.{BLOCKED}.93.255
  • {BLOCKED}.{BLOCKED}.112.1 up to {BLOCKED}.{BLOCKED}.112.255
  • {BLOCKED}.{BLOCKED}.218.1 up to {BLOCKED}.{BLOCKED}.218.255
  • {BLOCKED}.{BLOCKED}.152.1 up to {BLOCKED}.{BLOCKED}.152.255
  • {BLOCKED}.{BLOCKED}.128.1 up to {BLOCKED}.{BLOCKED}.128.255
  • {BLOCKED}.{BLOCKED}.235.1 up to {BLOCKED}.{BLOCKED}.235.255
  • {BLOCKED}.{BLOCKED}.12.1 up to {BLOCKED}.{BLOCKED}.12.255
  • {BLOCKED}.{BLOCKED}.0.1 up to {BLOCKED}.{BLOCKED}.0.255
  • {BLOCKED}.{BLOCKED}.31.1 up to {BLOCKED}.{BLOCKED}.31.255
  • {BLOCKED}.{BLOCKED}.56.1 up to {BLOCKED}.{BLOCKED}.56.255
  • {BLOCKED}.{BLOCKED}.127.1 up to {BLOCKED}.{BLOCKED}.127.255
  • {BLOCKED}.{BLOCKED}.34.1 up to {BLOCKED}.{BLOCKED}.34.255
  • {BLOCKED}.{BLOCKED}.16.1 up to {BLOCKED}.{BLOCKED}.16.255
  • {BLOCKED}.{BLOCKED}.168.1 up to {BLOCKED}.{BLOCKED}.168.255
  • {BLOCKED}.{BLOCKED}.80.0 up to {BLOCKED}.{BLOCKED}.97.255
  • {BLOCKED}.{BLOCKED}.5.0 up to {BLOCKED}.{BLOCKED}.15.255
  • {BLOCKED}.{BLOCKED}.190.0 up to {BLOCKED}.{BLOCKED}.255.255
  • {BLOCKED}.{BLOCKED}.25.0 up to {BLOCKED}.{BLOCKED}.50.255
  • {BLOCKED}.{BLOCKED}.1.0 up to {BLOCKED}.{BLOCKED}.25.255
  • {BLOCKED}.{BLOCKED}.210.0 up to {BLOCKED}.{BLOCKED}.250.255
  • {BLOCKED}.{BLOCKED}.1.0 up to {BLOCKED}.{BLOCKED}.26.255
  • {BLOCKED}.{BLOCKED}.252.0 up to {BLOCKED}.{BLOCKED}.255.255
  • {BLOCKED}.{BLOCKED}.140.0 up to {BLOCKED}.{BLOCKED}.165.255
  • {BLOCKED}.{BLOCKED}.60.0 up to {BLOCKED}.{BLOCKED}.90.255
  • {BLOCKED}.{BLOCKED}.90.0 up to {BLOCKED}.{BLOCKED}.115.255
  • {BLOCKED}.{BLOCKED}.85.0 up to {BLOCKED}.{BLOCKED}.120.255
  • {BLOCKED}.{BLOCKED}.60.0 up to {BLOCKED}.{BLOCKED}.85.255
  • {BLOCKED}.{BLOCKED}.50.0 up to {BLOCKED}.{BLOCKED}.60.255
  • {BLOCKED}.{BLOCKED}.140.0 up to {BLOCKED}.{BLOCKED}.165.255
  • {BLOCKED}.{BLOCKED}.150.0 up to {BLOCKED}.{BLOCKED}.175.255
  • {BLOCKED}.{BLOCKED}.140.0 up to {BLOCKED}.{BLOCKED}.165.255
  • {BLOCKED}.{BLOCKED}.40.0 up to {BLOCKED}.{BLOCKED}.65.255
  • {BLOCKED}.{BLOCKED}.185.0 up to {BLOCKED}.{BLOCKED}.210.255
  • {BLOCKED}.{BLOCKED}.100.0 up to {BLOCKED}.{BLOCKED}.110.255
  • {BLOCKED}.{BLOCKED}.230.0 up to {BLOCKED}.{BLOCKED}.255.255
  • {BLOCKED}.{BLOCKED}.200.0 up to {BLOCKED}.{BLOCKED}.225.255
  • {BLOCKED}.{BLOCKED}.90.0 up to {BLOCKED}.{BLOCKED}.115.255
  • {BLOCKED}.{BLOCKED}.185.0 up to {BLOCKED}.{BLOCKED}.200.255
  • {BLOCKED}.{BLOCKED}.5.0 up to {BLOCKED}.{BLOCKED}.15.255
  • {BLOCKED}.{BLOCKED}.120.0 up to {BLOCKED}.{BLOCKED}.150.255
  • {BLOCKED}.{BLOCKED}.211.0 up to {BLOCKED}.{BLOCKED}.240.255
  • {BLOCKED}.{BLOCKED}.85.0 up to {BLOCKED}.{BLOCKED}.100.255
  • {BLOCKED}.{BLOCKED}.35.0 up to {BLOCKED}.{BLOCKED}.75.255
  • {BLOCKED}.{BLOCKED}.50.0 up to {BLOCKED}.{BLOCKED}.60.255
  • {BLOCKED}.{BLOCKED}.70.0 up to {BLOCKED}.{BLOCKED}.85.255
