TrojanSpy.Win64.RHADAMANTHYS.B

This Trojan Spy arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

As of this writing, the said sites are inaccessible.

Arrival Details

This Trojan Spy arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan Spy drops the following files:

• %AppDataLocal%\Microsoft\{Random}.exe

(Note: %AppDataLocal% is the Local Application Data folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It adds the following processes:

• "%Windows%\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

(Note: %Windows% is the Windows folder, where it usually is C:\Windows on all Windows operating system versions.)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• MSCTF.Asm.{00000009-4fb3f26-9d18-66b568-627b8a85e4b6}

It terminates itself if it finds the following processes in the affected system's memory:

• procexp.exe
• procexp64.exe
• tcpview.exe
• tcpview64.exe
• Procmon.exe
• Procmon64.exe
• vmmap.exe
• vmmap64.exe
• portmon.exe
• processlasso.exe
• Wireshark.exe
• Fiddler Everywhere.exe
• Fiddler.exe
• ida.exe
• ImmunityDebugger.exe
• WinDump.exe
• x64dbg.exe
• x32dbg.exe
• OllyDbg.exe
• ProcessHacker.exe
• idaq64.exe
• autoruns.exe
• dumpcap.exe
• de4dot.exe
• hookexplorer.exe
• ilspy.exe
• lordpe.exe
• dnspy.exe.
• petools.exe
• autorunsc.exe
• resourcehacker.exe
• filemon.exe
• regmon.exe
• windanr.exe
• ida64.exe

Autostart Technique

This Trojan Spy drops the following file(s) in the Startup Items folder to enable its automatic execution at every system startup:

• %User Startup%\Update.exe

(Note: %User Startup% is the current user's Startup folder, which is usually C:\Windows\Profiles\{user name}\Start Menu\Programs\Startup on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Start Menu\Programs\Startup on Windows NT, C:\Documents and Settings\{User name}\Start Menu\Programs\Startup on Windows 2003(32-bit), XP and 2000(32-bit), or C:\Users\{user name}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit), 10(64-bit).)

Other System Modifications

This Trojan Spy adds the following registry entries:

HKEY_CURRENT_USER\Software\SibCode
sn = 1696220900

Download Routine

This Trojan Spy connects to the following website(s) to download and execute a malicious file:

• http://{BLOCKED}.{BLOCKED}.{BLOCKED}.8889/409cd9f3b98c7e6e96e/84x7k7op.1fspl
• http://{BLOCKED}.{BLOCKED}.{BLOCKED}.172/forum/images/159.exe

As of this writing, the said sites are inaccessible.

Information Theft

This Trojan Spy gathers the following data:

