TrojanSpy.Win32.RISEPRO.C

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Diese Malware hat keine Dateiinfektionsroutine.

Diese Malware hat keine Verbreitungsroutine.

Diese Malware hat keine Backdoor-Routine.

Sammelt bestimmte Informationen auf dem betroffenen Computer.

Verbindet sich mit einer bestimmten Website, um Daten zu versenden und zu empfangen.

Übertragungsdetails

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Infektionspunkte

Diese Malware hat keine Dateiinfektionsroutine.

Installation

Schleust eine Kopie von sich selbst in folgende Ordner ein, wobei verschiedene Dateinamen verwendet werden:

• %All Users Profile%\MPGPH131\MPGPH131.exe
• %AppDataLocal%\RageMP131\RageMP131.exe

Schleust die folgenden Dateien ein:

• %User Temp%\adobe{12 Random Characters}\Autofill\{Web Browser Name}_Default.txt
• %User Temp%\adobe{12 Random Characters}\CC\{Web Browser Name}_Default.txt
• %User Temp%\adobe{12 Random Characters}\Cookies\{Web Browser Name}_Default.txt
• %User Temp%\adobe{12 Random Characters}\Downloads\{Web Browser Name}_Default.txt
• %User Temp%\adobe{12 Random Characters}\Google Accounts\{Web Browser Name}_Default.txt
• %User Temp%\adobe{12 Random Characters}\information.txt → contains gathered system information
• %User Temp%\adobe{12 Random Characters}\passwords.txt → contains gathered passwords
• %User Temp%\adobe{12 Random Characters}\Plugins\{Web Browser Name}_Default.txt
• %User Temp%\adobe{12 Random Characters}\screenshot.png → screenshot of current display
• %User Temp%\adobe{12 Random Characters}\Wallets\{Web Browser Name}_Default.txt
• %User Temp%\heidi{12 Random Characters}\{12 Random Characters}Cookies
• %User Temp%\heidi{12 Random Characters}\{12 Random Characters}History
• %User Temp%\heidi{12 Random Characters}\{12 Random Characters}Login Data
• %User Temp%\heidi{12 Random Characters}\{12 Random Characters}Web Data
• %User Temp%\rage131MP.tmp
• %User Temp%\{23 Random Characters}.zip → Contains all gathered information, deleted afterwards

(Hinweis: %User Temp% ist der Ordner 'Temp' des aktuellen Benutzers, normalerweise C:\Dokumente und Einstellungen\{Benutzername}\Lokale Einstellungen\Temp unter Windows 2000(32-bit), XP und Server 2003(32-bit) und C:\Users\{Benutzername}\AppData\Local\Temp unter Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) und 10(64-bit).)

Fügt die folgenden Prozesse hinzu:

• schtasks /create /f /RU "{Username}" /tr "%All Users Profile%\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
• schtasks /create /f /RU "{Username}" /tr "%All Users Profile%\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST

Erstellt die folgenden Ordner:

• %All Users Profile%\MPGPH131
• %AppDataLocal%\RageMP131
• %User Temp%\adobe{12 Random Characters}
• %User Temp%\adobe{12 Random Characters}\Autofill
• %User Temp%\adobe{12 Random Characters}\CC
• %User Temp%\adobe{12 Random Characters}\Cookies
• %User Temp%\adobe{12 Random Characters}\Downloads
• %User Temp%\adobe{12 Random Characters}\FTP
• %User Temp%\adobe{12 Random Characters}\FTP\FileZilla
• %User Temp%\adobe{12 Random Characters}\FTP\TotalCommander
• %User Temp%\adobe{12 Random Characters}\Games
• %User Temp%\adobe{12 Random Characters}\Games\Battle.net
• %User Temp%\adobe{12 Random Characters}\Games\FeatherClient
• %User Temp%\adobe{12 Random Characters}\Games\Growtopia
• %User Temp%\adobe{12 Random Characters}\Games\LunarClient
• %User Temp%\adobe{12 Random Characters}\Games\Minecraft
• %User Temp%\adobe{12 Random Characters}\Games\Steam
• %User Temp%\adobe{12 Random Characters}\Games\TLauncher
• %User Temp%\adobe{12 Random Characters}\Google Accounts
• %User Temp%\adobe{12 Random Characters}\Messengers
• %User Temp%\adobe{12 Random Characters}\Messengers\Element
• %User Temp%\adobe{12 Random Characters}\Messengers\ICQ
• %User Temp%\adobe{12 Random Characters}\Messengers\Pidgin
• %User Temp%\adobe{12 Random Characters}\Messengers\Signal
• %User Temp%\adobe{12 Random Characters}\Messengers\Skype
• %User Temp%\adobe{12 Random Characters}\Messengers\Tox
• %User Temp%\adobe{12 Random Characters}\Plugins
• %User Temp%\adobe{12 Random Characters}\VPN
• %User Temp%\adobe{12 Random Characters}\VPN\OpenVPN Connect
• %User Temp%\adobe{12 Random Characters}\Wallets
• %User Temp%\heidi{12 Random Characters}
• %User Temp%\heidi{12 Random Characters}\{12 Random Characters}Cookies
• %User Temp%\heidi{12 Random Characters}\{12 Random Characters}History
• %User Temp%\heidi{12 Random Characters}\{12 Random Characters}Login Data
• %User Temp%\heidi{12 Random Characters}\{12 Random Characters}Login Data For Account
• %User Temp%\heidi{12 Random Characters}\{12 Random Characters}Web Data