  • {BLOCKED}.{BLOCKED}.20.0 up to {BLOCKED}.{BLOCKED}.38.255
  • {BLOCKED}.{BLOCKED}.180.0 up to {BLOCKED}.{BLOCKED}.200.255
  • {BLOCKED}.{BLOCKED}.140.0 up to {BLOCKED}.{BLOCKED}.165.255
  • {BLOCKED}.{BLOCKED}.90.0 up to {BLOCKED}.{BLOCKED}.110.255
  • {BLOCKED}.{BLOCKED}.145.0 up to {BLOCKED}.{BLOCKED}.175.255
  • {BLOCKED}.{BLOCKED}.220.0 up to {BLOCKED}.{BLOCKED}.220.255
  • {BLOCKED}.{BLOCKED}.230.0 up to {BLOCKED}.{BLOCKED}.255.255
  • {BLOCKED}.{BLOCKED}.40.0 up to {BLOCKED}.{BLOCKED}.60.255
  • {BLOCKED}.{BLOCKED}.185.0 up to {BLOCKED}.{BLOCKED}.200.255
  • {BLOCKED}.{BLOCKED}.1.0 up to {BLOCKED}.{BLOCKED}.20.255
  • {BLOCKED}.{BLOCKED}.65.0 up to {BLOCKED}.{BLOCKED}.75.255
  • {BLOCKED}.{BLOCKED}.210.0 up to {BLOCKED}.{BLOCKED}.240.255
  • {BLOCKED}.{BLOCKED}.75.0 up to {BLOCKED}.{BLOCKED}.90.255
  • {BLOCKED}.{BLOCKED}.150.0 up to {BLOCKED}.{BLOCKED}.175.255
  • {BLOCKED}.{BLOCKED}.1.0 up to {BLOCKED}.{BLOCKED}.15.255.
  • {BLOCKED}.{BLOCKED}.145.0 up to {BLOCKED}.{BLOCKED}.160.255
  • {BLOCKED}.{BLOCKED}.150.0 up to {BLOCKED}.{BLOCKED}.165.255
  • {BLOCKED}.{BLOCKED}.230.0 up to {BLOCKED}.{BLOCKED}.255.255
  • {BLOCKED}.{BLOCKED}.25.0 up to {BLOCKED}.{BLOCKED}.55.255
  • {BLOCKED}.{BLOCKED}.50.0 up to {BLOCKED}.{BLOCKED}.80.255
  • {BLOCKED}.{BLOCKED}.85.0 up to {BLOCKED}.{BLOCKED}.115.255
  • {BLOCKED}.{BLOCKED}.10.0 up to {BLOCKED}.{BLOCKED}.30.255
  • {BLOCKED}.{BLOCKED}.155.0 up to {BLOCKED}.{BLOCKED}.175.255
  • {BLOCKED}.{BLOCKED}.165.0 up to {BLOCKED}.{BLOCKED}.185.255
  • {BLOCKED}.{BLOCKED}.230.0 up to {BLOCKED}.{BLOCKED}.255.255
  • {BLOCKED}.{BLOCKED}.85.0 up to {BLOCKED}.{BLOCKED}.105.255
  • {BLOCKED}.{BLOCKED}.110.0 up to {BLOCKED}.{BLOCKED}.130.255
  • {BLOCKED}.{BLOCKED}.180.0 up to {BLOCKED}.{BLOCKED}.210.255
  • {BLOCKED}.{BLOCKED}.155.0 up to {BLOCKED}.{BLOCKED}.180.255
  • {BLOCKED}.{BLOCKED}.60.0 up to {BLOCKED}.{BLOCKED}.70.255
  • {BLOCKED}.{BLOCKED}.155.0 up to {BLOCKED}.{BLOCKED}.180.255
  • {BLOCKED}.{BLOCKED}.152.0 up to {BLOCKED}.{BLOCKED}.175.255
  • {BLOCKED}.{BLOCKED}.130.0 up to {BLOCKED}.{BLOCKED}.165.255
  • {BLOCKED}.{BLOCKED}.210.0 up to {BLOCKED}.{BLOCKED}.245.255
  • {BLOCKED}.{BLOCKED}.220.0 up to {BLOCKED}.{BLOCKED}.255.255
  • {BLOCKED}.{BLOCKED}.1.0 up to {BLOCKED}.{BLOCKED}.25.255
  • {BLOCKED}.{BLOCKED}.170.0 up to {BLOCKED}.{BLOCKED}.180.255
  • {BLOCKED}.{BLOCKED}.40.0 up to {BLOCKED}.{BLOCKED}.70.255
  • {BLOCKED}.{BLOCKED}.45.0 up to {BLOCKED}.{BLOCKED}.65.255
  • {BLOCKED}.{BLOCKED}.25.0 up to {BLOCKED}.{BLOCKED}.50.255
  • {BLOCKED}.{BLOCKED}.190.0 up to {BLOCKED}.{BLOCKED}.200.255
  • {first 3 octets of computer IP Address}:0 up to {first 3 octets of computer IP Address}:255
  • {first 2 octets of computer IP Address}:0:0 up to {first 2 octets of computer IP Address}:255:255