Win64/Vools [Threat Name]
Win64/Vools.B [Threat Variant Name]
Category | trojan
Size | 405504 B
Aliases | Trojan.Win32.Agent.qwfofe (Kaspersky)
Short description
Win64/Vools.B is a trojan that steals sensitive information. The trojan attempts to send the gathered information to a remote machine. It is able to spread over the network by exploiting vulnerabilities in the operating system.
Installation
The trojan does not create any copies of itself.
The trojan is usually a component of other malware, namely Win32/Agent.ZKY and Win64/Agent.JM.
The trojan needs the following files to run:
- %windir%\System32\NrsDataCache.tlb
This file is an archive containing malware files.
The trojan extracts the archive content into the following folders:
- %windir%\SysprepThemes\
- %windir%\SysprepThemes\Microsoft\
The archive contains the following files:
- crypt (3596689 B, ZIP)
- gpu (5427200 B, Win64/CoinMiner.CY)
- hash (640512 B, Win32/CoinMiner.DN)
- hash64 (573440 B, Win64/CoinMiner.CS)
- spoolsv (322560 B, Win32/Vools.A)
- spoolsv64 (415744 B, Win64/Vools.B)
- srv (501760 B, Win32/Vools.B)
- srv64 (630784 B, Win64/Vools.G)
- crypt\adfw-2.dll (14848 B, Win32/HackTool.Equation.X)
- crypt\adfw.dll (11264 B, Win32/HackTool.Equation.V)
- crypt\cnli-0.dll (106496 B, Win32/Exploit.Equation.G)
- crypt\cnli-1.dll (100864 B, Win32/Exploit.Equation.G)
- crypt\coli-0.dll (15360 B, Win32/HackTool.Equation.U)
- crypt\crli-0.dll (17408 B, Win32/HackTool.Equation.U)
- crypt\dmgd-1.dll (35328 B, Win32/HackTool.Equation.W)
- crypt\dmgd-4.dll (479744 B, Win32/HackTool.Equation.W)
- crypt\esco-0.dll (13824 B, Win32/HackTool.Equation.Y)
- crypt\etch-0.dll (158720 B, Win32/Exploit.Equation.Etch.A)
- crypt\etchCore-0.x64.dll (179200 B, Win64/Exploit.Equation.EtchCore.A)
- crypt\etchCore-0.x86.dll (142848 B, Win32/Exploit.Equation.EtchCore.A)
- crypt\eteb-2.dll (128512 B, Win32/Exploit.Equation.Eteb.A)
- crypt\etebCore-2.x64.dll (141824 B, Win64/Exploit.Equation.EtebCore.A)
- crypt\etebCore-2.x86.dll (112640 B, Win32/Exploit.Equation.EtebCore.A)
- crypt\Eternalblue-2.2.0.fb (503 B)
- crypt\Eternalchampion-2.0.0.fb (1118 B)
- crypt\exma-1.dll (10240 B, Win32/HackTool.Equation.U)
- crypt\exma.dll (6144 B, Win32/HackTool.Equation.Z)
- crypt\iconv.dll (22016 B, Win32/HackTool.Equation.AA)
- crypt\libcurl.dll (212480 B, Win32/Exploit.Equation.G)
- crypt\libeay32.dll (903168 B, Win32/HackTool.Equation.AB)
- crypt\libiconv-2.dll (970393 B)
- crypt\libxml2.dll (826368 B, Win32/HackTool.Equation.AI)
- crypt\out.dll (132096 B, Win64/Vools.C)
- crypt\pcla-0.dll (337408 B, Win32/HackTool.Equation.C)
- crypt\pcre-0.dll (146432 B, Win32/HackTool.Equation.AJ)
- crypt\pcrecpp-0.dll (32768 B, Win32/HackTool.Equation.AK)
- crypt\pcreposix-0.dll (9728 B, Win32/HackTool.Equation.AL)
- crypt\posh-0.dll (11264 B, Win32/HackTool.Equation.AN)
- crypt\posh.dll (6656 B, Win32/HackTool.Equation.AM)
- crypt\pytrch.py (38209 B)
- crypt\pytrch.pyc (49695 B)
- crypt\riar-2.dll (32768 B, Win32/HackTool.Equation.AG)
- crypt\riar.dll (16384 B, Win32/HackTool.Equation.AH)
- crypt\spoolsv.exe (45568 B, Win32/Equation.DoublePulsar.A)
- crypt\spoolsv.xml (4449 B)
- crypt\ssleay32.dll (184320 B, Win32/HackTool.Equation.AO)
- crypt\svchost.exe (129024 B, Win32/Exploit.Equation.EternalBlue.A)
- crypt\svchost.xml (2840 B)
- crypt\tibe-1.dll (233472 B, Win32/Exploit.Equation.F)
- crypt\tibe-2.dll (237568 B, Win32/Exploit.Equation.F)
- crypt\tibe.dll (270336 B, Win32/Exploit.Equation.B)
- crypt\trch-0.dll (73728 B, Win32/HackTool.Equation.AE)
- crypt\trch-1.dll (59904 B, Win32/HackTool.Equation.U)
- crypt\trch.dll (49664 B, Win32/HackTool.Equation.AF)
- crypt\trfo-0.dll (45056 B, Win32/HackTool.Equation.AC)
- crypt\trfo-2.dll (29696 B, Win32/HackTool.Equation.U)
- crypt\trfo.dll (38400 B, Win32/HackTool.Equation.AD)
- crypt\tucl-1.dll (9216 B, Win32/HackTool.Equation.U)
- crypt\tucl.dll (6144 B, Win32/HackTool.Equation.AP)
- crypt\ucl.dll (58368 B, Win32/HackTool.Equation.AQ)
- crypt\x64.dll (175104 B, Win64/Agent.JM)
- crypt\x86.dll (148992 B, Win32/Agent.ZKY)
- crypt\xdvl-0.dll (32256 B, Win32/HackTool.Equation.U)
- crypt\zibe.dll (262144 B, Win32/Exploit.Equation.G)
- crypt\zlib1.dll (60416 B)
- crypt\_pytrch.pyd (153600 B)
Spreading
Win64/Vools.B is a trojan that spreads over the network by exploiting vulnerabilities in the operating system.
The trojan generates various IP addresses to target.
It connects to port 445 on remote machines in an attempt to exploit the Microsoft Server Message Block (SMB) vulnerability.
This vulnerability is described in Microsoft Security Bulletin MS17-010.
If it succeeds, a copy of the trojan is retrieved from the attacking machine.
Information stealing
Win64/Vools.B is a trojan that steals sensitive information.
The following information is collected:
- operating system version
- CPU information
- amount of operating memory
- installed Microsoft Windows patches
- network adapter information
- list of running processes
- list of active TCP and UDP connections
- list of files/folders on a specific drive
- MAC address
- computer IP address
The trojan attempts to send the gathered information to a remote machine.
The trojan contains a list of two URL addresses and uses the HTTP protocol.
Other information
The trojan executes the following commands:
- %windir%\system32\cmd.exe /c systeminfo & tasklist & netstat -nao & dir "C:\Program Files" & dir "C:\Program Files (x86)"
- %windir%\system32\cmd.exe /c %windir%\SysprepThemes\Microsoft\svchost.exe > stage1.txt
- %windir%\system32\cmd.exe /c %windir%\SysprepThemes\Microsoft\spoolsv.exe > stage2.txt
The trojan can terminate the following processes:
- taskmgr.exe
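As an added example that is not part of this threat entry, the following Python snippet flags process-creation log lines that show the command chain, stage redirections and staging paths listed above. The indicator names, the regexes and the sample log records are constructed for illustration and are not taken from the original page.

```python
import re

# Indicators derived from the behaviour listed on this page.  Each entry is
# (name, compiled regex); matching is case-insensitive.  Names are our own.
VOOLS_INDICATORS = [
    ("recon_chain",
     re.compile(r"systeminfo\s*&\s*tasklist\s*&\s*netstat\s+-nao", re.I)),
    ("stage_redirect",
     re.compile(r"\\SysprepThemes\\Microsoft\\(svchost|spoolsv)\.exe\s*>\s*stage[12]\.txt", re.I)),
    ("staging_dir",
     re.compile(r"\\SysprepThemes\\", re.I)),
    ("archive_file",
     re.compile(r"\\System32\\NrsDataCache\.tlb", re.I)),
]


def match_indicators(command_line):
    """Return the names of every Vools.B indicator present in one command line."""
    return [name for name, rx in VOOLS_INDICATORS if rx.search(command_line)]


def scan_log(lines):
    """Map each suspicious line index to its matched indicators; benign lines are omitted."""
    hits = {}
    for i, line in enumerate(lines):
        found = match_indicators(line)
        if found:
            hits[i] = found
    return hits


# Constructed sample process-creation records (command-line field only), not
# real telemetry; the first three mirror the commands listed on this page.
SAMPLE_LOG = [
    r'cmd.exe /c systeminfo & tasklist & netstat -nao & dir "C:\Program Files" & dir "C:\Program Files (x86)"',
    r'C:\Windows\system32\cmd.exe /c C:\Windows\SysprepThemes\Microsoft\svchost.exe > stage1.txt',
    r'C:\Windows\system32\cmd.exe /c C:\Windows\SysprepThemes\Microsoft\spoolsv.exe > stage2.txt',
    r'C:\Windows\system32\svchost.exe -k netsvcs',
    r'powershell.exe -c Get-Process',
]

if __name__ == "__main__":
    for idx, names in scan_log(SAMPLE_LOG).items():
        print(f"line {idx}: {', '.join(names)}")
```

The `staging_dir` pattern alone is a weaker signal than the others, since any file under `%windir%\SysprepThemes\` triggers it; combining it with the stage redirection or the reconnaissance chain gives a much more specific match.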