Analysis by: Eleazar Valles
ALIASES:

W64/GenKryptik.FVXY!tr (FORTINET)

 PLATFORM:

Windows

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Trojan Spy

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

This Trojan Spy arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

  TECHNICAL DETAILS

File Size: 530,432 bytes
File Type: DLL
Memory Resident: Yes
Initial Samples Received Date: 13 Jun 2022

Arrival Details

This Trojan Spy arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan Spy adds the following folders:

  • %System%\{random}
  • %AppDataLocal%\{random}

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.. %AppDataLocal% is the Local Application Data folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It drops and executes the following files:

  • %System%\{random}\{random characters}.{3 random characters}
  • %AppDataLocal%\{random}\{random characters}.{3 random characters}

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.. %AppDataLocal% is the Local Application Data folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It adds the following processes:

  • %System%\regsvr32.exe "%System%\{random}\{random characters}.{3 random characters}"
  • %System%\regsvr32.exe "%AppDataLocal%\{random}\{random characters}.{3 random characters}"

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.. %AppDataLocal% is the Local Application Data folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

Other System Modifications

This Trojan Spy adds the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
services\{File name of dropped file}
ImagePath = %System%\regsvr32.exe "%System%\{random}\{random characters}.{3 random characters}"

Other Details

This Trojan Spy connects to the following possibly malicious URL:

  • http://{BLOCKED}.{BLOCKED}.196.132:443
  • http://{BLOCKED}.{BLOCKED}.73.194:443
  • http://{BLOCKED}.{BLOCKED}.16.18:443
  • http://{BLOCKED}.{BLOCKED}.252.195:443
  • http://{BLOCKED}.{BLOCKED}.202.34:443
  • http://{BLOCKED}.{BLOCKED}.232.124:443
  • http://{BLOCKED}.{BLOCKED}.131.28:8080
  • http://{BLOCKED}.{BLOCKED}.227.76:8080
  • http://{BLOCKED}.{BLOCKED}.196.120:8080
  • http://{BLOCKED}.{BLOCKED}.163.214:443
  • http://{BLOCKED}.{BLOCKED}.112.196:8080
  • http://{BLOCKED}.{BLOCKED}.98.99:8080
  • http://{BLOCKED}.{BLOCKED}.28.102:8080
  • http://{BLOCKED}.{BLOCKED}.146.25:7080
  • http://{BLOCKED}.{BLOCKED}.240.217:443
  • http://{BLOCKED}.{BLOCKED}.99.3:8080
  • http://{BLOCKED}.{BLOCKED}.109.124:443
  • http://{BLOCKED}.{BLOCKED}.201.15:8080
  • http://{BLOCKED}.{BLOCKED}.124.41:7080
  • http://{BLOCKED}.{BLOCKED}.76.89:8080
  • http://{BLOCKED}.{BLOCKED}.8.30:8080
  • http://{BLOCKED}.{BLOCKED}.21.224:8080
  • http://{BLOCKED}.{BLOCKED}.28.33:8080
  • http://{BLOCKED}.{BLOCKED}.75.120:443
  • http://{BLOCKED}.{BLOCKED}.246:8080
  • http://{BLOCKED}.{BLOCKED}.88.10:8080
  • http://{BLOCKED}.{BLOCKED}.39.149:8080
  • http://{BLOCKED}.{BLOCKED}.226.45:443
  • http://{BLOCKED}.{BLOCKED}.115.99:8080
  • http://{BLOCKED}.{BLOCKED}.166.162:443
  • http://{BLOCKED}.{BLOCKED}.253.162:8080
  • http://{BLOCKED}.{BLOCKED}.28.199:8080
  • http://{BLOCKED}.{BLOCKED}.45.86:4143
  • http://{BLOCKED}.{BLOCKED}.150.244:8080
  • http://{BLOCKED}.{BLOCKED}.142.56:8080
  • http://{BLOCKED}.{BLOCKED}.66.124:8080
  • http://{BLOCKED}.{BLOCKED}.117.186:8080
  • http://{BLOCKED}.{BLOCKED}.0.91:8080
  • http://{BLOCKED}.{BLOCKED}.193.249:8080
  • http://{BLOCKED}.{BLOCKED}.135.165:8080
  • http://{BLOCKED}.{BLOCKED}.30.83:443
  • http://{BLOCKED}.{BLOCKED}.21.73:7080
  • http://{BLOCKED}.{BLOCKED}.2.232:8080
  • http://{BLOCKED}.{BLOCKED}.242.26:8080
  • http://{BLOCKED}.{BLOCKED}.188.93:443
  • http://{BLOCKED}.{BLOCKED}.140.115:443
  • http://{BLOCKED}.{BLOCKED}.79.14:8080
  • http://{BLOCKED}.{BLOCKED}.98.206:8080
  • http://{BLOCKED}.{BLOCKED}.35.198:8080
  • http://{BLOCKED}.{BLOCKED}.20.25:443
  • http://{BLOCKED}.{BLOCKED}.227.137:8080
  • http://{BLOCKED}.{BLOCKED}.24.231:80
  • http://{BLOCKED}.{BLOCKED}.222.101:443
  • http://{BLOCKED}.{BLOCKED}.66.193:8080
  • http://{BLOCKED}.{BLOCKED}.201.2:443
  • http://{BLOCKED}.{BLOCKED}.115.122:8080
  • http://{BLOCKED}.{BLOCKED}.20.155:443
  • http://{BLOCKED}.{BLOCKED}.251.154:8080
  • http://{BLOCKED}.{BLOCKED}.100.222:8080
  • http://{BLOCKED}.{BLOCKED}.140.238:7080
  • http://{BLOCKED}.{BLOCKED}.222.11:443
  • http://{BLOCKED}.{BLOCKED}.152.127:8080