• Default Language
• Locale
• Gathers information from:
  • Browsers:
    • Coc CoC
    • Pale Moon
    • Sleipnir5
    • Opera
    • Chrome
    • Twinkstar
    • Firefox
    • Edge
    • K-Meleon
  • FTP Clients:
    • FileZilla
    • CoreFTP
    • WinSCP
  • VPN:
    • OpenVPN
  • Messaging Applications:
    • Telegram
  • Email Applications:
    • Thunderbird
    • Foxmail
    • Outlook
    • The BAT
  • Password Manager:
    • KeePass
  • Others:
    • Discord
    • Steam
    • Stickynotes
    • Simple Sticky Notes
  • Wallets:
    • Ronin
    • MetaMask
    • Vigvam
    • OKEx Wallet
    • Keplr
    • Avana Wallet
    • Ethereum
    • Electrum
    • Dogecoin
    • Litecoin
    • Monero
    • Qtum
    • Armory
    • Bytecoin
    • Binance
    • Electron
    • Solar Wallet
    • Zap
    • WalletWasabi
    • Zcash
• Browser Extensions:
  • Autofill data
  • Browser data (login information, cookies) relating to the following wallets:
    • MyTonWallet
    • Exodus Wallet
    • Trust Wallet
    • ZilPay Wallet
    • MetaMask
    • Bitcoin
    • Flint Wallet
    • X-Wallet
    • Stargazer Wallet
    • Theta Wallet
    • BitKeep
    • PaliWallet
    • TON Wallet
    • KardiaChain Wallet
    • Fractal Wallet
    • ArConnect
    • Swash
    • Nash
    • XDEFI Wallet
    • BitClip
    • DAppPlay
    • LeafWallet
    • OneKey
    • Byone
    • Cyano Wallet
    • TexBox - Tezos Wallet
    • Temple - Tezos Wallet
    • KHC
    • Nabox Wallet
    • ICONex
    • Polymesh Wallet
    • Auro Wallet
    • Keplr
    • Clover Wallet
    • NeoLine
    • Saturn Wallet
    • MEW CX
    • iWallet
    • Oasis Wallet
    • Goby
    • StarMask
    • Eternl
    • Wombat
    • Hycon Lite Client
    • Crypto.com
    • Keeper Wallet
    • Terra Station Wallet
    • SteemKeychain
    • Jaxx Liberty
    • ZilPay
    • Yoroi Wallet
    • Ronin Wallet
    • Rabet
    • Auvitas Wallet
    • Liquality Wallet
    • Nifty Wallet
    • Oxygen - Atomic Crypto Wallet
    • Crocobit Wallet
    • Finnie
    • Slope Wallet
    • XDCPay
    • Solflare Wallet
    • Sollet
    • GuildWallet
    • Guarda
    • BitApp Wallet
    • Math Wallet
    • OKEx Wallet
    • EQUAL Wallet
    • MOBOX WALLET
    • Phantom
    • Coinbase Wallet
    • TronLink
    • MetaMask
    • Binance Wallet
    • Coin98 Wallet
  • Saved credit cards
  • Login information
  • Browser cookies
  • Browsing history
  • Bookmarks
  • Download history

Other Details

This Trojan Spy adds the following registry keys:

HKEY_CURRENT_USER\Software\SibCode

It does the following:

