TrojanSpy.Win32.Muyem.A
Windows
Threat Type: Trojan Spy
Destructiveness: No
Encrypted: No
In the wild: Yes
OVERVIEW
This Trojan Spy arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It steals system information.
TECHNICAL DETAILS
Arrival Details
This Trojan Spy arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This Trojan Spy adds the following folders:
- %ProgramData%\{Random String}
- %ProgramData%\{Random String}\files
- %ProgramData%\{Random String}\files\Autofill
- %ProgramData%\{Random String}\files\CC
- %ProgramData%\{Random String}\files\Cookies
- %ProgramData%\{Random String}\files\Downloads
- %ProgramData%\{Random String}\files\Files
- %ProgramData%\{Random String}\files\History
- %ProgramData%\{Random String}\files\Soft
- %ProgramData%\{Random String}\files\Soft\Authy
- %ProgramData%\{Random String}\files\Wallets
- %ProgramData%\{Random String}\files\Wallets\ElectronCash
- %ProgramData%\{Random String}\files\Wallets\Electrum
- %ProgramData%\{Random String}\files\Wallets\ElectrumLTC
- %ProgramData%\{Random String}\files\Wallets\Ethereum
- %ProgramData%\{Random String}\files\Wallets\Exodus
- %ProgramData%\{Random String}\files\Wallets\JAXX
- %ProgramData%\{Random String}\files\Wallets\MultiDoge
(Note: %ProgramData% is a version of the Program Files folder where any user on a multi-user computer can make changes to programs. This contains application data for all users. This is usually C:\ProgramData in Windows Vista, 7, and 8.)
Dropping Routine
This Trojan Spy drops the following files wherein it saves the information it gathers:
- %ProgramData%\{Random String}\c
- %ProgramData%\{Random String}\history
- %ProgramData%\{Random String}\ld
- %ProgramData%\{Random String}\historych
- %ProgramData%\{Random String}\wd
- %ProgramData%\{Random String}\files\cookie_list.txt
- %ProgramData%\{Random String}\files\outlook.txt
- %ProgramData%\{Random String}\files\information.txt
- %ProgramData%\{Random String}\files\screenshot.jpg
- %ProgramData%\{Random String}\files\Autofill\Google Chrome_Default.txt
- %ProgramData%\{Random String}\files\CC\Google Chrome_Default.txt
- %ProgramData%\{Random String}\files\Cookies\Google Chrome_Default.txt
- %ProgramData%\{Random String}\files\Cookies\cookies_Mozilla Firefox_dxxbjsgn.default.txt
- %ProgramData%\{Random String}\files\Cookies\Edge_Cookies.txt
- %ProgramData%\{Random String}\files\Cookies\IE_Cookies.txt
- %ProgramData%\{Random String}\files\Downloads\Google Chrome_Default.txt
- %ProgramData%\{Random String}\files\Files\Default.zip
- %ProgramData%\{Random String}\files\History\Google Chrome_Default.txt
- %ProgramData%\{Random String}\files\History\history_Mozilla Firefox_dxxbjsgn.default.txt
(Note: %ProgramData% is a version of the Program Files folder where any user on a multi-user computer can make changes to programs. This contains application data for all users. This is usually C:\ProgramData in Windows Vista, 7, and 8.)
Download Routine
This Trojan Spy accesses the following websites to download files:
- http://{BLOCKED}est.com/380
- http://{BLOCKED}est.com/freebl3.dll
- http://{BLOCKED}est.com/mozglue.dll
- http://{BLOCKED}est.com/msvcp140.dll
- http://{BLOCKED}est.com/nss3.dll
- http://{BLOCKED}est.com/softokn3.dll
- http://{BLOCKED}est.com/vcruntime140.dll
It saves the files it downloads using the following names:
- %ProgramData%\freebl3.dll
- %ProgramData%\mozglue.dll
- %ProgramData%\msvcp140.dll
- %ProgramData%\nss3.dll
- %ProgramData%\softokn3.dll
- %ProgramData%\vcruntime140.dll
(Note: %ProgramData% is a version of the Program Files folder where any user on a multi-user computer can make changes to programs. This contains application data for all users. This is usually C:\ProgramData in Windows Vista, 7, and 8.)
Information Theft
This Trojan Spy steals system information.
It gathers the following data:
- User credentials from the following:
- Telegram Desktop
- Mozilla Thunderbird
- Filezilla
- Screenshot of the desktop during execution
- Browser Information
- Autofill Data
- Cookies
- Browsing History
- Download History
- Browser Credentials
- System Information
- ISP
- Coordinates
- ZIP
- City
- Country
- IP
- Video Card
- RAM
- CPU Count
- Processsor
- Time Zone
- Local Time
- Keyboard Language
- Display Language
- Display Resolution
- User Name
- Computer Name
- Windows OS
- Working Directory
- GUID
- Machine ID
- Date
- Version
Stolen Information
The stolen information is saved in the following file:
- %ProgramData%\{Random String}\files\US_{GUID}{Date}.zip
(Note: %ProgramData% is a version of the Program Files folder where any user on a multi-user computer can make changes to programs. This contains application data for all users. This is usually C:\ProgramData in Windows Vista, 7, and 8.)
It sends the gathered information via HTTP POST to the following URL:
- http://{BLOCKED}est.com
Other Details
This Trojan Spy connects to the following URL(s) to get the affected system's IP address:
- http://ip-api.com/line/
It does the following:
- Does not proceed with its routine when the default user locale name are any of the following:
- Russian
- Belarussian
- Uzbek
- Kazakhstan
- Azerbaijani
- It targets the following browsers:
- Chedot
- Mustang
- Suhba
- TorBro
- Elements
- Cent
- QIP
- URAN
- CocCoc
- Vivaldi
- Epic Privacy
- Sputnik
- Maxthon5
- Nichrome
- Comodo Dragon
- Opera
- Orbitum
- Torch
- Amigo
- Kometa
- Chromium
- Google Chrome
- K-Meleon
- IcaCat
- BlackHawk
- Cyberfox
- Waterfox
- Pale Moon
- Mozilla Firefox
- It may also possess the capability to steal information from various cryptocurrency wallets:
- *btc*.dat
- *wallet*.dat
- Targets the following cryptocurrencies:
- JAXX
- MultiDoge
- ElectronCash
- Electrum
- Electrum-LTC
- Ethereum
- Exodus
- Will try to delete itself, the information gathered, and its network activity to destroy any evidence of its execution
SOLUTION
Step 1
Before doing any scans, Windows 7, Windows 8, Windows 8.1, and Windows 10 users must disable System Restore to allow full scanning of their computers.
Step 2
Note that not all files, folders, and registry keys and entries are installed on your computer during this malware's/spyware's/grayware's execution. This may be due to incomplete installation or other operating system conditions. If you do not find the same files/folders/registry information, please proceed to the next step.
Step 3
Search and delete this folder
- %ProgramData%\{Random String}
Step 4
Scan your computer with your Trend Micro product to delete files detected as TrojanSpy.Win32.Muyem.A. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check the following Trend Micro Support pages for more information:
Did this description help? Tell us how we did.