Analysis by: Neljorn Nathaniel Aguas
 PLATFORM:

Windows

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 SYSTEM IMPACT RATING:
 INFORMATION EXPOSURE:

  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted: No

  • In the wild: Yes

  OVERVIEW

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

  TECHNICAL DETAILS

File Size: 675 bytes
File Type: BAT
Memory Resident: No
Initial Samples Received Date: 02 Oct 2025

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Download Routine

This Trojan connects to the following website(s) to download and execute a malicious file:

  • https://{BLOCKED}iveuser.com/api/itbi/startup/9a87c6c3017f48cfa4358a2ff50b2575
    • Receives a PowerShell script from the URL and loads a .NET DLL reflectively which does the following:
      • Checks if current process is executing as Admin
      • Terminates itself if found either of the following processes:
        • ollydebug
        • x64debug
        • windbg
        • immunity
        • ida
        • ghidra
        • wireshark
        • fiddler
        • burp
        • apimonitor
      • Shows the following if one of the mentioned processes is found:
  • Next stage:
    • https://{BLOCKED}iveuser.com/api/v1/{Hashed GUID-based Endpoint Identifier A} PowerShell script A
    • https://{BLOCKED}iveuser.com/api/v1/{Hashed GUID-based Endpoint Identifier B} PowerShell script B
      • Which adds the following process twice to inject next stage to:
        • %System%\WindowsPowerShell\v1.0\powershell_ise.exe
      • The executable from injected shellcode in PowerShell A does the following:
        • It drops the following files:
          • %User Startup%\HealthApp-{6 Random Characters from Generated GUID}.bat
        • It connects to the following URL to send information:
          • https://{BLOCKED}iveuser.com/api/warnings
        • It identifies running processes windows if it has navegador exclusivo bradesco then returns banco.braedsco
          • If not, it acquires the current URL from the following browsers:
            • chrome
            • firefox
            • msedge
            • brave
            • iexplore
        • It monitors for the following URLs from the mentioned web browsers:
          • {BLOCKED}rasil.com.br
          • {BLOCKED}b.com.br
          • {BLOCKED}a.gov.br
          • gerenciador.{BLOCKED}a.gov.br
          • loginx.{BLOCKED}a.gov.br
          • banco.{BLOCKED}co
          • {BLOCKED}co.com.br
          • cidadetran.{BLOCKED}co
          • ne12.{BLOCKED}conetempresa.b.br
          • {BLOCKED}e.com
          • {BLOCKED}obitcoin.com.br
          • {BLOCKED}ntrade.com.br
          • electrum
          • {BLOCKED}t.com.br
          • {BLOCKED}hain.com
          • accounts.{BLOCKED}e.com
          • pf.{BLOCKED}dernet.com.br
          • pj.{BLOCKED}dernetibe.com.br
          • {BLOCKED}u.com.br
          • {BLOCKED}i.com.br
          • ibpj.{BLOCKED}i.com.br
          • ibpf.{BLOCKED}i.com.br
          • nel.{BLOCKED}b.gov.br
          • {BLOCKED}ercadopago.com.br
          • meu.{BLOCKED}al.com.br
          • empresas.{BLOCKED}al.com.br
          • ibpj.{BLOCKED}al.com.br
          • {BLOCKED}ul.com.br
          • internetbanking.{BLOCKED}a.b.br
          • ib.{BLOCKED}a.b.br
          • www2s.{BLOCKED}mazonia.com.br
          • ecode.{BLOCKED}al.com.br
          • {BLOCKED}tildobrasil.com.br
          • {BLOCKED}e.com.br
          • {BLOCKED}an.com.br
          • {BLOCKED}d.com.br
          • {BLOCKED}a.com.br
          • {BLOCKED}mpresas.com.br
          • ib.{BLOCKED}e.com.br
          • {BLOCKED}e.com.br
          • {BLOCKED}mg.com.br
          • {BLOCKED}knet.brb.com.br
          • internetbanking.{BLOCKED}ol.com.br
          • {BLOCKED}co.com.br
          • {BLOCKED}isbank.com.br
          • {BLOCKED}an.com.br
          • {BLOCKED}s2.com.br
          • {BLOCKED}ibra.com.br
          • {BLOCKED}mebr.com.br
          • {BLOCKED}me.com.br
          • {BLOCKED}opazio.com.br
          • {BLOCKED}s.com
          • {BLOCKED}rect.com
          • {BLOCKED}es.b.br
          • {BLOCKED}nk.com.br
          • {BLOCKED}b.com.br
          • {BLOCKED}a.com.br
          • {BLOCKED}direto.com.br
          • {BLOCKED}es.com.br
          • wwws.{BLOCKED}medobrasil.com.br
          • {BLOCKED}ento.com.br
          • contaonline.{BLOCKED}di.coop.br
            • with specific URL criteria for the following domains:
              • {BLOCKED}rasil.com.br
              • {BLOCKED}b.com.br
              • {BLOCKED}a.gov.br
        • It checks if the sample is executed in Brazil by checking and requiring at least two of the following:
          • System is in Brazilian Timezone
            • Between UTC-5 to UTC-2
          • System Locale contains either of the following strings:
            • "pt-br"
            • "pt_br"
            • "portuguese"
            • "brazil"
