
Trojan.Korbalank


First posted on 29 November 2014.
Source: Symantec

Aliases :

There are no other names known for Trojan.Korbalank.

Explanation :

When the Trojan is executed, it creates the following files:
%Temp%\A1.zip
%Temp%\B1.zip
%Temp%\C1.zip
%Temp%\D1.zip
%Temp%\Hhgrwh.dll
%Temp%\Ueq.dll
%Temp%\YJHyeH
%Temp%\hid.dll
%Temp%\iyiU
%Temp%\ruwfdu8fss.dll
%Temp%\yhsys\doit.rar
%SystemDrive%\ws2tcpip.dll
%SystemDrive%\wshtcpip.dll
%SystemDrive%\drivers\[RANDOM CHARACTERS].sys
Note: The Trojan may try to delete itself to hide its presence in the system.

The Trojan creates the following registry entries, registering the dropped .sys file as a kernel-mode driver service (Type 1) that starts automatically at boot (Start 2):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\[RANDOM CHARACTERS]\"Type" = "1"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\[RANDOM CHARACTERS]\"Start" = "2"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\[RANDOM CHARACTERS]\"ImagePath" = "expand:\??\%SystemDrive%\drivers\[RANDOM CHARACTERS].sys"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\[RANDOM CHARACTERS]\"ErrorControl" = "1"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\[RANDOM CHARACTERS]\"DisplayName" = "[RANDOM CHARACTERS]"
Note: the driver is installed under %SystemDrive%\drivers\, not the usual %SystemRoot%\System32\drivers\ location.
The Trojan may delete the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"ctfmon.exe" = "%SystemDrive%\ctfmon.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\"NoExplorer" = "1"
The Trojan also creates the following named event object on the compromised computer:
BNKHSJDHOPSUR2AYASQWQADUYQWEDWJARXDW2AYJDUAKWDREHYQBRJASWQASUSQDDWXHNOPW
The Trojan gathers system information from the compromised computer.

The Trojan may look for and steal certificate information on the compromised computer, including the following files:
SignPri.key
SignCert.der
The Trojan connects to the following remote locations:
cecs.kyirpj.com
66.79.183.146
new.ouxwub.com
new.vlihtg.com
The Trojan then injects itself into browsers in an attempt to steal banking information when visiting the following websites:
banking.nonghyup.com
wooribank.com
keb.co.kr
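The indicators above can be checked on a suspect Windows host in one pass. The following triage script is an added example written for this page; it is not part of the Symantec writeup and not code from the Trojan. It uses only the file names, registry values, event name and network indicators listed above; the function name, the output format and the decision to match the driver service on its ImagePath pattern (because the service name is random) are this example's own choices. It assumes an elevated PowerShell session on the host being examined.

```powershell
# Added host-triage example for the Trojan.Korbalank indicators listed above.
# Not from the Symantec writeup. Run elevated; read-only, it changes nothing.

function Invoke-KorbalankTriage {
    $findings = [System.Collections.Generic.List[string]]::new()

    # Dropped files from the writeup (%Temp% and %SystemDrive% expanded locally).
    # The dropper may delete itself, so a missing file is not proof of a clean host.
    $iocFiles = @(
        "$env:TEMP\A1.zip", "$env:TEMP\B1.zip", "$env:TEMP\C1.zip", "$env:TEMP\D1.zip",
        "$env:TEMP\Hhgrwh.dll", "$env:TEMP\Ueq.dll", "$env:TEMP\YJHyeH", "$env:TEMP\hid.dll",
        "$env:TEMP\iyiU", "$env:TEMP\ruwfdu8fss.dll", "$env:TEMP\yhsys\doit.rar",
        "$env:SystemDrive\ws2tcpip.dll", "$env:SystemDrive\wshtcpip.dll"
    )
    foreach ($f in $iocFiles) {
        if (Test-Path -LiteralPath $f) { $findings.Add("file present: $f") }
    }

    # Kernel-driver service (Type = 1) whose ImagePath points at %SystemDrive%\drivers\*.sys.
    # Legitimate drivers live under %SystemRoot%\System32\drivers, so this path alone is odd.
    # Read the raw REG_EXPAND_SZ so both "%SystemDrive%" and an already-expanded "C:" match.
    $services = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue
    foreach ($key in $services) {
        $imagePath = $key.GetValue('ImagePath', $null, 'DoNotExpandEnvironmentNames')
        $type      = $key.GetValue('Type')
        if ($imagePath -and $type -eq 1 -and
            $imagePath -match '^(\\\?\?\\)?(%SystemDrive%|[A-Za-z]:)\\drivers\\[^\\]+\.sys$') {
            $findings.Add("driver service: $($key.PSChildName) Start=$($key.GetValue('Start')) ImagePath=$imagePath")
        }
    }

    # Named event from the writeup. The writeup does not say which namespace it lives in,
    # so both the session-local and the Global\ name are tried (assumption of this example).
    $iocEvent = 'BNKHSJDHOPSUR2AYASQWQADUYQWEDWJARXDW2AYJDUAKWDREHYQBRJASWQASUSQDDWXHNOPW'
    foreach ($name in @($iocEvent, "Global\$iocEvent")) {
        try {
            $h = [System.Threading.EventWaitHandle]::OpenExisting($name)
            $h.Dispose()
            $findings.Add("event open on host: $name (Trojan likely running)")
        } catch [System.Threading.WaitHandleCannotBeOpenedException] {
            # event does not exist in this namespace
        } catch [System.UnauthorizedAccessException] {
            $findings.Add("event exists but access denied: $name")
        }
    }

    # Network indicators: resolver cache and live connections.
    $iocHosts = @('cecs.kyirpj.com', 'new.ouxwub.com', 'new.vlihtg.com')
    $iocIp    = '66.79.183.146'
    $dnsCache = & ipconfig /displaydns 2>$null
    foreach ($ioc in ($iocHosts + $iocIp)) {
        if ($dnsCache | Where-Object { $_ -like "*$ioc*" }) { $findings.Add("in DNS cache: $ioc") }
    }
    $conns = & netstat -ano 2>$null
    if ($conns | Where-Object { $_ -like "*$iocIp*" }) { $findings.Add("connection to $iocIp") }

    return $findings
}

$result = Invoke-KorbalankTriage
if ($result) { $result | ForEach-Object { "[!] $_" } } else { "No Trojan.Korbalank indicators found" }
```

The two registry entries the Trojan deletes (the ctfmon.exe Run value and the BHO NoExplorer value) are deliberately not checked: their absence is the normal state on most hosts, so it carries no signal. A hit on the event name is the strongest single indicator, since it means the Trojan's process is alive at the moment of the check.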

Last update 29 November 2014