(Hinweis: %User Temp% ist der Ordner 'Temp' des aktuellen Benutzers, normalerweise C:\Dokumente und Einstellungen\{Benutzername}\Lokale Einstellungen\Temp unter Windows 2000(32-bit), XP und Server 2003(32-bit) und C:\Users\{Benutzername}\AppData\Local\Temp unter Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) und 10(64-bit).)

Autostart-Technik

Fügt folgende Registrierungseinträge hinzu, um bei jedem Systemstart automatisch ausgeführt zu werden.

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
RageMP131 = %AppDataLocal%\RageMP131\RageMP131.exe

Verbreitung

Diese Malware hat keine Verbreitungsroutine.

Backdoor-Routine

Diese Malware hat keine Backdoor-Routine.

Datendiebstahl

Sammelt die folgenden Informationen auf dem betroffenen Computer:

• System Information:
  • Malwre Build Number
  • Machine ID
  • GUID
  • HWID
  • Current Execution Path
  • Working Directory
  • IP Address
  • Location
  • OS Version
  • Computer Name
  • User Name
  • Display Resolution
  • Language
  • Current Time
• Hardware Information:
  • Processor
  • CPU Count
  • RAM Amount
  • Video Card
• List of Running Processes
• List of Installed Applications
• Screenshot of Current Display

Andere Details

Verbindet sich mit der folgenden Website, um Daten zu versenden und zu empfangen:

• tcp://{BLOCKED}.{BLOCKED}.132.74:58709

Es macht Folgendes:

