TrojanSpy.Win32.CASBANEIRO.RG
2024年10月14日
平台:
Windows
总體(tǐ)风险等级:
潜在破坏:
潜在分(fēn)布:
感染次数:
信息暴露:
恶意软件类型:
Trojan Spy
有(yǒu)破坏性?:
没有(yǒu)
加密?:
是的
In the Wild:
是的
概要
感染途徑: 从互联网上下载, 下载了其他(tā)恶意软件
它以文(wén)件的形式出现在系统中(zhōng),可(kě)能(néng)是其他(tā)恶意软件投放的,或者是用(yòng)户在访问恶意网站时无意中(zhōng)下载的。
它执行遠(yuǎn)程恶意用(yòng)户的命令,有(yǒu)效地攻击受感染的系统。 它连接到网站,发送和接收信息。
它记录用(yòng)户的按键,窃取信息。
技(jì )术详细信息
文(wén)件大小(xiǎo): 110772095 bytes
报告日期: DLL
内存驻留: 是的
初始樣本接收日期: 2024年10月2日
Payload: 连接到 URL/Ip, 植入文(wén)件, 收集系统信息, 窃取信息, 修改系统注册表
新(xīn)病毒详细信息
它以文(wén)件的形式出现在系统中(zhōng),可(kě)能(néng)是其他(tā)恶意软件投放的,或者是用(yòng)户在访问恶意网站时无意中(zhōng)下载的。
安(ān)装(zhuāng)
它植入下列文(wén)件:
- %Public%\Documents\HOME.tmp
它添加下列进程:
- https://{BLOCKED}licalcados.shop/modulo/ → if %Public%\Documents\HOME.tmp does not exist
自启动技(jì )术
它添加下列注册表项,在系统每次启动时自行执行:
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
Car{5 Random Characters} = {Loader File Path}\{Loader File Name}.exe
后门例程
它执行遠(yuǎn)程恶意用(yòng)户的下列命令:
- <|ALINHA_TELA|>
- <|BEST|>
- <|CARGASI|>
- <|FECHAR_RECORTE|>
- <|FECHASI_TELA|>
- <|KEYBOARD|>
- <|OK|> → Send an <|Info|> packet back to the C2 server
- <|PING|> → Heartbeat command that sends <|PONG|> packet back to the C2 server
- <|PRINCIPAL|>
- <|QUADRADO_FECHADO|>
- <|RECCCCCC|>
- <|RECORT2018|>
- <|RECORT2020|>
- <|RECVS|>
- <|REQUESTKEYBOARD|>
- <|TAMANHO|>
- Execute Arbitrary Commands
它连接到下列网站,发送和接收信息:
- http://{BLOCKED}e.com.br/AEIOU/index.php?#HGUYG6758765vUHVUYIV
- http://{BLOCKED}stalar.me/brstorm/getdata.php
- http://{BLOCKED}stalar.me/messages.zip
- http://{BLOCKED}ydesk.online/xxx.txt
- https://{BLOCKED}ogle.com/document/u/0/export?format=txt&id={BLOCKED}9jQYFPhwJfSSR6g67XDroAJeyuofLD4KiDsB_M
- https://{BLOCKED}ogle.com/document/u/0/export?format=txt&id={BLOCKED}rXM-ISJrLq3fiFgDag9KUdUnZb3QIo6VJYBWno
- https://{BLOCKED}ogle.com/document/u/0/export?format=txt&id={BLOCKED}TMf-t6z0AVQuZIagntGVtfEX4FiFFGkHp99NTYk
- https://{BLOCKED}ogle.com/document/u/4/export?format=txt&id={BLOCKED}Mfx_Ed_XRm0veUu8cvKDt3pgsBii3nzbNO1V-o
- https://{BLOCKED}ogle.com/document/u/4/export?format=txt&id={BLOCKED}nOq3uCrnken6nxpsV7doKZddt1Pe6ENIWTreW0
- https://{BLOCKED}ogle.com/document/u/4/export?format=txt&id={BLOCKED}n3o4Ncjt2A7l0QYyO-WHmfXGzAVP5-EqiqoOUo
- https://{BLOCKED}ogle.com/document/u/4/export?format=txt&id={BLOCKED}qJD792RDtAgMYd3xt0yiOHprfQKynu1yIK6P0Q
- https://{BLOCKED}ogle.com/document/u/4/export?format=txt&id={BLOCKED}wbY_5WouaywEKCaSclTZHznClfuO9FTigbqKQ
- https://{BLOCKED}ogle.com/document/u/4/export?format=txt&id={BLOCKED}7oXDFhR9OjcydAWd7HtUAPz4bbBdoTI0xu3gU
- https://{BLOCKED}ogle.com/document/u/4/export?format=txt&id={BLOCKED}nPbKNR35VUkgnzk06sqNgXLuY_3RuRfxTVc8aw
- https://{BLOCKED}ogle.com/file/d/{BLOCKED}Y494DvAuW1XNV6ANNdhUgeycVjq3H/view
- https://{BLOCKED}oogle.com/uc?authuser=0&id={BLOCKED}iHcpW41LVyRB0sefNrst7hKAzl0&export=download
- https://{BLOCKED}oogle.com/uc?authuser=0&id={BLOCKED}yR6VHERIPpdO6MrV3fh7qadvqI-&export=download
- https://{BLOCKED}oogle.com/uc?authuser=0&id={BLOCKED}d5jnMcF1PJ_jZqfPiI4ZjuwMatn&export=download
