TSPY_TRICKBOT.THOIBEAI
Trojan-Banker.Win32.Trickster.ox (Kaspersky) ; Trojan:Win32/MereTam.A (Microsoft)
Windows
Malware type: Trojan Spy
Destructive?: No
Encrypted?: Yes
In the Wild: Yes
Overview
It steals specific information from the system and/or the user.
It connects to a website to send and receive information.
Technical Details
Installation
It drops the following files:
- %Application Data%\AIMT\FAQ -> contains the victim's unique ID
- %Application Data%\AIMT\info.dat
- %Application Data%\AIMT\Readme.md -> Group Tag
- %Application Data%\AIMT\Modules\pwgrab32 -> Encrypted module that is used to steal login credentials stored by applications such as Internet Explorer, Mozilla Firefox, Google Chrome, Microsoft Edge, FileZilla, WinSCP and Microsoft Outlook
- %Application Data%\AIMT\Modules\tabDll32 -> Encrypted module that is used for its lateral movement in the infected machine's network
- %Application Data%\AIMT\Modules\shareDll32 -> Encrypted module that is used to propagate itself via SMB and LDAP queries. It is used together with wormDll32
- %Application Data%\AIMT\Modules\wormDll32 -> Encrypted module that is used to propagate itself via SMB and LDAP queries. It is used together with shareDll32
- %Application Data%\AIMT\Modules\importDll32 -> Encrypted module that steals credentials from Internet Applications
- %Application Data%\AIMT\Modules\injectDll32 -> Encrypted module that monitors banking-related websites/URLs
- %Application Data%\AIMT\Modules\mailsearcher32 -> Encrypted module that searches for email addresses in the infected machine
- %Application Data%\AIMT\Modules\networkDll32 -> Encrypted module that performs network scanning/mapping
- %Application Data%\AIMT\Modules\systeminfo32 -> Encrypted module that gathers system information of the infected machine
- %Application Data%\AIMT\Modules\injectDll32_configs\sinj -> Encrypted configuration that lists websites that will be redirected to a specific phishing URL
- %Application Data%\AIMT\Modules\injectDll32_configs\dinj -> Encrypted configuration that lists websites to be monitored
- %Application Data%\AIMT\Modules\injectDll32_configs\dpost -> Encrypted configuration that lists C&C servers that receive stolen data from monitored websites
- %Application Data%\AIMT\Modules\networkDll32_configs\dpost -> Encrypted configuration that lists C&C servers that will receive stolen network information
- %Application Data%\AIMT\Modules\mailsearcher32_configs\mailconf -> Encrypted configuration that lists C&C servers that will receive stolen email addresses
- %Application Data%\AIMT\Modules\pwgrab32_configs\dpost -> Encrypted configuration that lists C&C servers that will receive stolen credentials
- %Application Data%\AIMT\Modules\tabDll32_configs\dpost -> Encrypted configuration that lists C&C servers that will receive stolen credentials
(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Windows\Profiles\{user name}\Application Data on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Application Data on Windows NT, and C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003.)
It drops the following copies of itself into the affected system:
- %Application Data%\AIMT\{slight variation of dropped file name}.exe
- %Windows%\mssvca.exe -> Dropped only when propagating through Administrative Shares
- %System%\mssvca.exe -> Dropped only when propagating through Administrative Shares
- %System Root%\mssvca.exe -> Dropped only when propagating through Administrative Shares
(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Windows\Profiles\{user name}\Application Data on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Application Data on Windows NT, and C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003. %Windows% is the Windows folder, which is usually C:\WINDOWS or C:\WINNT. %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, and C:\WINDOWS\system32 on Windows XP and Server 2003.)
(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)
Autostart Technique
It adds and runs the following services:
- Service path (any of the following):
  - %System Root%\mssvca.exe
  - %Windows%\mssvca.exe
  - %System%\mssvca.exe
- Service name (any of the following):
  - Service Techno
  - Service_Techno2
  - Technics-service2
  - Technoservices
  - Advanced-Technic-Service
  - ServiceTechno5
  - New ServiceTech2
  - Techserver3
(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, and C:\WINDOWS\system32 on Windows XP and Server 2003.)
Information Theft
It steals the following information:
- OS information (Architecture, Caption, CSDVersion)
- CPU information (Name)
- Memory information
- User accounts
- Installed programs
- Installed services
- IP configuration
- Network information (Configuration, Users, Domain Settings)
- Email addresses
- Credentials in the following applications:
  - Microsoft Outlook
  - FileZilla
  - WinSCP
- Internet credentials (Internet Explorer, Microsoft Edge, Google Chrome, Mozilla Firefox):
  - Usernames and passwords
  - Internet cookies
  - Browsing history
  - Autofill data
  - HTTP POST responses
Other Details
It connects to the following websites to send and receive information:
Solution
Step 1
For Windows ME and XP users, before scanning, make sure that System Restore is disabled so that the computer can be scanned fully.
Step 3
To delete the randomly named service key created by this malware/grayware/spyware, perform the following steps:
- Scan your computer with your AsiaInfo Security product and note the name of the malware/grayware/spyware detected.
- Open Registry Editor. To do this, click Start > Run, type regedit in the text box provided, then press Enter.
- Press CTRL+F.
- In the Find dialog box, type the file name of the malware detected earlier.
  (Note: Make sure that only the Data checkbox is selected, then click Find Next.)
- Once located, check in the right panel whether the result is the following value-data pair:
  ImagePath = {Malware/Grayware/Spyware path and file name}
- If it is, locate the service that holds this data in the left panel.
- In the left panel, right-click the located service and select Delete.
- Repeat steps 2 to 6 until the "Finished searching through the registry" dialog box appears.
- Close Registry Editor.
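The following PowerShell hunt script is an added example, not part of the original advisory or of any vendor tool: it performs the same ImagePath check as the registry procedure above, and also looks for the dropped AIMT folder, the administrative-share copies and the service names listed earlier on this page. It assumes %Application Data% maps to $env:APPDATA on the host being checked; the function name Find-TrickbotArtifacts is the example's own.

```powershell
# Added example (not from the original advisory). Read-only hunt for the
# artifacts described on this page; nothing is deleted or modified.
$ServiceNames = @(
    'Service Techno', 'Service_Techno2', 'Technics-service2', 'Technoservices',
    'Advanced-Technic-Service', 'ServiceTechno5', 'New ServiceTech2', 'Techserver3'
)
$CopyPaths = @(
    (Join-Path $env:SystemDrive 'mssvca.exe'),          # %System Root%\mssvca.exe
    (Join-Path $env:SystemRoot  'mssvca.exe'),          # %Windows%\mssvca.exe
    (Join-Path $env:SystemRoot  'System32\mssvca.exe')  # %System%\mssvca.exe
)
# Assumption: %Application Data% is the current user's roaming profile folder.
$DropFolder = Join-Path $env:APPDATA 'AIMT'

function Find-TrickbotArtifacts {
    $hits = @()

    # 1. Dropped folder and the Modules\ layout (pwgrab32, injectDll32_configs, ...)
    if (Test-Path -Path $DropFolder) {
        $hits += [pscustomobject]@{ Type = 'Folder'; Name = $DropFolder; Detail = 'present' }
        $modules = Get-ChildItem -Path (Join-Path $DropFolder 'Modules') -Recurse -File -ErrorAction SilentlyContinue
        foreach ($m in $modules) {
            $hits += [pscustomobject]@{ Type = 'Module'; Name = $m.FullName; Detail = "$($m.Length) bytes" }
        }
    }

    # 2. Self-copies dropped only when propagating through administrative shares
    foreach ($p in $CopyPaths) {
        if (Test-Path -Path $p) {
            $sha256 = (Get-FileHash -Path $p -Algorithm SHA256).Hash
            $hits += [pscustomobject]@{ Type = 'Copy'; Name = $p; Detail = "SHA256 $sha256" }
        }
    }

    # 3. Services: match on the listed names, or on an ImagePath pointing at mssvca.exe
    #    (the same value-data pair the manual registry search looks for)
    foreach ($svc in Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services') {
        $name  = $svc.PSChildName
        $image = (Get-ItemProperty -Path $svc.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
        if (($ServiceNames -contains $name) -or ($image -and $image -match 'mssvca\.exe')) {
            $hits += [pscustomobject]@{ Type = 'Service'; Name = $name; Detail = $image }
        }
    }
    return $hits
}

Find-TrickbotArtifacts | Format-Table -AutoSize
```

Run it from an elevated PowerShell session so that the %System% and %Windows% locations and the full Services key are readable; an empty table means none of the listed artifacts were found.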
Step 5
Search for and delete this folder
- %Application Data%\AIMT
Step 6
Restart in normal mode and scan your computer with your AsiaInfo Security product for files detected as TSPY_TRICKBOT.THOIBEAI. If the detected files have already been cleaned, deleted, or quarantined by your AsiaInfo Security product, no further action is needed. You may opt to simply delete the quarantined files. Please refer to the Knowledge Base page for details.
Step 7
Scan your computer with your AsiaInfo Security product and delete files detected as TSPY_TRICKBOT.THOIBEAI. If the detected files have already been cleaned, deleted, or quarantined by your AsiaInfo Security product, no further action is needed. You may opt to simply delete the quarantined files. Please refer to the Knowledge Base page for details.