- 1c1e9e653f0ff4d84d2f69625668855ec290ca36 (autoit)
- 849784d60b2c578ca0c15aafa4076954b0449a44 (app.exe)
- 28956e86ad000d8ec470e69f3c13f93924193ed9 (scanner.exe)
- 48f977787a76752ce869b9eb590b1999f6151230 (cloud.exe)
A spyware Trojan for devices running Microsoft Windows.
Written in the AutoIt scripting language. It saves the following files to disk and launches them:
A script written in Python and converted into an executable file using py2exe. Overall, it is identical to Trojan.PWS.Stealer.23700, except that:
- It does not search for browser installation folders but extracts them from the files LOGINSDATALIST.txt and COOKIEDATALIST.txt that are generated by the module scanner.exe;
- It does not generate a ZIP archive with stolen files;
- It does not independently send data to pcloud.
A module written in Go. It scans drives for directories that contain the password databases and cookies of Chromium-based browsers. Detected directories are written to the files LOGINSDATALIST.txt and COOKIEDATALIST.txt respectively.
A module that generates a ZIP archive with the stolen files and data. It obtains the IP address of the infected device by sending a request to the service http://checkip.amazonaws.com, then uploads the archive to the pcloud.com account registered by the cybercriminals.
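For triage, the indicators in this description can be swept for on a suspect host. The following is an added example, not code from the original page: it matches files against the four SHA-1 values listed above and looks for the scanner module's two working files. The one-directory-per-line file format, the 64 MiB hashing limit and the function names are assumptions.

```python
import hashlib
import os

# SHA-1 values and names exactly as listed on this page.
KNOWN_SHA1 = {
    "1c1e9e653f0ff4d84d2f69625668855ec290ca36": "autoit",
    "849784d60b2c578ca0c15aafa4076954b0449a44": "app.exe",
    "28956e86ad000d8ec470e69f3c13f93924193ed9": "scanner.exe",
    "48f977787a76752ce869b9eb590b1999f6151230": "cloud.exe",
}
# Working files written by the scanner module, per the description.
ARTIFACTS = {"loginsdatalist.txt", "cookiedatalist.txt"}
MAX_HASH_BYTES = 64 * 1024 * 1024  # assumption: skip hashing larger files


def sha1_of(path):
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()


def listed_dirs(path):
    # Assumption: one directory per line; the page does not give the format.
    with open(path, "r", encoding="utf-8", errors="replace") as f:
        return [line.strip() for line in f if line.strip()]


def sweep(root, known_sha1=KNOWN_SHA1):
    """Return (kind, label, path, detail) tuples for every match under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if name.lower() in ARTIFACTS:
                    findings.append(("artifact", name, path, listed_dirs(path)))
                elif os.path.getsize(path) <= MAX_HASH_BYTES:
                    label = known_sha1.get(sha1_of(path))
                    if label:
                        findings.append(("hash", label, path, []))
            except OSError:
                continue  # locked or unreadable file: skip, keep sweeping
    return findings


if __name__ == "__main__":
    for kind, label, path, detail in sweep(os.path.expanduser("~")):
        print(kind, label, path, *detail, sep="\n  ")
```

Directories returned for an artifact hit point to the browser profiles whose saved passwords and cookies should be treated as exposed.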