- %TEMP%\chrome.exe
- HKLM\software\microsoft\windows\currentversion\run[8ce73491bf190a3fd7028c92bd3331b1] "%TEMP%\chrome.exe"
- HKLM\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list [%TEMP%\chrome.exe]
Figure 1: DNS query to hackernople.no-ip.biz

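The three artifacts listed above (an executable dropped in %TEMP%, a Run-key value that launches it, and a Windows Firewall "authorized applications" entry for the same path) plus the dynamic-DNS C&C hostname are enough to write a simple host-and-log triage check. The script below is an added example for this write-up, not code from Dell SonicWALL; it assumes registry data has already been exported into (key, value name, data) tuples and that DNS logs are plain "timestamp client qname" lines, and all of its sample input is constructed here. It generalises slightly beyond the sample by also matching expanded Temp paths (e.g. C:\Users\...\Temp\x.exe), not only the literal %TEMP% string.

```python
import re
from dataclasses import dataclass

# Registry locations named in the write-up.
RUN_KEY = r"HKLM\software\microsoft\windows\currentversion\run"
FIREWALL_LIST_KEY = (
    r"HKLM\system\currentcontrolset\services\sharedaccess\parameters"
    r"\firewallpolicy\standardprofile\authorizedapplications\list"
)
# An .exe sitting directly in %TEMP% (literal or expanded, e.g. ...\Local\Temp\x.exe).
TEMP_EXE = re.compile(r"^(?:%temp%|[a-z]:\\(?:[^\\]+\\)*temp)\\[^\\]+\.exe$", re.IGNORECASE)
# Dynamic-DNS provider used by the sample's C&C host; not malicious by itself,
# but worth review when combined with the persistence findings above.
DYNDNS_SUFFIXES = (".no-ip.biz",)


@dataclass(frozen=True)
class Finding:
    source: str     # "registry" or "dns"
    indicator: str  # key\value or queried hostname
    reason: str


def check_registry(entries):
    """entries: iterable of (key, value_name, data) tuples.
    Assumed export format (hypothetical): the firewall list stores the
    executable path as the value *name*, as shown in the write-up."""
    findings = []
    for key, name, data in entries:
        key_l = key.lower()
        path = data.strip('"')
        if key_l == RUN_KEY.lower() and TEMP_EXE.match(path):
            findings.append(Finding("registry", f"{key}\\{name}",
                                    f"Run entry launches an executable from a Temp folder: {path}"))
        elif key_l == FIREWALL_LIST_KEY.lower() and TEMP_EXE.match(name):
            findings.append(Finding("registry", f"{key}\\{name}",
                                    "firewall exception granted to an executable in a Temp folder"))
    return findings


def check_dns(log_lines):
    """log_lines: 'timestamp client qname' strings (constructed format)."""
    findings = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # skip malformed lines rather than crash the sweep
        client, qname = parts[1], parts[2].rstrip(".").lower()
        if qname.endswith(DYNDNS_SUFFIXES):
            findings.append(Finding("dns", qname, f"dynamic-DNS lookup from {client}"))
    return findings


def triage(registry_entries, dns_lines):
    """Combine both checks into one list of findings."""
    return check_registry(registry_entries) + check_dns(dns_lines)


# Constructed sample input: the write-up's artifacts plus benign decoys.
SAMPLE_REGISTRY = [
    (RUN_KEY, "8ce73491bf190a3fd7028c92bd3331b1", '"%TEMP%\\chrome.exe"'),
    (RUN_KEY, "SecurityHealth", '"C:\\Windows\\system32\\SecurityHealthSystray.exe"'),
    (FIREWALL_LIST_KEY, "%TEMP%\\chrome.exe", "%TEMP%\\chrome.exe:*:Enabled:chrome"),
    (FIREWALL_LIST_KEY, "C:\\Program Files\\App\\app.exe", "C:\\Program Files\\App\\app.exe:*:Enabled:App"),
]
SAMPLE_DNS = [
    "2013-01-01T10:00:01 10.0.0.5 hackernople.no-ip.biz",   # constructed timestamp/client
    "2013-01-01T10:00:02 10.0.0.5 www.example.com",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_REGISTRY, SAMPLE_DNS):
        print(f"[{f.source}] {f.indicator}: {f.reason}")
```

Run against the constructed sample it reports the Run-key value, the firewall exception and the hackernople.no-ip.biz lookup, and stays silent on the decoy entries. The Temp-folder test is deliberately narrow (an .exe directly inside a Temp directory) to keep false positives from installers low; widen it to match your environment.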
It then begins sending information such as the current date, the victim's computer name, user name, operating system and IP address to a remote server:
Figure 2: Trojan sending personal information to a remote C&C server

We have also noticed the Trojan sending desktop screenshots to a remote server:
Figure 3: Trojan sending screenshots in a JPG format to a remote C&C server

This Trojan is capable of deleting files from a victim's machine. During our analysis, it deleted security tools such as Process Explorer (procexp.exe) and TCPView (tcpview.exe).
Figure 4: Trojan sending a confirmation of the removal of processes such as procexp.exe and tcpview.exe

It is also capable of downloading additional malicious components. During our analysis, it downloaded a password recovery tool called "WebBrowserPassView" onto the victim's machine and installed it. This tool can be used to reveal passwords stored in the victim's web browsers.
Figure 5: Packets showing the infected machine receiving an executable

Figure 6: Receiving command to execute and install WebBrowserPassView

Dell SonicWALL Gateway AntiVirus provides protection against this threat with the following signature:
- GAV: Barys.RAT (Trojan)
Source : Dell SonicWALL Security Center
Have a good time.
(Be knowledgeable, pass it on then)