• It connects to the following URLs to get the affected system's location:
  • https://d{BLOCKED}.com/demo/home.php?s={IP Address of Affected Machine}
  • https://i{BLOCKED}fo.io/widget/demo/{IP Address of Affected Machine}
  • https://www.{BLOCKED}ind.com/geoip/v2.1/city/me
• It terminates itself if the country code of the IP address location is any of the following:
  • RU
  • KZ
  • BY
  • AM
  • UZ
  • MD
  • KG
  • TJ
  • UA
  • AZ
• It exfiltrates browser data (e.g. autofills, browsing history, cookies, download history, credentials/passwords, credit card data, browser extensions) from the following web browsers:
  • 360Browser
  • 7Star
  • Amigo
  • Atom
  • Black Hawk
  • Brave
  • CentBrowser
  • Chedot
  • Chrome
  • Chrome (x86)
  • ChromePlus
  • Chromium
  • Chromodo
  • Citrio
  • CocCoc
  • Comodo Dragon
  • Comodo Ice Dragon
  • Coowon
  • CryptoTab
  • Cyberfox
  • Edge
  • Elements Browser
  • Epic Privacy Browser
  • Firefox
  • Iridium
  • K-Melon
  • Kometa
  • liebao
  • Maxthon3
  • NetboxBrowser
  • Nichrome
  • Opera
  • Opera GX
  • Orbitum
  • Pale Moon
  • QIP SURF
  • SeaMonkey
  • Sleipnir5
  • Sputnik
  • Torch
  • UCozMedia
  • Uran
  • Vivaldi
  • Waterfox
  • Yandex
• It exfiltrates data found on the following applications:
  • Discord
  • DiscordCanary
  • DiscordPTB
  • DiscordDevelopment
  • NVIDIA GeForce Experience
  • OpenVPN Connect
  • Telegram Desktop
• It exfiltrates data on the following crypto wallets:
  • Anoncoin
  • Armory
  • Atomic
  • BBQCoin
  • Bitcoin
  • Coinomi
  • Daedalus Mainnet
  • DashCore
  • devcoin
  • digitalcoin
  • Dogecoin
  • ElectronCash
  • Electrum
  • Electrum-LTC
  • Ethereum
  • Exodus
  • Florincoin
  • Franko
  • Freicoin
  • GoldCoin (GLD)
  • Guarda
  • Infinitecoin
  • IOCoin
  • Ixcoin
  • Ledger Live
  • Liberty Jaxx
  • Litecoin
  • Megacoin
  • Mincoin
  • Monero
  • Namecoin
  • Primecoin
  • Reddcoin
  • Terracoin
  • WalletWasabi
  • YACoin
  • Zcash
• It exfiltrates the following browser wallet extensions and 2FA appilications:
  • Authenticator
  • bhghoamapcdpbohphigoooaddinpkbai
  • Metamask
  • nkbihfbeogaeaoehlefnkodbefgpgknn
  • Jaxx Liberty Extension
  • cjelfplplebdjjenllpjcblmjkfcffne
  • iWallet
  • kncchdigobghenbbaddojjnnaogfppfj
  • BitAppWallet
  • fihkakfobkmkjojpchpfgcmhfjnmnfpi
  • SaturnWallet
  • nkddgncdjgjfcddamfgcmfnlhccnimig
  • Guildwallet
  • nanjmdknhkinifnkgdcggcfnhdaammmj
  • MewCX
  • nlbmnnijcnlegkjjpcfjclmcfggfefdm
  • Wombat
  • amkmjjmmflddogmhpjloimipbofnfjih
  • CloverWallet
  • nhnkbkgjikgcigadomkphalanndcapjk
  • NeoLine
  • cphhlgmgameodnhkjdmkpanlelnlohao
  • RoninWallet
  • fnjhmkhhmkbjkkabndcnnogagogbneec
  • LiqualityWallet
  • kpfopkelmapcoipemfendmdcghnegimn
  • EQUALWallet
  • blnieiiffboillknjnepogjhkgnoapac
  • Guarda
  • hpglfhgfnhbgpjdenjgmdgoeiappafln
  • Coinbase
  • hnfanknocfeofbddgcijnmhnfnkdnaad
  • NiftyWallet
  • jbdaocneiiinmjbjlgalhcelgbejmnid
  • Yoroi
  • ffnbelfdoeiohenkjibnmadjiehjhajb
  • BinanceChainWallet
  • fhbohimaelbohpjbbldcngcnapndodjp
  • TronLink
  • ibnejdfjmmkpcnlpebklmnkoeoihofec
  • Phantom
  • bfnaelmomeimhlpmgjnjophhpkkoljpa
  • Oxygen
  • fhilaheimglignddkjgofkcbgekhenbh
  • PaliWallet
  • mgffkfbidihjpoaomajlbgchddlicgpn
  • Bolt X
  • aodkkagnadcbobfpggfnjeongemjbjca
  • ForboleX
  • fmblappgoiilbgafhjklehhfifbdocee
  • XDEFI Wallet
  • hmeobnfnfcmdkdcmlblgagmfpfboieaf
  • Maiar DeFi Wallet
  • dngmlblcodfobpdpecaadgfbcggfjfnm
  • KardiaChain
