TrojanSpy:Win32/Ranbyus.P

First posted on 07 May 2015.
Source: Microsoft

Aliases:

There are no other names known for TrojanSpy:Win32/Ranbyus.P.

Explanation:

Threat behavior

Installation
This threat can create files on your PC, including:

  • \calculator.lnk
  • \command prompt.lnk
  • \google chrome.lnk
  • \chcznepjrnzkic.exe
The malware uses code injection to make it harder to detect and remove. It can inject code into running processes.

It creates the following registry entry:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
Sets value: "\chcznepjrnzkic.exe"
With data: "qSbErxizyZhBQpSBSRmiulIDux"

Payload

Collects your sensitive information

This threat can collect your sensitive information without your consent. This can include:

  • The keys you press
  • The applications you open
  • Your web browsing history
  • Your credit card information
  • Your user names and passwords

It can also imitate a legitimate website to lure you into revealing your sensitive information.

Connects to a remote host

We have seen this threat connect to a remote host, including:

Malware can connect to a remote host to do any of the following:

  • Check for an Internet connection
  • Download and run files (including updates or other malware)
  • Report a new infection to its author
  • Receive configuration or other data
  • Receive instructions from a malicious hacker
  • Search for your PC's location
  • Upload information taken from your PC
  • Validate a digital certificate

Additional information

This malware description was published using automated analysis of file SHA1 0273f991246974931002c7596ae4f02ea5a5aa6d.

Symptoms

The following can indicate that you have this threat on your PC:

  • You see a file similar to:
    • \chcznepjrnzkic.exe
    • c:\users\christofsprenger\appdata\roaming\microsoft\windows\start menu\programs\startup\calculator.lnk
  • You see the following mutex:
    • \Sessions\1{C20CD437-BA6D-4ebb-B190-70B43DE3B0F3}
    • \Sessions\174EEDB5A000004F801D084A1AEVOsB_vefNWL
    • \Sessions\1c:!users!christofsprenger!appdata!roaming!microsoft!windows!ietldcache!
    • \Sessions\1InstalledMutex
    • \Sessions\1MainConfigMutex
    • \Sessions\1v&xEiR43#$
    • WindowsUpdateTracingMutex

Last update 07 May 2015