          • System Region is set to either of the following:
            • Two Letter ISO RegionName = "BR"
            • Three Letter ISO RegionName = "BRA"
            • Region name = "brazil" or "brasil"
          • System Time is set to Brazilian Format:
            • "dd/mm/yyyy (Standard Brazilian)
            • "dd/mm/yy" (Short year Brazilian)
            • "dd/mm" (Minimal Brazilian)
      • It steals the following information:
        • Computer Name
        • OS Name and Version
        • MAC Address
        • 64 or 32-bit Processes
        • Malware version
        • Number of Monitors
      • It sends the stolen information to the following C2 server:
        • https://{BLOCKED}utions.com
      • It accepts the following commands:
        • INFOCLIENT → acquires system information and send to C2 server
        • RECONNECT → Disconnect from the C2 server
        • KILLAPPLICATION → Terminate itself
        • SCREENSHOT → Capture screenshot of application window (not saved to disk, compressed using GZip then sent to C2 server)
        • KEYLOGGER → Logs Key Strokes and Mouse Clicks done by the user
        • MOUSECLICK → Allows mouse click to pass through an overlay
        • KEYBOARDONECHAR → Receives a single keyboard character input from C2 server
        • KEYBOARDMULTIPLESCHARS → Receives multiple keyboard characters input from C2 server
        • TOOGLEDESKTOP → Capture screenshot of whole screen
        • TOOGLEINTERN → Maximizes an application's window and then take a screenshot that will be sent to the C2 server
        • GENERATEWINDOWLOCKED → Creates a fullscreen overlay window that completely blocks user access to their computer while displaying fake system messages
        • FREECLIENT → Closes a fake system messages overlay window
        • LISTALLHANDLESOPENEDS → Sends a list of information containing all visible application windows
        • KILLPROCESS → Terminate an application by process handle
        • CLOSEHANDLE → Close an application window by handle
        • MINIMIZEHANDLE → Minimize an application window by handle
        • MAXIMIZEHANDLE → Maximize an application window by handle
        • RESTOREHANDLE → Restore an application window from minimized or maximized by handle
        • GENERATEWINDOWREQUEST → Creates a fake banking security dialog that overlays the victim's screen to harvest sensitive information
        • CANCELSCREENREQUEST →Closes fake banking security dialog and shows full screen fake system messages
        • CHANGESCALETO100 → opens Windows display settings (if windows 11), navigates to a specific option (based on description, to change scale to 100%)
          • To do this, it adds the following process and simulates calculated key presses:
            • ms-settings:display
          • Then terminates it using:
            • taskkill /f /im SystemSettings.exe
        • ADJUST_QUALITY → Change the quality of the screenshot
        • ADJUST_SCALE → Change the scale of the screenshot
      • It does the following:
        • Blocks user input restricting keyboard and mouse interactions.
        • Presents fake system update notifications or security diagnostic screens.
        • Create overlay windows that appear on top of legitimate banking websites to steal user credentials and authentication tokens.
        • Displays fake input forms for passwords, electronic signatures, or QR codes.
        • Checks for WhatsApp-related browser data and will terminate if such data is not found.
        • It is capable of sending messages and ZIP files via WhatsApp.

  SOLUTION

Minimum Scan Engine: 9.800
FIRST VSAPI PATTERN FILE: 20.496.05
FIRST VSAPI PATTERN DATE: 02 Oct 2025
VSAPI OPR PATTERN File: 20.497.00
VSAPI OPR PATTERN Date: 03 Oct 2025

Step 1

Before doing any scans, Windows 7, Windows 8, Windows 8.1, and Windows 10 users must disable System Restore to allow full scanning of their computers.

Step 2

Note that not all files, folders, and registry keys and entries are installed on your computer during this malware's/spyware's/grayware's execution. This may be due to incomplete installation or other operating system conditions. If you do not find the same files/folders/registry information, please proceed to the next step.

Step 3

Search and delete this file

[ Learn More ]
There may be some files that are hidden. Please make sure you check the Search Hidden Files and Folders checkbox in the "More advanced options" option to include all hidden files and folders in the search result.
  • %User Startup%\HealthApp-{6 Random Characters from Generated GUID}.bat 

Step 4

Scan your computer with your Trend Micro product to delete files detected as Trojan.BAT.SORVEPOTEL.SMYAFJB. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check the following Trend Micro Support pages for more information:


Did this description help? Tell us how we did.