- https://{BLOCKED}oogle.com/uc?authuser=0&id={BLOCKED}bNcPqKKMjTUmaNU7NmiFwhF3jfJ&export=download
- https://{BLOCKED}oogle.com/uc?authuser=0&id={BLOCKED}W-fUhIu121-dffSkd2zJonTmC0&export=download
- https://{BLOCKED}oogle.com/uc?authuser=0&id={BLOCKED}p3XGdauZjlbTD8HUAUEWt79oxno&export=download
- https://{BLOCKED}oogle.com/uc?authuser=0&id={BLOCKED}wA8bBF8r0RLQPQtNp4F4OTDCiJG&export=download
- https://{BLOCKED}oogle.com/uc?authuser=0&id={BLOCKED}ZQ9H1cF0A6axJnF08XRLKtWqnVk&export=download
- https://{BLOCKED}oogle.com/uc?authuser=0&id={BLOCKED}Q0qWN70oY6QIbVXJK7u40A2Re4R&export=download
- https://{BLOCKED}oogle.com/uc?authuser=0&id={BLOCKED}WPCgS7PcQhKZieAdXWgD3iyeTFQ&export=download
- https://{BLOCKED}oogle.com/uc?authuser=0&id={BLOCKED}4B5r3Eulp7Z_dJu9ZayAh46P5iH&export=download
- https://{BLOCKED}oogle.com/uc?authuser=0&id={BLOCKED}fDHEbJlkieTSi9f8iYmHsAY1lk&export=download
- https://{BLOCKED}oogle.com/uc?authuser=0&id={BLOCKED}ycVl8nvqo6XO-ClJ4OMnOnDWxSq&export=download
- https://{BLOCKED}oogle.com/uc?authuser=0&id={BLOCKED}Btodcroz8-LPk8MSEvvu9VU888e&export=download
- https://{BLOCKED}oogle.com/uc?authuser=0&id={BLOCKED}X6NpOM7NLUEHSQmnBkRmtr9o6tz&export=download
- https://{BLOCKED}oogle.com/uc?authuser=0&id={BLOCKED}wqX3rF3QEQXNjH_jcZqPLiWy2uz&export=download
- https://{BLOCKED}oogle.com/uc?authuser=0&id={BLOCKED}kltSIkaHP-_1XHDQqW44pndIpNG&export=download
- https://{BLOCKED}oogle.com/uc?authuser=0&id={BLOCKED}JOXSBQvqqpuc9-PO9KlJ5Byji52&export=download
- https://{BLOCKED}oogle.com/uc?authuser=0&id={BLOCKED}UCl3TRBX_QqpZ21GjAofB88RPvn&export=download
- https://{BLOCKED}oogle.com/uc?authuser=0&id={BLOCKED}T3mTWGhlnUnGFAH7MerS6jXMXM9&export=download
- https://{BLOCKED}oogle.com/uc?authuser=0&id={BLOCKED}vuVEeT7HqFOp28jzTfamTx3CBh4&export=download
- https://{BLOCKED}oogle.com/uc?authuser=0&id={BLOCKED}iBsbzOgPi4nL2WoGcJq5yIL8&export=download
- https://{BLOCKED}oogle.com/uc?authuser=0&id={BLOCKED}Z-Swx9HkizMi8VG3lf8nKNxhJtj&export=download
- https://{BLOCKED}oogle.com/uc?authuser=0&id={BLOCKED}F2rWfDJdZcWUjOE2kiVI-bCFyHP&export=download
- https://{BLOCKED}oogle.com/uc?authuser=0&id={BLOCKED}ZJJmomAT9Wiqfz6YHSrdw-9pCQa&export=download
- https://{BLOCKED}oogle.com/uc?authuser=0&id={BLOCKED}vVBYyB-qfHa-hc9nPdlWq9JsId&export=download
信息窃取
它收集下列数据:
- From the infected machine:
- OS version
- OS architecture (32-bit or 64-bit)
- Computer Name
- User Name
- IP and Geolocation of the Infected machine
- Screenshot of the Affected System
- From the user:
- Banking credentials (i.e. username, password, security code, etc.)
它记录用(yòng)户的按键,窃取信息。
其他(tā)详细信息
该程序执行以下操作(zuò):
- It requires to be decrypted by its loader in order to run successfully.
- It connects to the following URL to identify the affected machine's geolocation:
- http://{BLOCKED}i.com/json/
- It can start or stop the Desktop Window Manager using the following commands:
- cmd.exe /C net start uxsms
- cmd.exe /C net stop uxsms
- It can hide and unhide the Windows task bar.
- It can control and simulate mouse clicks and movements.
- It can restart the affected system.
