Trojan.BAT.SORVEPOTEL.SMYAFJB
Windows

マルウェアタイプ:
トロイの木馬型
破壊活動の有無:
なし
暗号化:
なし
感染報告の有無 :
はい
概要
マルウェアは、他のマルウェアに作成されるか、悪意あるWebサイトからユーザが誤ってダウンロードすることによりコンピュータに侵入します。
詳細
侵入方法
マルウェアは、他のマルウェアに作成されるか、悪意あるWebサイトからユーザが誤ってダウンロードすることによりコンピュータに侵入します。
ダウンロード活動
マルウェアは、以下のWebサイトにアクセスし、不正なファイルをダウンロードして実行します。
- https://{BLOCKED}iveuser.com/api/itbi/startup/9a87c6c3017f48cfa4358a2ff50b2575
- Receives a PowerShell script from the URL and loads a .NET DLL reflectively which does the following:
- Checks if current process is executing as Admin
- Terminates itself if found either of the following processes:
- ollydebug
- x64debug
- windbg
- immunity
- ida
- ghidra
- wireshark
- fiddler
- burp
- apimonitor
- Shows the following if one of the mentioned processes is found:
- Receives a PowerShell script from the URL and loads a .NET DLL reflectively which does the following:
- Next stage:
- https://{BLOCKED}iveuser.com/api/v1/{Hashed GUID-based Endpoint Identifier A} → PowerShell script A
- https://{BLOCKED}iveuser.com/api/v1/{Hashed GUID-based Endpoint Identifier B} → PowerShell script B
- Which adds the following process twice to inject next stage to:
- %System%\WindowsPowerShell\v1.0\powershell_ise.exe
- The executable from injected shellcode in PowerShell A does the following:
- It drops the following files:
- %User Startup%\HealthApp-{6 Random Characters from Generated GUID}.bat
- It connects to the following URL to send information:
- https://{BLOCKED}iveuser.com/api/warnings
- It identifies running processes windows if it has navegador exclusivo bradesco then returns banco.braedsco
- If not, it acquires the current URL from the following browsers:
- chrome
- firefox
- msedge
- brave
- iexplore
- If not, it acquires the current URL from the following browsers:
- It monitors for the following URLs from the mentioned web browsers:
- {BLOCKED}rasil.com.br
- {BLOCKED}b.com.br
- {BLOCKED}a.gov.br
- gerenciador.{BLOCKED}a.gov.br
- loginx.{BLOCKED}a.gov.br
- banco.{BLOCKED}co
- {BLOCKED}co.com.br
- cidadetran.{BLOCKED}co
- ne12.{BLOCKED}conetempresa.b.br
- {BLOCKED}e.com
- {BLOCKED}obitcoin.com.br
- {BLOCKED}ntrade.com.br
- electrum
- {BLOCKED}t.com.br
- {BLOCKED}hain.com
- accounts.{BLOCKED}e.com
- pf.{BLOCKED}dernet.com.br
- pj.{BLOCKED}dernetibe.com.br
- {BLOCKED}u.com.br
- {BLOCKED}i.com.br
- ibpj.{BLOCKED}i.com.br
- ibpf.{BLOCKED}i.com.br
- nel.{BLOCKED}b.gov.br
- {BLOCKED}ercadopago.com.br
- meu.{BLOCKED}al.com.br
- empresas.{BLOCKED}al.com.br
- ibpj.{BLOCKED}al.com.br
- {BLOCKED}ul.com.br
- internetbanking.{BLOCKED}a.b.br
- ib.{BLOCKED}a.b.br
- www2s.{BLOCKED}mazonia.com.br
- ecode.{BLOCKED}al.com.br
- {BLOCKED}tildobrasil.com.br
- {BLOCKED}e.com.br
- {BLOCKED}an.com.br
- {BLOCKED}d.com.br
- {BLOCKED}a.com.br
- {BLOCKED}mpresas.com.br
- ib.{BLOCKED}e.com.br
- {BLOCKED}e.com.br
- {BLOCKED}mg.com.br
- {BLOCKED}knet.brb.com.br
- internetbanking.{BLOCKED}ol.com.br
- {BLOCKED}co.com.br
- {BLOCKED}isbank.com.br
- {BLOCKED}an.com.br
- {BLOCKED}s2.com.br
- {BLOCKED}ibra.com.br
- {BLOCKED}mebr.com.br
- {BLOCKED}me.com.br
- {BLOCKED}opazio.com.br
- {BLOCKED}s.com
- {BLOCKED}rect.com
- {BLOCKED}es.b.br
- {BLOCKED}nk.com.br
- {BLOCKED}b.com.br
- {BLOCKED}a.com.br
- {BLOCKED}direto.com.br
- {BLOCKED}es.com.br
- wwws.{BLOCKED}medobrasil.com.br
- {BLOCKED}ento.com.br
- contaonline.{BLOCKED}di.coop.br
- with specific URL criteria for the following domains:
- {BLOCKED}rasil.com.br
- {BLOCKED}b.com.br
- {BLOCKED}a.gov.br
- It drops the following files:
-
It checks if the sample is executed in Brazil by checking and requiring at least two of the following:
- System is in Brazilian Timezone
- Between UTC-5 to UTC-2
- System Locale contains either of the following strings:
- "pt-br"
- "pt_br"
- "portuguese"
- "brazil"
- System Region is set to either of the following:
- Two Letter ISO RegionName = "BR"
- Three Letter ISO RegionName = "BRA"
