TrojanSpy.Win32.VIDAR.YXDFTZ

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Übertragungsdetails

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

Schleust die folgenden Dateien ein:

• %ProgramData%\freebl3.dll
• %ProgramData%\mozglue.dll
• %ProgramData%\msvcp140.dll
• %ProgramData%\nss3.dll
• %ProgramData%\softokn3.dll
• %ProgramData%\vcruntime140.dll

Fügt die folgenden Prozesse hinzu:

• {Malware Path}\{Malware Name}
• %System%\cmd.exe /c timeout /t 6 & del /f /q "{Malware path}" & exit

(Hinweis: %System% ist der Windows Systemordner. Er lautet in der Regel C:\Windows\System unter Windows 98 und ME, C:\WINNT\System32 unter Windows NT und 2000 sowie C:\Windows\System32 unter Windows 2000(32-bit), XP, Server 2003(32-bit), Vista, 7, 8, 8.1, 2008(64-bit), 2012(64bit) and 10(64-bit).)

Datendiebstahl

Folgende Daten werden gesammelt:

• Browser Data (e.g. Cookies,History,Autofills,Credentials,Credit Card):
  • Mozilla Firefox
  • Pale Moon
  • Opera
  • Opera Crypto Stable
  • Opera GX Stable
  • Opera Stable
  • Google Chrome
  • Chromium
  • Amigo
  • Torch
  • Vivaldi
  • Comodo Dragon
  • Epic Privacy Browser
  • CocCoc
  • Brave
  • Cent Browser
  • 7Star
  • TOR Browser
  • Chedot Browser
  • Microsoft Edge
  • Microsoft Edge Canary
  • Microsoft Edge Beta
  • Microsoft Edge Dev
  • 360 Browser
  • QQBrowser
  • CryptoTab Browser
  • Thunderbird
• Cryptocurrency Wallet Data:
  • Ethereum
  • Electrum
  • Exodus
  • ElectronCash
  • Multidoge
  • Jaxx Desktop Old
  • Jaxx Desktop
  • Atomic
  • Binance
  • Coinomi
  • Daedalus Mainnet
  • Blockstream Green
  • Wasabi Wallet
  • Bitcoin Core
  • Dogecoin
• Cryptocurrency Browser Extensions:
  • Tronium
  • Trust Wallet
  • Exodus Web3 Wallet
  • Braavos
  • Enkrypt
  • OKX Web3 Wallet
  • Sender
  • Hashpack
  • Eternl
  • GeroWallet
  • Pontem Wallet
  • Petra Wallet
  • Martian Wallet
  • Finnie
  • Leap Terra
  • Microsoft AutoFill
  • Bitwarden
  • KeePass Tusk
  • KeePassXC-Browser
• System Information:
  • Time and Date
  • Version
  • MachineID
  • GUID
  • HWID
  • Malware File Path
  • Work Directory
  • Product Name
  • OS Version and Architecture
  • Install date of OS
  • Antivirus Products
  • Computer Name
  • User Name
  • Dsiplay Resolution
  • Display Language
  • Keyboard Language
  • Local Time
  • Time Zone
• Hardware Information:
  • Processor
  • # of Core
  • # of Threads
  • RAM
  • Video Card
• Runnning Processes
• Installed Software
• Screenshot of current display
• Accounts:
  • Telegram
  • Steam
  • Discord

Entwendete Daten

Sendet die gesammelten Daten über HTTP-POST an den folgenden URL:

• http://{BLOCKED}.{BLOCKED}.{BLOCKED}.250

Andere Details

Es macht Folgendes:

• It terminates itself if any of the following computer name(s) are found in the affected system:
  • JohnDoe
  • HAL9TH
• Drops files in %ProgramData% directory with random names containing the stolen informations then deletes it after exfiltration