- It can delete the following folders:
- %ProgramData\nameAPP
- %ProgramData\nameCAIXA
- %ProgramData\regita
- %ProgramData\reg8
- %ProgramData\namePC
- %ProgramData\txtA
- %ProgramData\txtC
- It can terminate the following processes:
- c6bank.exe
- iexplore.exe
- firefox.exe
- chrome.exe
- opera.exe
- office.exe
- AplicativoBradesco.exe
- itauaplicativo.exe
- MicrosoftEde.exe
- MicrosoftEdgeCP.exe
- NavegadorExclusivoBradesco.exe
- It monitors if the victim will access specific banking websites and create an overlay window over the legitimate web browser window and connect them to the C&C server.
- It identifies specific bank/banking-related websites by looking for the following strings:
- © Santander
- © Banco do Brasil
- santander
- banco do brasil
- bancobrasil.com.br
- bb clt
- auto atendimento banco do brasil
- bb pj
- netbankingcai
- internet banking
- ofertas para empresas
- sicoob es
- - sicoob -
- sicoobnet
- sistema de cooperativas de crédito
- banco do nordeste
- mercado bitcoin
- banco mufg brasil
- abc brasil
- unicred
- cresol
- banco paulista
- credisis
- pagueveloz
- banese
- banco original
- banco digital
- superdigital
- banco sofisa direto
- safrapay
- pine online
- Banco Sofisa
- credit suisse
- tribanco online
- banco da amazônia
- advanced - painel de clientes
- banco alfa
- contasuper
- conta super empresas
- desbank
- banco sofisa direto
- btg pactual
- bem vindo ao seu bmg
- login | ativa investimentos
- ibi on-line
- acesso restrito - banco cedula
- banco cetelem
- fair corretor
- banco fibra
- banco industrial do brasil
- bem-vindo ao seu banco
- keb hana
- banco luso
- bancornx
- modal banking
- banking
- bancogenial
- banco genial
- banco paulista
- banco pine
- banco brp
- bancosemear
- e-moneyger
- banco topazio
- tribanco
- banco tricury
- cecoop
- ccb brasil
- cm capital
- login corporate
- credisan
- extrato associados
- credsol
- home - frete corretora
- getmoney
- guide|login
- nova futura
- nbc bank
- omni - area do cliente
- cadastro|parmetal
- banco|senff
- servicoop
- travelex bank
- uniprime central nacional
- banco fidis
- psa banco
- banco randon
- finamax
- santinvest - home
- fitbank
- hiperbanco
- conta digital
- bandeprev
- bocom bbm
- banda da amazônia
- banco fibra
- banco industrial
- netbaking
- banco master
- banco mufg
- banco rendimento
- grafeno
- binance
- novadax
- bitcoin
- criptomoedas
- bitypreco
- cripto
- btg empresas
- banco safra
- efi - login
- mercado pago
- The following are samples of the overlay that the malware will create:
解决方案
最小(xiǎo)扫描引擎: 9.800
First VSAPI Pattern File: 19.650.08
VSAPI 第一样式发布日期: 2024年10月14日
VSAPI OPR样式版本: 19.651.00
VSAPI OPR样式发布日期: 2024年10月15日
Step 1
对于Windows ME和XP用(yòng)户,在扫描前,请确认已禁用(yòng)系统还原功能(néng),才可(kě)全面扫描计算机。
Step 2
注意:在此恶意软件/间谍软件/灰色软件执行期间,并非所有(yǒu)文(wén)件、文(wén)件夹和注册表键值和项都会安(ān)装(zhuāng)到您的计算机上。这可(kě)能(néng)是由于不完整的安(ān)装(zhuāng)或其他(tā)操作(zuò)系统条件所致。如果您没有(yǒu)找到相同的文(wén)件/文(wén)件夹/注册表信息,请继续进行下一步操作(zuò)。
Step 3
重启进入安(ān)全模式
[ 更多(duō) ]
Step 4
删除该注册表值
[ 更多(duō) ]
注意事项:错误编辑Windows注册表会导致不可(kě)挽回的系统故障。只有(yǒu)在您掌握后或在系统管理(lǐ)员的帮助下才能(néng)完成这步。或者,请先阅读Microsoft文(wén)章,然后再修改计算机注册表。
- In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- Car{5 Random Characters} = {Loader File Path}\{Loader File Name}.exe
- Car{5 Random Characters} = {Loader File Path}\{Loader File Name}.exe
Step 5
搜索和删除该文(wén)件
[ 更多(duō) ]
有(yǒu)些组件文(wén)件可(kě)能(néng)是隐藏的。请确认在高级选项中(zhōng)已选中(zhōng)搜索隐藏文(wén)件和文(wén)件夹复选框,使查找结果包括所有(yǒu)隐藏文(wén)件和文(wén)件夹。 - %Public%\Documents\HOME.tmp
Step 6
重启进入正常模式,使用(yòng)亚信安(ān)全产(chǎn)品扫描计算机,检测TrojanSpy.Win32.CASBANEIRO.RG文(wén)件 如果检测到的文(wén)件已被亚信安(ān)全产(chǎn)品清除、删除或隔离,则无需采取进一步措施。可(kě)以选择直接删除隔离的文(wén)件。请参阅知识库页(yè)面了解详细信息。