Win64/Prikormka

Detection created: 2016-03-09
Short description

Win64/Prikormka is a trojan that steals passwords and other sensitive information. The trojan attempts to send gathered information to a remote machine.

Installation

The trojan may create the following files:

  • %windir%\ntshrui.dll
  • %windir%\hauthuid.dll
  • %windir%\hlpuctf.dll
  • %windir%\atiml.dll
  • %windir%\iomus.dll
  • %windir%\swma.dll
  • %windir%\helpldr.dll
  • %windir%\rbcon.ini
  • %userprofile%\AppData\Local\CMS\krman.ini
  • %userprofile%\AppData\Local\VRT\_wputproc.dll

The trojan may create the following folders:

  • %programfiles%\IntelRestore\
  • %userprofile%\Resent\roaming\ocp8.1\
  • %userprofile%\AppData\Local\MMC\
  • %userprofile%\AppData\Local\PMG\
  • %userprofile%\AppData\Local\SKC\
  • %userprofile%\AppData\Local\CMS\
  • %userprofile%\AppData\Local\VRT\
  • %userprofile%\AppData\Local\ioctl\

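The file and folder paths above are the host-level indicators a responder would sweep for. The script below is an added example, not code from the ESET write-up or from the Operation Groundbait research: the path list is copied verbatim from this page, while the way it enumerates profiles (every directory under the system drive's Users folder, so %userprofile% is resolved for each victim account rather than only the responder's) and the triage data it collects on a hit (SHA-256, Authenticode status, last write time) are assumptions about what is useful when a hit needs confirming.

```powershell
# Added example: sweep a Windows host for the Win64/Prikormka file and folder
# indicators listed in the write-up. Not the vendor's code; the IOC list is from
# the page, the per-profile expansion and hit triage are this example's own.
# Run from an elevated PowerShell prompt on the suspect host.

$FileIocs = @(
    '%windir%\ntshrui.dll',
    '%windir%\hauthuid.dll',
    '%windir%\hlpuctf.dll',
    '%windir%\atiml.dll',
    '%windir%\iomus.dll',
    '%windir%\swma.dll',
    '%windir%\helpldr.dll',
    '%windir%\rbcon.ini',
    '%userprofile%\AppData\Local\CMS\krman.ini',
    '%userprofile%\AppData\Local\VRT\_wputproc.dll'
)

$FolderIocs = @(
    '%programfiles%\IntelRestore\',
    '%userprofile%\Resent\roaming\ocp8.1\',
    '%userprofile%\AppData\Local\MMC\',
    '%userprofile%\AppData\Local\PMG\',
    '%userprofile%\AppData\Local\SKC\',
    '%userprofile%\AppData\Local\CMS\',
    '%userprofile%\AppData\Local\VRT\',
    '%userprofile%\AppData\Local\ioctl\'
)

# Assumption: every profile lives under <SystemDrive>\Users. The implant drops
# into the logged-on victim's AppData, which is rarely the responder's account,
# so %userprofile% indicators are resolved against each profile directory.
$ProfileDirs = Get-ChildItem -LiteralPath (Join-Path $env:SystemDrive 'Users') -Directory |
    Select-Object -ExpandProperty FullName

function Expand-IocPath {
    param([string]$Ioc, [string]$ProfileDir)
    # Substitute %userprofile% for the chosen profile, then let .NET resolve
    # %windir% and %programfiles% from the current environment.
    $p = $Ioc.Replace('%userprofile%', $ProfileDir)
    return [Environment]::ExpandEnvironmentVariables($p)
}

function Test-Ioc {
    param([string]$Ioc, [string]$ProfileDir, [string]$Kind)
    $full = Expand-IocPath -Ioc $Ioc -ProfileDir $ProfileDir
    $type = if ($Kind -eq 'File') { 'Leaf' } else { 'Container' }
    if (-not (Test-Path -LiteralPath $full -PathType $type)) { return }
    $hit = [ordered]@{ Kind = $Kind; Indicator = $Ioc; Path = $full }
    if ($Kind -eq 'File') {
        # Hash, signature status and timestamp let you separate a genuine drop
        # from a coincidentally named legitimate file and build a timeline;
        # compare the hash against the sample hashes your intel feed has for
        # this family before calling it confirmed.
        $item = Get-Item -LiteralPath $full
        $hit.SHA256      = (Get-FileHash -LiteralPath $full -Algorithm SHA256).Hash
        $hit.Signature   = (Get-AuthenticodeSignature -LiteralPath $full).Status
        $hit.ModifiedUtc = $item.LastWriteTimeUtc
    }
    [pscustomobject]$hit
}

# System-wide indicators are checked once; %userprofile% ones once per profile.
$hits = @(
    foreach ($ioc in $FileIocs) {
        $dirs = if ($ioc -like '*%userprofile%*') { $ProfileDirs } else { @($env:USERPROFILE) }
        foreach ($d in $dirs) { Test-Ioc -Ioc $ioc -ProfileDir $d -Kind 'File' }
    }
    foreach ($ioc in $FolderIocs) {
        $dirs = if ($ioc -like '*%userprofile%*') { $ProfileDirs } else { @($env:USERPROFILE) }
        foreach ($d in $dirs) { Test-Ioc -Ioc $ioc -ProfileDir $d -Kind 'Folder' }
    }
)

if ($hits.Count -eq 0) {
    Write-Output 'No Win64/Prikormka file or folder indicators found.'
} else {
    $hits | Format-List
}
```

A folder hit on its own (for example an empty IntelRestore directory) is weaker evidence than a file hit with a matching hash, so treat the two kinds differently when escalating; the script reports both so the responder can decide.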
Information stealing

The trojan collects the following information:

  • operating system version
  • computer name
  • user name
  • screenshots
  • logged keystrokes
  • webcam video and microphone audio
  • list of files/folders on a specific drive
  • file(s) content
  • geographical location of the device
  • computer IP address
  • MAC address
  • amount of installed memory (RAM)
  • list of disk devices and their type
  • display resolution

The trojan collects information related to the following applications:

  • Google Chrome
  • Opera Browser
  • Yandex Browser
  • Comodo Dragon Internet Browser
  • Rambler Browser
  • Mozilla Firefox
  • Mozilla Thunderbird

The trojan attempts to send gathered information to a remote machine.

For further information follow the links below:

* Operation Groundbait: Espionage in Ukrainian war zones
* Operation Groundbait