• It disables the display of error message box.
• It checks for suspicious code hooks in the system.
• It manipulates exception handling.
• It checks if the following mutexes are present:
  • Global\MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620}
  • Session\1\MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620}
  • Session\2\MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620}
  • Session\3\MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620}
  • Session\4\MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620}
  • Session\5\MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620}
  • Session\6\MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620}
  • Session\7\MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620}
  • Session\8\MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620}
• It terminates itself if any of the following are satisfied:
  • If the file name of the executed binary matches any the following:
    • sample.exe
    • bot.exe
    • sandbox.exe
    • malware.exe
    • text.exe
    • klavme.exe
    • myapp.exe
    • testapp.exe
  • If the length of the file name is equal to the following:
    • 32 → length of MD5 hash
    • 40 → length of SHA1 hash
    • 64 → length of SHA256 hash
  • If the host name matches any of the following:
    • SANDBOX
    • 7SILVIA
    • HANSPETER-PC
    • JOHN-PC
    • MUELLER-PC
    • WIN7-TRAPS
    • FORTINET
    • TEQUILABOOMBOOM
  • If the user name matches any of the following:
    • CurrentUser
    • Sandbox
    • Emily
    • HAPUBWS
    • Hong Lee
    • IT-ADMIN
    • Johnson
    • Miller
    • milozs
    • Peter Wilson
    • timmy
    • user
    • sand box
    • malware
    • maltest
    • test user
    • virus
    • John Doe
  • If the user name is Wilber and computer name starts with SC or SW.
  • If the user name is admin and the computer name is SystemIT.
  • If the user name is admin and the computer name is KLONE_X64-PC.
  • If the user name is John and the following files are present:
    • C:\take_screenshot.exe
    • C:\loaddll.exe
  • If all of the following files are present:
    • C:\email.doc
    • C:\email.htm
    • C:\123\email.doc
    • C:\123\email.docx
  • If all of the following files are present:
    • C:\a\foobar.bmp
    • C:\a\foobar.doc
    • C:\a\foobar.gif
  • If the vendor ID matches any of the following:
    • KVMKVMKVM
    • Microsoft Hv
    • VMwareVMware
    • XenVMMXenVMM
    • prl hyperv
    • Parallels Hv
    • VBoxVBoxVBox
  • If known sandbox IDs are present in the following registry keys:
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControLSet\Enum\IDE
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControLSet\Enum\SCSI
    where the sandbox IDs could be any of the following:
    • qemu
    • virtio
    • vmware
    • vbox
    • xen
    • VMW
    • Virtual
  • If it finds the following virtual devices in the affected system:
    • \.\VBoxMiniRdrDN
    • \.\VBoxGuest
    • \.\VBoxTrayIPC
    • \.\pipe\VBoxMiniRdDN
    • \.\pipe\VBoxTrayIPC
  • If the following strings are found on windows or classes:
    • VBoxTrayToolWndClass
    • VBoxTrayToolWnd
  • If the following strings are found on the system information:
    • VirtualBox
    • vbox
    • VBOX
    • VMware
    • VMWARE
    • QEMU
    • qemu
    • BOCHS
    • BXPC
  • If it finds the following virtual machine/sandbox network shares in the affected system:
    • VirtualBox Shared Folders
  • If it finds the following virtual machine/sandbox file artifacts in the affected system:
    • %System%\drivers\VBoxMouse.sys
    • %System%\drivers\VBoxGuest.sys
    • %System%\drivers\VBoxSF.sys
    • %System%\drivers\VBoxVideo.sys
    • %System%\vboxdisp.dll
    • %System%\vboxhook.dll
    • %System%\vboxmrxnp.dll
    • %System%\vboxogl.dll
    • %System%\vboxoglarrayspu.dll
    • %System%\vboxoglcrutil.dll
    • %System%\vboxoglerrorspu.dll
    • %System%\vboxoglfeedbackspu.dll
    • %System%\vboxoglpackspu.dll
    • %System%\vboxoglpassthroughspu.dll
    • %System%\vboxservice.exe
    • %System%\vboxtray.exe
    • %System%\VBoxControl.exe
    • %System%\drivers\balloon.sys
    • %System%\drivers\netkvm.sys
    • %System%\drivers\pvpanic.sys
    • %System%\drivers\viofs.sys
    • %System%\drivers\viogpudo.sys
    • %System%\drivers\vioinput.sys
    • %System%\drivers\viorng.sys
    • %System%\drivers\vioscsi.sys
    • %System%\drivers\vioser.sys
    • %System%\drivers\viostor.sys
  • if it finds the following virtual machine/sandbox directory artifacts in the affected system:
    • %Program Files%\Virtio-Win\
    • %Program Files%\qemu-ga
    • %Program Files%\SPICE Guest Tools
  • if it finds the following virtual machine/sandbox processes in the affected system's memory:
    • vboxservice.exe
    • vboxtray.exe
    • vmtoolsd.exe
    • vmwaretray.exe
    • vmwareuser.exe
    • VGAuthService.exe
    • vmacthlp.exe
    • qemu-ga.exe
    • vdagent.exe
    • vdservice.exe
  • If the following strings are found in the Win32_ComputerSystem manufacturer:
    • VMware
    • Xen
    • innotek GmbH
    • QEMU
  • If the following strings are found in the Win32_ComputerSystem model:
    • VirtualBox
    • HVM domU
    • VMware
  • If the following strings are found in the Win32_BIOS serial number:
    • VMWare
    • Parallels
    • XenVirtual
    • A M I
  • If the following strings are found in the Disk Device Driver hardware ID:
    • vbox
    • vmware
    • qemu
    • virtual
  • If the following strings are found in the Win32_PnPEntity device ID:
    • PCI\VEN_80EE&DEV_CAFE
  • If the following strings are found in the Win32_PnPEntity name:
    • 82801FB
    • 82441FX
    • 82371SB
    • OpenHCD
  • If the following strings are found in the Win32_PnPDevice Name and Caption:
    • VBOX
  • If the following strings are found in the Win32_PnPDevice PNPDeviceID:
    • VEN_VBOX
  • If the following strings are found in the Win32_Bus name:
    • ACPIBus_BUS_0
    • PCI_BUS_0
    • PNP_BUS_0
  • If the following strings are found in the Win32_BaseBoard product:
    • VirtualBox
  • If the following strings are found in the Win32_BaseBoard manufacturer:
    • Oracle Corporation
  • If the following strings are found in the Win32_NTEventlogFile FileName and Sources:
    • vboxvideo
    • VBoxVideoW8
    • VBoxWddm
• It checks if process is running in a 64 bit environment:
  • If yes,
    • It searches and manipulates the following module:
      • aswhook.dll
    • If not found:
      • It searches and manipulates files with the following strings in their file name:
        • 360SelfProtection
        • BdDci
        • rtp_process_monitor
        • klkbdflt