  • pdadjkfkgcafgbceimcpbkalnfnepbnk
  • coin98
  • aeachknmefphepccionboohckonoeemg
  • Terra
  • aiifbnbfobpmeekipheeijimdpnlpgpp
  • Harmony
  • fnnegphlobjdpkhecapkijjdkgcjhkib
  • Nami
  • lpfcbjknijpeeillifnkikgncikgfhdo
  • Exodus_E
  • aholpfdialjgjfhomihkjbmgjidlcdno
  • MathWallet
  • afbcbjpbpfadlkmhmclhkeeodmamcflc
  • Keplr
  • dmkamcknogkgcdfhhbddcghachkejeap
  • Sollet
  • fhmfendgdocmcbmfikdcogofphimnkno
  • AuroWallet
  • cnmamaachppnkjgnildpdmkaakejnhae
  • PolymeshWallet
  • jojhfeoedkpkglbfimdfabpdfjaoolaf
  • ICONex
  • flpiciilemghbmfalicajoolhkkenfel
  • EVER Wallet
  • cgeeodpfagjceefieflmdfphplkenlfk
  • Rabby
  • acmacodkjbdgmoleebolmdjonilkdbch
  • BraveWallet
  • odbfpeeihdkbihmopkbjmoonfanlbfcl
  • WavesKeeper
  • lpilbniiabackdjcionkobglmddfbcjo
  • Solflare
  • bhhhlbepdkbapadjdnnojkbgioiodbic
  • CyanoWallet
  • dkdedlpgdmmkkfjabffeganieamfklkm
  • KHC
  • hcflpincpppdclinealmandijcmnkbgn
  • TezBox
  • mnfifefkajgofkcjkemidiaecocnkjeh
  • Temple
  • ookjlbkiijinhpmnjffcofjonbfbgaoc
  • Goby
  • jnkelfanjkeadonecabehalmbgpfodjm
  • Braavos wallet
  • jnlgamecbpmbajjfhmmmlhejkemejdma
  • Eth and Polk Web3 Wallet
  • kkpllkodjeloidieedojogacfhpaihoh
  • OKX Wallet
  • mcohilncbfahbmgdjkbpemcciiolgcge
  • Sender Wallet
  • epapihdplajcdnnkdeiahlgigofloibg
  • Hashpack
  • gjagmgiddbbciopjhllkdnddhcglnemk
  • Eternl
  • kmhcihpebfmpgmihbkipmjlmmioameka
  • GeroWallet
  • bgpipimickeadkjlklgciifhnalhdjhe
  • Pontem Aptos Wallet
  • phkbamefinggmakgklpkljjmgibohnba
  • Petra Aptos Wallet
  • ejjladinnckdgjemekebdpeokbikhfci
  • Opera Wallet
  • gojhcdgcpbpfigcaejpfhfegekdgiblk
  • EMartian Aptos Wallet
  • efbglgofoippbgcjepnhiblaibcnclgk
  • Finnie
  • cjmkndjhnagcfbpiemnkdpomccnjblmj
  • Leap Terra Wallet
  • aijcbedoijmgnlmjeegjaglmepbmpkpi
  • Trust Wallet
  • egjidjbpglichdcondbcbdnbeeppgdph
  • Magic Eden Wallet
  • mkpegjkblkkefacfnmkajcjmabijhclg
  • Backpack
  • aflkmfhebedbjioipglgcbcmnbpgliof
  • MetaMask Edge
  • ejbalbakoplchlghecdalmeeeajnimhm
  • Venom
  • ojggmchlghnjlapmfbnjholfjkiidbch
  • Sui
  • opcgpfmipidbgpenhmajoajpbobppdil
  • Fewcha
  • ebfidpplhabeedpnhjnobghokpiioolj
  • Core
  • agoakfejjabomempkjlepdflaleeobhb
  • Tokenpocket
  • mfgccjchihfkkindfppnaooecgfneiii
  • Safepal
  • lgmpcpglpngdoalbgeoldeajfclnhafa
  • Kaikas
  • jblndlipeogpafnldhgmapagcccfchpi
  • XMR.PT
  • eigblbgjknlfbajkfhopmcojidlgcehm
  • Goblin Wallet
  • ghpilmjholiicaobfjdkefcogmgaabif
  • EOS Authenticator
  • oeljdldpnmdbchonielidgobddffflal
  • GAuth Authenticator
  • ilgcnhelpchnceeipipijaljkblbcobl
  • Trezor Password Manager
  • imloifkgjagghnncjkhggdhalmcnfklk
  • MYKI
  • bmikpgodpkclnkgmnpphehdgcimmided
  • Splikity
  • jhfjfclepacoldmjmkmdlmganfaalklb
  • CommonKey
  • chgfefjpcobfbnpmiokfjjaglahmnded
  • Zoho Vault
  • igkpcodhieompeloncfnbekccinhapdb
  • Norton Password Manager
  • admmjipmmciaobhojoghlmleefbicajg
  • Avira Password Manager
  • caljgklbbfbcjjanaijlacgncafpegll
• It exfiltrates user credentials found on the following email clients:
  • Outlook
  • Thunderbird
• It exfiltrates user credentials found on the following gaming applications:
  • Battle.net
  • FeatherCLient
  • Growtopia
  • LunarClient
  • Minecraft
  • Steam
  • TLauncher
• It exfiltrates user credentials found on the following messaging clients:
  • Element
  • ICQ
  • Pidgin
  • Skype
  • Tox
• It exfiltrates user data found on the following FTP clients:
  • FileZilla
  • TotalCommander