TrojanSpy.MSIL.NEGASTEAL.THGAABC

This Trojan Spy arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Arrival Details

This Trojan Spy arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan Spy drops the following files:

• %Application Data%\BttqxcYvYaRne.exe → Copy of itself
• &User Temp%\tmp{Random 4 Characters}.tmp
• &User Temp%{8 Random Characters}.{3 Random Characters}.ps1 → Deletes Afterwards
• &User Temp%\{8 Random Characters}.{3 Random Characters}.psm1 → Deletes Afterwards
• %AppDataLocal%\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
• %Application Data%\{8 Random Characters}.{3 Random Characters}\Chrome\Default\Cookies
• %Application Data%\{8 Random Characters}.{3 Random Characters}\Firefox\Profiles\dxxbjsgn.default\cookies.sqlite

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %AppDataLocal% is the Local Application Data folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It adds the following processes:

• %System%\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "%Application Data%\BttqxcYvYaRne.exe"
• %System%\schtasks.exe" /Create /TN "Updates\BttqxcYvYaRne" /XML "&User Temp%\tmp{Random 4 Characters}.tmp"

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

Other System Modifications

This Trojan Spy modifies the following file(s):

• %System%\drivers\etc\hosts

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.)

Information Theft

This Trojan Spy gathers the following data:

• Current Time
• Username
• Computer Name
• OS Fullname
• CPU Information
• RAM Information
• IP Address


• Credentials from the following applications:
• Browsers:
• 360 Browser
• 7Star
• Amigo
• BlackHawk
• Brave
• CentBrowser
• Chedot
• Chrome
• Chromium
• Citrio
• Coccoc
• Comodo Dragon
• Cool Novo
• Coowon
• CyberFox
• Edge Chromium
• Elements Browser
• Epic Privacy
• Falkon Browswer
• Firefox
• Flock
• Flock Browser
• IceCat
• IceDragon
• IE/Edge
• Iridium
• K-Meleon
• Kometa
• Liebao Browser
• Opera Stable
• Orbitum
• PaleMoon
• QIP Surf
• QQ Browser
• Safari for Windows
• SeaMonkey
• Sleipnir 6
• Sputnik
• Torch
• UC Browser
• Uran
• Vivaldi
• WaterFox
• Yandex


• Email Clients
• Becky!
• Claws Mail
• eM client
• Eudora
• Foxmail
• IncrediMail
• Mailbird
• Opera Mail
• Outlook
• Pocomail
• Postbox
• The Bat!
• Thunderbird
• Windows Mail App


• FTPs
• CoreFTP
• FileZilla
• FlashFXP
• FTP Commander
• FTP Getter
• FTP Navigator
• SmartFTP
• WinSCP
• WS_FTP


• VPNs
• NordVPN
• OpenVPN
• Private Internet Access


• Instant Messaging Applications
• Discord
• Psi/Psi+
• Trillian


• Other Applications
• Internet Download Manager
• Jdownloader 2.0
• MySQL Workbench


• Connect to the following URL to retrieve affected system's IP address:
• https://{BLOCKED}ify.org

Stolen Information

This Trojan Spy sends the data it gathers to the following email addresses via SMTP:

• Host: {BLOCKED}handsand.com
  Email: in{BLOCKED}handsand.com
  Username: {BLOCKED}0
  Password: {BLOCKED}&W(LN?