Trojan.BAT.SORVEPOTEL.SMYAFJB

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Download Routine

This Trojan connects to the following website(s) to download and execute a malicious file:

• https://{BLOCKED}iveuser.com/api/itbi/startup/9a87c6c3017f48cfa4358a2ff50b2575
  • Receives a PowerShell script from the URL and loads a .NET DLL reflectively which does the following:
    • Checks if current process is executing as Admin
    • Terminates itself if found either of the following processes:
      • ollydebug
      • x64debug
      • windbg
      • immunity
      • ida
      • ghidra
      • wireshark
      • fiddler
      • burp
      • apimonitor
    • Shows the following if one of the mentioned processes is found:
      
• Next stage:
  • https://{BLOCKED}iveuser.com/api/v1/{Hashed GUID-based Endpoint Identifier A} → PowerShell script A
  • https://{BLOCKED}iveuser.com/api/v1/{Hashed GUID-based Endpoint Identifier B} → PowerShell script B
    • Which adds the following process twice to inject next stage to:
      • %System%\WindowsPowerShell\v1.0\powershell_ise.exe
    • The executable from injected shellcode in PowerShell A does the following:
      • It drops the following files:
        • %User Startup%\HealthApp-{6 Random Characters from Generated GUID}.bat
      • It connects to the following URL to send information:
        • https://{BLOCKED}iveuser.com/api/warnings
      • It identifies running processes windows if it has navegador exclusivo bradesco then returns banco.braedsco
        • If not, it acquires the current URL from the following browsers:
          • chrome
          • firefox
          • msedge
          • brave
          • iexplore
      • It monitors for the following URLs from the mentioned web browsers:
        • {BLOCKED}rasil.com.br
        • {BLOCKED}b.com.br
        • {BLOCKED}a.gov.br
        • gerenciador.{BLOCKED}a.gov.br
        • loginx.{BLOCKED}a.gov.br
        • banco.{BLOCKED}co
        • {BLOCKED}co.com.br
        • cidadetran.{BLOCKED}co
        • ne12.{BLOCKED}conetempresa.b.br
        • {BLOCKED}e.com
        • {BLOCKED}obitcoin.com.br
        • {BLOCKED}ntrade.com.br
        • electrum
        • {BLOCKED}t.com.br
        • {BLOCKED}hain.com
        • accounts.{BLOCKED}e.com
        • pf.{BLOCKED}dernet.com.br
        • pj.{BLOCKED}dernetibe.com.br
        • {BLOCKED}u.com.br
        • {BLOCKED}i.com.br
        • ibpj.{BLOCKED}i.com.br
        • ibpf.{BLOCKED}i.com.br
        • nel.{BLOCKED}b.gov.br
        • {BLOCKED}ercadopago.com.br
        • meu.{BLOCKED}al.com.br
        • empresas.{BLOCKED}al.com.br
        • ibpj.{BLOCKED}al.com.br
        • {BLOCKED}ul.com.br
        • internetbanking.{BLOCKED}a.b.br
        • ib.{BLOCKED}a.b.br
        • www2s.{BLOCKED}mazonia.com.br
        • ecode.{BLOCKED}al.com.br
        • {BLOCKED}tildobrasil.com.br
        • {BLOCKED}e.com.br
        • {BLOCKED}an.com.br
        • {BLOCKED}d.com.br
        • {BLOCKED}a.com.br
        • {BLOCKED}mpresas.com.br
        • ib.{BLOCKED}e.com.br
        • {BLOCKED}e.com.br
        • {BLOCKED}mg.com.br
        • {BLOCKED}knet.brb.com.br
        • internetbanking.{BLOCKED}ol.com.br
        • {BLOCKED}co.com.br
        • {BLOCKED}isbank.com.br
        • {BLOCKED}an.com.br
        • {BLOCKED}s2.com.br
        • {BLOCKED}ibra.com.br
        • {BLOCKED}mebr.com.br
        • {BLOCKED}me.com.br
        • {BLOCKED}opazio.com.br
        • {BLOCKED}s.com
        • {BLOCKED}rect.com
        • {BLOCKED}es.b.br
        • {BLOCKED}nk.com.br
        • {BLOCKED}b.com.br
        • {BLOCKED}a.com.br
        • {BLOCKED}direto.com.br
        • {BLOCKED}es.com.br
        • wwws.{BLOCKED}medobrasil.com.br
        • {BLOCKED}ento.com.br
        • contaonline.{BLOCKED}di.coop.br
        • with specific URL criteria for the following domains:
          • {BLOCKED}rasil.com.br