- Region name = "brazil" or "brasil"
- System Time is set to Brazilian Format:
- "dd/mm/yyyy (Standard Brazilian)
- "dd/mm/yy" (Short year Brazilian)
- "dd/mm" (Minimal Brazilian)
- System is in Brazilian Timezone
- Which adds the following process twice to inject next stage to:
- It steals the following information:
- Computer Name
- OS Name and Version
- MAC Address
- 64 or 32-bit Processes
- Malware version
- Number of Monitors
- It sends the stolen information to the following C2 server:
- https://{BLOCKED}utions.com
- It accepts the following commands:
- INFOCLIENT → acquires system information and send to C2 server
- RECONNECT → Disconnect from the C2 server
- KILLAPPLICATION → Terminate itself
- SCREENSHOT → Capture screenshot of application window (not saved to disk, compressed using GZip then sent to C2 server)
- KEYLOGGER → Logs Key Strokes and Mouse Clicks done by the user
- MOUSECLICK → Allows mouse click to pass through an overlay
- KEYBOARDONECHAR → Receives a single keyboard character input from C2 server
- KEYBOARDMULTIPLESCHARS → Receives multiple keyboard characters input from C2 server
- TOOGLEDESKTOP → Capture screenshot of whole screen
- TOOGLEINTERN → Maximizes an application's window and then take a screenshot that will be sent to the C2 server
- GENERATEWINDOWLOCKED → Creates a fullscreen overlay window that completely blocks user access to their computer while displaying fake system messages
- FREECLIENT → Closes a fake system messages overlay window
- LISTALLHANDLESOPENEDS → Sends a list of information containing all visible application windows
- KILLPROCESS → Terminate an application by process handle
- CLOSEHANDLE → Close an application window by handle
- MINIMIZEHANDLE → Minimize an application window by handle
- MAXIMIZEHANDLE → Maximize an application window by handle
- RESTOREHANDLE → Restore an application window from minimized or maximized by handle
- GENERATEWINDOWREQUEST → Creates a fake banking security dialog that overlays the victim's screen to harvest sensitive information
- CANCELSCREENREQUEST →Closes fake banking security dialog and shows full screen fake system messages
- CHANGESCALETO100 → opens Windows display settings (if windows 11), navigates to a specific option (based on description, to change scale to 100%)
- To do this, it adds the following process and simulates calculated key presses:
- ms-settings:display
- Then terminates it using:
- taskkill /f /im SystemSettings.exe
- To do this, it adds the following process and simulates calculated key presses:
- ADJUST_QUALITY → Change the quality of the screenshot
- ADJUST_SCALE → Change the scale of the screenshot
- It does the following:
- Blocks user input restricting keyboard and mouse interactions.
- Presents fake system update notifications or security diagnostic screens.
- Create overlay windows that appear on top of legitimate banking websites to steal user credentials and authentication tokens.
- Displays fake input forms for passwords, electronic signatures, or QR codes.
- Checks for WhatsApp-related browser data and will terminate if such data is not found.
- It is capable of sending messages and ZIP files via WhatsApp.
対応方法
手順 1
Windows 7、Windows 8、Windows 8.1、および Windows 10 のユーザは、コンピュータからマルウェアもしくはアドウェア等を完全に削除するために、ウイルス検索の実行前には必ず「システムの復元」を無効にしてください。
手順 2
このマルウェアもしくはアドウェア等の実行により、手順中に記載されたすべてのファイル、フォルダおよびレジストリキーや値がコンピュータにインストールされるとは限りません。インストールが不完全である場合の他、オペレーティングシステム(OS)の条件によりインストールがされない場合が考えられます。手順中に記載されたファイル/フォルダ/レジストリ情報が確認されない場合、該当の手順の操作は不要ですので、次の手順に進んでください。
手順 3
以下のファイルを検索し削除します。
- %User Startup%\HealthApp-{6 Random Characters from Generated GUID}.bat
手順 4
最新のバージョン(エンジン、パターンファイル)を導入したウイルス対策製品を用い、ウイルス検索を実行してください。「Trojan.BAT.SORVEPOTEL.SMYAFJB」と検出したファイルはすべて削除してください。 検出されたファイルが、弊社ウイルス対策製品により既に駆除、隔離またはファイル削除の処理が実行された場合、ウイルスの処理は完了しており、他の削除手順は特にありません。
ご利用はいかがでしたか? アンケートにご協力ください