TrojanSpy.Win32.XTRAT.A

This Trojan Spy arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It does not have any propagation routine.

It connects to a website to send and receive information.

Arrival Details

This Trojan Spy arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan Spy creates the following folders:

• %Application Data%\Ypertiesvacd\Default\klogs\ → for storing keylogger logs
• %Application Data%\Ypertiesvacd\Default\slogs\ → for storing screenshot logs
• %Application Data%\Ypertiesvacd\Default\plugs\ → for storing browser plugin/extension data
• %Application Data%\Ypertiesvacd\Default\usbfiles\ → for storing stolen USB files
• %Application Data%\Ypertiesvacd\Default\MnemonicWord\ → for storing cryptocurrency seed phrases

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• F06CDD06E60F272F36ACF32FC64AE31250F53E3125D16CC826

Autostart Technique

This Trojan Spy adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
YpertiesvacdYpertiesvacd = {malware path}

Propagation

This Trojan Spy does not have any propagation routine.

Backdoor Routine

This Trojan Spy connects to the following websites to send and receive information:

• 202.{BLOCKED}:2869 ({BLOCKED}e.com)
• http://{BLOCKED}u.com/comments/add

Rootkit Capabilities

This Trojan Spy does not have rootkit capabilities.

Process Termination

This Trojan Spy terminates the following processes if found running in the affected system's memory:

• 360sd.exe
• 360se.exe
• 360tray.exe
• a2guard.exe
• adam.exe
• ad-watch.exe
• ananwidget.exe
• arcatasksservice.exe
• ashdisp.exe
• ast.exe
• avcenter.exe
• avg.exe
• avgauard.exe
• avgwdsvc.exe
• avk.exe
• avp.exe
• avwatchservice.exe
• baidusdsvc.exe
• beikesan.exe
• bkavservice.exe
• ccapp.exe
• ccsetmgr.exe
• ccsvchst.exe
• cksoftshiedantivirus4.exe
• cleaner8.exe
• cmctrayicon.exe
• coranticontrolcenter32.exe
• cpf.exe
• d_manage.exe
• egui.exe
• fortitray.exe
• f-prot.exe
• fsavgui.exe
• f-secure.exe
• fyfirewall.exe
• gg.exe
• hipstray.exe
• hwspanel.exe
• iptray.exe
• k7tsecurity.exe
• knsdtray.exe
• kpfwtray.exe
• ksafe.exe
• kswebshield.exe
• kvmonxp.exe
• kxetray.exe
• lenovotray.exe
• mcshield.exe
• mongoosagui.exe
• mpmon.exe
• msmpeng.exe
• mssecess.exe
• nspupsvc.exe
• outpost.exe
• parmor.exe
• patray.exe
• pfw.exe
• psafesystray.exe
• qqpcrtp.exe
• quhlpsvc.exe
• ravmond.exe
• remupd.exe
• rfwmain.exe
• rtvscan.exe
• safedog.exe
• safedogtray.exe
• savprogress.exe
• sbamsvc.exe
• servudaemon.exe
• spidernt.exe
• spywareterminatorshield.exe
• tmbmsrv.exe
• trojanhunter.exe
• unthreat.exe
• v3svc.exe
• vba32lder.exe
• vsmon.exe
• vsserv.exe
• yunsuo_agent_daemon.exe

Information Theft

This Trojan Spy gathers the following data:

• System Information:
  • Computer Name
  • User Name
  • OS Version
  • System Info
  • Memory Status
  • Disk Space
  • Window Titles
  • CPU Info
  • Hardware IDs
• Browser Credentials:
  
  • Google Chrome
  • Microsoft Edge
  • Brave Browser
  • 360 Secure Browser (360se6)
  • Sogou Explorer
  • Tencent QQBrowser
  • GPT Browser (SPChrome)
  • Internet Explorer
• If the following cryptocurrency wallet and 2FA browser extensions exist in the affected system:
  • MetaMask
  • Phantom
  • Binance Chain Wallet
  • Trust Wallet
  • Coinbase Wallet
  • Ronin Wallet
  • Keplr Wallet
  • Rabby Wallet
  • Math Wallet
  • Coin98 Wallet
  • XDEFI Wallet
  • Maiar DeFi Wallet
  • TON Wallet
  • Leap Cosmos Wallet
  • Oasis Wallet
  • OKX Web3 Wallet
  • Sui Wallet
  • Temple Wallet
  • Petra Wallet
  • Martian Wallet
  • Fewcha Move Wallet
  • Pontem Wallet
  • Typhon Wallet
  • Wombat Gaming Wallet
  • Keeper Wallet
  • Exodus Web3 Wallet
  • BitKeep Wallet
  • UniSat Wallet
  • Sentinel X Wallet
  • Carbon Wallet
  • ZEON Wallet
  • Avana Wallet
  • Nitrogen Wallet
  • Meteor Wallet
  • TronLink
  • Flint Wallet
  • Solflare Wallet
  • Sender Wallet
  • KardiaChain Wallet
  • Clover Wallet
  • Terra Station Wallet
  • Nabox Wallet
  • MWC Wallet
  • Stash Wallet
  • JustLiquidity Wallet
  • Crypto.com DeFi Wallet
  • Terra Station Classic
  • ONTO Wallet
  • Math Wallet Chrome
  • Authenticator
  • Math Wallet Firefox
  • Crocobit Wallet
  • Mobox Wallet
  • Neon Wallet
  • Ambire Wallet
  • XVERSE Wallet
  • SafeMoon Wallet
  • Ternoa Wallet
  • Hashpack Wallet
  • LOBSTR Wallet
  • XUMM Wallet
  • Swash Wallet
  • Elastos Essentials Wallet
  • Saifu Wallet
• Messaging Applications:
  • Telegram
  • WeChat
  • ICQ
• Mnemonic/seed phrase → cryptocurrency seed phrases

Other Details

This Trojan Spy adds the following registry keys:

HKEY_CURRENT_USER\Software\GFE70424A125TH
ConnectIp = {C2 Server}

HKEY_CURRENT_USER\Software\GFE70424A125TH
OffKeyLog =

HKEY_CURRENT_USER\Software\GFE70424A125TH
InjectProcess =

HKEY_CURRENT_USER\Software\GFE70424A125TH
ReplaceClipboard =

HKEY_CURRENT_USER\Software\GFE70424A125TH
CopyUSBDeviceFiles =

HKEY_CURRENT_USER\Software\GFE70424A125TH
MonitoringAPI =

HKEY_CURRENT_USER\Software\GFE70424A125TH
ShareExclusive =

HKEY_CURRENT_USER\Software\GFE70424A125TH
LoginName =

HKEY_CURRENT_USER\Software\GFE70424A125TH
LoginGroup =

HKEY_CURRENT_USER\Software\GFE70424A125TH
E31FFE70423 =

It does the following:

• It has the following backdoor capabilities:
  • Keylogging
  • Clipboard Hijacking
  • Network Packet Sniffing
  • Video/Webcam Capture
  • USB File Monitoring
  • Screenshot Capture
  • Process injection (explorer.exe, svchost.exe, notepad.exe)
  • RDP enablement with firewall bypass
  • PowerShell/CMD/WMI command execution

It does not exploit any vulnerability.