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.. %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000(32-bit), Server 2003(32-bit), XP, Vista(64-bit), 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit) , or C:\Program Files (x86) in Windows XP(64-bit), Vista(64-bit), 7(64-bit), 8(64-bit), 8.1(64-bit), 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It checks if the following virtual machine or sandbox related module(s) is loaded in the affected system:

• avghookx.dll
• avghooka.dll
• snxhk.dll
• sbiedll.dll
• dbghelp.dll
• api_log.dll
• dir_watch.dll
• pstorec.dll
• vmcheck.dll
• wpespy.dll
• cmdvrt64.dll
• cmdvrt32.dll

It checks if the following virtual machine- or sandbox-related registry keys are present in the affected system:

HKEY_LOCAL_MACHINE\HARDWARE\ACPI\
DSDT\VBOX__

HKEY_LOCAL_MACHINE\HARDWARE\ACPI\
FADT\VBOX__

HKEY_LOCAL_MACHINE\HARDWARE\ACPI\
RSDT\VBOX__

HKEY_LOCAL_MACHINE\SOFTWARE\Oracle\
VirtualBox Guest Additions

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\VBoxGuest

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\VBoxMouse

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\VBoxService

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\VBoxSF

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\VBoxVideo

HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\
VMware Tools

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\vioscsi

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\viostor

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\VirtIO-FS Service

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\VirtioSerial

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\BALLOON

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\BalloonService

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\netkvm

It checks if the following virtual machine- or sandbox-related registry entries are present in the affected system:

HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\
Scsi\Scsi Port 0\Scsi Bus 0\
Target Id 0\Logical Unit Id 0
Identifier = VBOX

HKEY_LOCAL_MACHINE\HARDWARE\Description\
System
SystemBiosVersion = VBOX

HKEY_LOCAL_MACHINE\HARDWARE\Description\
System
VideoBiosVersion = VIRTUALBOX

HKEY_LOCAL_MACHINE\HARDWARE\Description\
System
SystemBiosDate = 06/23/99

HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\
Scsi\Scsi Port 0\Scsi Bus 0\
Target Id 0\Logical Unit Id 0
Identifier = VMWARE

HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\
Scsi\Scsi Port 1\Scsi Bus 0\
Target Id 0\Logical Unit Id 0
Identifier = VMWARE

HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\
Scsi\Scsi Port 2\Scsi Bus 0\
Target Id 0\Logical Unit Id 0
Identifier = VMWARE

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SystemInformation
SystemProductName = VMWARE

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SystemInformation
SystemManufacturer = VMWARE

HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\
Scsi\Scsi Port 0\Scsi Bus 0\
Target Id 0\Logical Unit Id 0
Identifie = QEMU

HKEY_LOCAL_MACHINE\HARDWARE\Description\
System
SystemBiosVersion = QEMU