Technical Information
Malicious functions
Reads files which store third party applications passwords
- %HOMEPATH%\desktop\508softwareandos.doc
- %LOCALAPPDATA%\microsoft\edge\user data\default\login data
- %HOMEPATH%\desktop\file_p_00000000_1371597592.docx
Modifies file system
Creates the following files
- %TEMP%\microsoft_default_login_data
- %TEMP%\chromium_default_login_data
- %TEMP%\torch_default_login_data
- %TEMP%\elements browser_default_login_data
- %TEMP%\comodo_default_login_data
- %TEMP%\coccoc_default_login_data
- %TEMP%\epic privacy browser_default_login_data
- %TEMP%\google_default_login_data
- %TEMP%\coowoo_default_login_data
- %TEMP%\ucozmedia_default_login_data
- %TEMP%\settings_default_login_data
- %TEMP%\amigo_default_login_data
- %TEMP%\7star_default_login_data
- %TEMP%\liebao_default_login_data
- %TEMP%\orbitum_default_login_data
- %TEMP%\vivaldi_default_login_data
- %TEMP%\chromeplus_default_login_data
- %TEMP%\browser_default_login_data
- %TEMP%\opera stable_default_login_data
- %TEMP%\bravesoftware_default_login_data
- %TEMP%\chedot_default_login_data
- %TEMP%\iridium_default_login_data
- %TEMP%\centbrowser_default_login_data
- %TEMP%\sensfiles.zip
- %TEMP%\l9wowodzabr5afj9jlnkdhf6i3eppt\sensfiles.zip
- %TEMP%\l9wowodzabr5afj9jlnkdhf6i3eppt\user_info.txt
- %TEMP%\l9wowodzabr5afj9jlnkdhf6i3eppt\screen1.png
- %TEMP%\out.zip
Modifies the following files
Network activity
Connects to
- 'ip##o.is':443
- 'ap#.##legram.org':443
TCP
Other
- 'ip##o.is':443
- 'ap#.##legram.org':443
UDP
- DNS ASK ip##o.is
- DNS ASK ap#.##legram.org
Miscellaneous
Executes the following
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NoProfile -NonInteractive -NoLogo -Command "Get-Culture | Select -ExpandProperty DisplayName"