          • {BLOCKED}b.com.br
          • {BLOCKED}a.gov.br
      • It checks if the sample is executed in Brazil by checking and requiring at least two of the following:
        • System is in Brazilian Timezone
          • Between UTC-5 to UTC-2
        • System Locale contains either of the following strings:
          • "pt-br"
          • "pt_br"
          • "portuguese"
          • "brazil"
        • System Region is set to either of the following:
          • Two Letter ISO RegionName = "BR"
          • Three Letter ISO RegionName = "BRA"
          • Region name = "brazil" or "brasil"
        • System Time is set to Brazilian Format:
          • "dd/mm/yyyy (Standard Brazilian)
          • "dd/mm/yy" (Short year Brazilian)
          • "dd/mm" (Minimal Brazilian)
    • It steals the following information:
      • Computer Name
      • OS Name and Version
      • MAC Address
      • 64 or 32-bit Processes
      • Malware version
      • Number of Monitors
    • It sends the stolen information to the following C2 server:
      • https://{BLOCKED}utions.com
    • It accepts the following commands:
      • INFOCLIENT → acquires system information and send to C2 server
      • RECONNECT → Disconnect from the C2 server
      • KILLAPPLICATION → Terminate itself
      • SCREENSHOT → Capture screenshot of application window (not saved to disk, compressed using GZip then sent to C2 server)
      • KEYLOGGER → Logs Key Strokes and Mouse Clicks done by the user
      • MOUSECLICK → Allows mouse click to pass through an overlay
      • KEYBOARDONECHAR → Receives a single keyboard character input from C2 server
      • KEYBOARDMULTIPLESCHARS → Receives multiple keyboard characters input from C2 server
      • TOOGLEDESKTOP → Capture screenshot of whole screen
      • TOOGLEINTERN → Maximizes an application's window and then take a screenshot that will be sent to the C2 server
      • GENERATEWINDOWLOCKED → Creates a fullscreen overlay window that completely blocks user access to their computer while displaying fake system messages
      • FREECLIENT → Closes a fake system messages overlay window
      • LISTALLHANDLESOPENEDS → Sends a list of information containing all visible application windows
      • KILLPROCESS → Terminate an application by process handle
      • CLOSEHANDLE → Close an application window by handle
      • MINIMIZEHANDLE → Minimize an application window by handle
      • MAXIMIZEHANDLE → Maximize an application window by handle
      • RESTOREHANDLE → Restore an application window from minimized or maximized by handle
      • GENERATEWINDOWREQUEST → Creates a fake banking security dialog that overlays the victim's screen to harvest sensitive information
      • CANCELSCREENREQUEST →Closes fake banking security dialog and shows full screen fake system messages
      • CHANGESCALETO100 → opens Windows display settings (if windows 11), navigates to a specific option (based on description, to change scale to 100%)
        • To do this, it adds the following process and simulates calculated key presses:
          • ms-settings:display
        • Then terminates it using:
          • taskkill /f /im SystemSettings.exe
      • ADJUST_QUALITY → Change the quality of the screenshot
      • ADJUST_SCALE → Change the scale of the screenshot
    • It does the following:
      • Blocks user input restricting keyboard and mouse interactions.
      • Presents fake system update notifications or security diagnostic screens.
      • Create overlay windows that appear on top of legitimate banking websites to steal user credentials and authentication tokens.
      • Displays fake input forms for passwords, electronic signatures, or QR codes.
      • Checks for WhatsApp-related browser data and will terminate if such data is not found.
      • It is capable of sending messages and ZIP files via WhatsApp.