It was done for someone to see how it works, and I am sharing it with you.
bot.exe
- OEP: 0040DCA0
- COMPILER: Borland Delphi 6.0 – 7.0
- MD5: 8a849d20c0a954f45566cec53acc9263
- SHA-1: 764c29fd18c3f3c4d9ba3fe394655f2ed2ec0c01
- Injects into remote processes: injected into "explorer.exe"
Drops files:
giep.exe
- MD5: 769919e56bd4e9e1e906559c1c36bdf6
- SHA-1: 39ed72d34e02e1674742cb47bbd6ebdad13f7931
- Reg: HKU\S-1-5-21-2442644137-1929233181-142757687-1000\Software\Microsoft\Windows\CurrentVersion\Run\{74A201A8-2DEE-69F0-F124-27DF3D9773DA}: "C:\Users\Insider\AppData\Roaming\Qioho\giep.exe"
- VirusTotal: https://www.virustotal.com/#/file/5069bc991ff37817bb05e6bb453c9c44d22ef2719bb0d4f72a3ca30c544f040c/detection
- Same attributes as bot.exe
Some of the operations performed by bot.exe:
- CreateFile
- RegOpenKey
- RegisterClass
- CoCreate
- CreateThread
- RegCreateKey
- RegSetValue
- ProcessStarted
Network traffic:
It sends the stolen data with HTTP POST requests when the victim visits a bank account, PayPal, etc.
Botnet host directory and login page:
H**p://xxx.xxx/adminpanel/admin.php
Removal is easy. You just have to follow the paths to find the dropped executables and delete the registry entries that were created.
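As an added defender-side example (not code from the original post): a small Python check that scans a `.reg` export of the user's Run key for the persistence pattern described above (a GUID-named value whose data points into AppData\Roaming) and compares a file's MD5/SHA-1 against the hashes listed for bot.exe and giep.exe. The export text below is constructed from the key in the post; the OneDrive entry is a made-up benign control.

```python
import hashlib
import re

# Indicators taken from the analysis above (bot.exe and the dropped giep.exe).
KNOWN_HASHES = {
    "md5": {"8a849d20c0a954f45566cec53acc9263", "769919e56bd4e9e1e906559c1c36bdf6"},
    "sha1": {"764c29fd18c3f3c4d9ba3fe394655f2ed2ec0c01",
             "39ed72d34e02e1674742cb47bbd6ebdad13f7931"},
}

# Persistence pattern from the post: a Run value named like a GUID whose data
# points into AppData\Roaming. A .reg export doubles every backslash.
GUID_NAME = re.compile(r'^"\{[0-9A-Fa-f-]{36}\}"=')
ROAMING = re.compile(r'appdata\\\\roaming\\\\', re.IGNORECASE)

# Constructed .reg export of the key named in the post (not a real capture).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_USERS\S-1-5-21-2442644137-1929233181-142757687-1000\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\Insider\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"{74A201A8-2DEE-69F0-F124-27DF3D9773DA}"="C:\\Users\\Insider\\AppData\\Roaming\\Qioho\\giep.exe"
'''


def suspicious_run_values(reg_export: str):
    """Return (value name, path) pairs for GUID-named Run values under AppData\\Roaming."""
    hits = []
    for line in reg_export.splitlines():
        line = line.strip()
        if GUID_NAME.match(line) and ROAMING.search(line):
            name, _, data = line.partition("=")
            # Undo the .reg export's doubled backslashes to get the real path.
            hits.append((name.strip('"'), data.strip('"').replace("\\\\", "\\")))
    return hits


def hash_matches(data: bytes):
    """Hash file contents and report which of the listed MD5/SHA-1 values they match."""
    md5 = hashlib.md5(data).hexdigest()
    sha1 = hashlib.sha1(data).hexdigest()
    return {
        "md5": md5 if md5 in KNOWN_HASHES["md5"] else None,
        "sha1": sha1 if sha1 in KNOWN_HASHES["sha1"] else None,
    }


if __name__ == "__main__":
    for name, path in suspicious_run_values(SAMPLE_EXPORT):
        print(f"suspicious Run value {name} -> {path}")
```

To check a dropped file, pass its bytes to `hash_matches`; any non-None field means the file matches one of the listed samples.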