
Trojan:Win32/Totbrick


First posted on 14 October 2017.
Source: Microsoft

Aliases:

There are no other names known for Trojan:Win32/Totbrick.

Explanation:

Installation

This is a family of malware that steals online banking credentials and system information. This trojan is usually distributed through spam or exploits.

We have observed this malware being downloaded by other downloader families, such as TrojanDownloader:JS/Nemucod, which is distributed through spam email.

This threat copies itself to the following location:

  • %APPDATA%\roaming\winapp\.exe, for example, c:\Users\Adminuser\AppData\Roaming\winapp\546A9064.exe

It also drops the following component files:

  • %APPDATA%\roaming\winapp\client_id, for example, c:\Users\Adminuser\AppData\Roaming\winapp\client_id
  • %APPDATA%\roaming\winapp\group_tag, for example, c:\Users\Adminuser\AppData\Roaming\winapp\group_tag

It then creates an autostart mechanism using a scheduled task:

  • %SystemRoot%\system32\Tasks\services update, for example, c:\Windows\System32\Tasks\services update

This task has the following triggers:

  • At log on
  • Daily (at the time of infection)

With the following action:

  • Start a program (pointing to the malware file)

It then spawns a new, clean svchost.exe process and injects its malicious code into it.
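The host artefacts described above (the winapp folder with its dropped files, the "services update" scheduled task, and the injected svchost.exe) can be checked on a single machine with the following PowerShell script. This is an added example written for this page, not code from the Microsoft write-up; it assumes a Windows host with the ScheduledTasks module (Windows 8 / Server 2012 or later), that the malware used the paths named in the write-up, and that the script is run from an elevated PowerShell session.

```powershell
# Added example (not from the Microsoft write-up): hunt one host for the
# Totbrick artefacts described above. Assumes Windows 8 / Server 2012 or
# later (ScheduledTasks module) and an elevated PowerShell session.

$findings = @()

# 1. Dropped files: %APPDATA%\winapp\<random>.exe plus client_id and group_tag.
#    $env:APPDATA already resolves to ...\AppData\Roaming, which is the
#    "%APPDATA%\roaming" location named in the write-up.
$winapp = Join-Path $env:APPDATA 'winapp'
if (Test-Path $winapp) {
    foreach ($f in Get-ChildItem -Path $winapp -File -Force) {
        $hash = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
        $findings += [pscustomobject]@{
            Type = 'File'; Item = $f.FullName; Detail = "SHA256=$hash"
        }
    }
}

# 2. Persistence: scheduled task "services update" that starts the dropped binary.
#    Check both the registered task and the raw task file under System32\Tasks.
$task = Get-ScheduledTask -TaskName 'services update' -ErrorAction SilentlyContinue
if ($task) {
    $actions  = ($task.Actions  | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    $triggers = ($task.Triggers | ForEach-Object { $_.CimClass.CimClassName }) -join ', '
    $findings += [pscustomobject]@{
        Type   = 'ScheduledTask'
        Item   = "$($task.TaskPath)$($task.TaskName)"
        Detail = "Actions=[$actions] Triggers=[$triggers]"
    }
}
$taskFile = Join-Path $env:SystemRoot 'System32\Tasks\services update'
if (Test-Path $taskFile) {
    $findings += [pscustomobject]@{
        Type = 'TaskFile'; Item = $taskFile; Detail = 'raw task XML present'
    }
}

# 3. Injection host: the write-up says the trojan starts a clean svchost.exe
#    and injects into it. Legitimate svchost.exe instances are started by
#    services.exe, so an svchost.exe with any other parent deserves a look
#    (a heuristic, not proof; confirm with a memory inspection tool).
$procs = Get-CimInstance Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[$p.ProcessId] = $p }
foreach ($p in ($procs | Where-Object { $_.Name -ieq 'svchost.exe' })) {
    $parent = $byPid[$p.ParentProcessId]
    if (-not $parent -or $parent.Name -ine 'services.exe') {
        $findings += [pscustomobject]@{
            Type   = 'Process'
            Item   = "svchost.exe PID $($p.ProcessId)"
            Detail = "parent=$($parent.Name) (PID $($p.ParentProcessId)) cmd=$($p.CommandLine)"
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Totbrick artefacts found on this host.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

The script only reports; it deletes nothing, so a hit can be triaged (hash the dropped binary, read the task XML, inspect the flagged svchost.exe) before any cleanup. The svchost.exe parent check is a heuristic, and a hit there on its own is not confirmation of infection.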

Payload

Steals online banking credentials

This threat uses a man-in-the-browser technique to steal online banking credentials.

Whenever an infected user browses to one of the monitored URLs, the trojan intercepts the data being sent and forwards it to its own server.

It monitors the following URLs and redirects traffic to the IP address 37.230.113.232:

*.ebanking-services.com/*.asp*
*.ebanking-services.com/*/*favicon.ico*
*caixaontinyent.es/BEWeb/*
*caixaontinyent.es/favicon.ico?*
*cajamar.es/*/*
*cajamar.es/favicon.ico*
*banquedelareunion.fr*
*bankoaonline.com/*/*
*bankoaonline.com/favicon.ico?*
*/outil/UAUT*
*/wcmfd/wcmpw/CustomerLogin*
*/wcmfd/wcmpw/favicon.ico*
*netteller.com/login2008/Authentication*
https://*.netteller.com/favicon.ico?*
*activobank.com/cs/*
*activobank.com/activobank/LoginDNI.doLogin.bs*
*activobank.com/activobank/LoginDNI.init.bs*
*activobank.com/favicon.ico?*
https://entreprises.secure.societegenerale.fr/
https://entreprises.secure.societegenerale.fr/*.html
https://entreprises.secure.societegenerale.fr/favicon.ico?*
*ubibanca.com*
*secure.myvirtualbranch.com*
*.com/fi*/bb/*
*.com/fi*/pb/*
*.com/fi*/retail/*
*.com/fnfg/retail/*
*.com/fi*/bb/favicon.ico?*
*.com/fi*/pb/favicon.ico?*
*.com/fi*/retail/favicon.ico?*
*.com/fnfg/retail/favicon.ico?*
*bancsabadell.com/cs/*
*bancsabadell.com/txbs/*
*bancsabadell.com/favicon.ico*
*bancosabadellfr.com/cs/*
*bancosabadellfr.com/txbs/*
*bancosabadellfr.com/favicon.ico*
*/isum/Main?ISUM_SCR=login&loginType=accesoSeguro&ISUM_Portal*
*ediweb.credit-agricole.fr/*/login*.jsp*
*ediweb.credit-agricole.fr/favicon.ico?*
*.ediweb.ca-*.fr/*/login*.jsp*
*.ediweb.ca-*.fr/favicon.ico?*
*/onlineserv/CM*
*bancopopular.es/*/*
*bancopopular.es/favicon.ico?*
*bancopopular-e.com/eai_logon_ecom/GbpInternetLogonEAI/*
*bancopopular-e.com/favicon.ico?*
*orp/BANKAWAY?Action.CorpUser.Init*
*/dciweb.htm*?p0=idesai.tht&t=p*
*.com/SPF/Login/Auth.aspx*
*.com/SPF/Login/favicon.ico?*
https://www.caja-ingenieros.es/*/*
https://www.caja-ingenieros.es/favicon.ico?*
https://be.caja-ingenieros.es/BEWeb/3025/6025/*
https://www.caixa-enginyers.com/*/*
https://www.caixa-enginyers.com/favicon.ico?*
*unicaja*es*/PortalServle*
*unicaja*es*/favicon.ico*
*pib*.secure-banking.com/*
*allianzbanque.fr*
*bbvanet.com.co*
*.com/pub/html/login.html*
*.com/pub/html/favicon.ico*
*/EBC_EBC1961/*
*bancofarnet.bancofar.es/*/*
*bancofarnet.bancofar.es/favicon.ico?*
*corporatebankingweb/core/*
*engine/login/businesslogin*
*.blilk.com/Core/Authentication/MFA*
*caixabank.es*html*
*lacaixa.es/GPeticiones*
*caixabank.es/favicon.ico*
*lacaixa.es/favicon.ico*
*.onlinebank.com/*/AOP/*.aspx*
*.onlinebank.com/*/AOP/favicon.ico?*
*partnersfcu.org/OnlineBanking/*aspx*
*partnersfcu.org/OnlineBanking/AOP/favicon.ico?*
https://www.bred.fr/*html
https://www.bred.fr/*/*
https://www.bred.fr/favicon.ico*
*palatine.fr*jsp*
*palatine.fr*favicon.ico*
*bbvacontinental.pe*
*entreprises.natixis.com/jcms*
*entreprises.natixis.com/favicon.ico*
*finconsum.es*
*caixabankconsumer.com*
*online.bank-abc.com/*/log*
https://www.cic.fr/*/authentification.html*
https://www.cic.fr/favicon.ico?*
*bankinter.com/*/*
*bankinter.com/favicon.ico*
*portal.citidirect.com/*/forms/*
*/Authentication/Login*
*/Accounts/AccountOverview.asp*
*be.ceca.es*
*cetelem.es/*/*
*cetelem.es/favicon.ico?*
*cm-cic-bail.com*
*labanquepostale*.html*
*labanquepostale*favicon.ico*
*labanquepostale.fr/wsost/OstBrokerWeb/loginform*
*/BEWeb/0130/0130/inicio_identificacion.action*
*/BEWeb/0130/0130/favicon.ico*
*liberbankbancaprivada.es/*/*
*liberbankbancaprivada.es/favicon.ico
*activa24.ccm.es/*/*
*activa24.ccm.es/favicon.ico?*
*bancaadistancia*es/*/*
*bancaadistancia*es/favicon.ico?*
https://www.bfsonline.es/BEWeb/*
https://www.bfsonline.es/favicon.ico*
*tarneaud.fr*
*credit-du-nord.fr*
*smc.fr*
*banque-*.fr*
*bbv.com.ar*
*laboralkutxa.com/*/*
*laboralkutxa.com/favicon.ico?*
https://www.uno-e.com/local_bdnt_unoe/*html*
https://www.uno-e.com/local_bdnt_unoe/favicon.ico?*
https://www.creditmutuel.fr/*/*
https://www.creditmutuel.fr/favicon.ico*
*cey-ebanking.com/CLKCCM/*
https://www.openbank.es*
*secure.fundsxpress.com/piles/fxweb.pile/*
https://*secure.fundsxpress.com/*/fx?*
https://*secure.fundsxpress.com/*/favicon.ico?*
https://*secure.fundsxpress.com/start/*
https://*secure.fundsxpress.com/favicon.ico?
*bancomer.com*
*bmn.es/*/*
*bmn.es/favicon.ico?*
*/bbw/cmserver/welcome*
*creatis.fr*
*bbva.*
*cajasur.es/*/*
*kutxabank.es/*/*
*cajasur.es/favicon.ico*
*kutxabank.es/favicon.ico*
https://www.inbiz.intesasanpaolo.com/scriptFvcv0/vetrinaFVC/*
https://www.inbiz.intesasanpaolo.com/portalEiam0/sma*
https://www.inbiz.intesasanpaolo.com/portalFvcv0/vetrinaFVC/img/layout/footerbg.gif?*
*-g*-enligne.*.fr/stb/entreeBam*
*-g*-enligne.*.fr/stb/favicon.ico?*
*/BEWeb/9138/9138/inicio_identificacion.action*
*/BEWeb/9138/9138/favicon.ico*
*entreprises*lcl.fr*
https://www.icgauth.banquepopulaire.fr/WebSSO_BP/_*html*
https://*banquepopulaire.fr*asp*
https://*banquepopulaire.fr/favicon.ico?*
*/business/j_security_check*
*/business/login/Login.jsp*
*/business/cts_security_precheck*
https://secure.*/LookAndFeel/Common/images/common/share.png?favicon.ico*
https://espace-client.cetelem.fr/*/cetelem/logon.do*
https://espace-client.cetelem.fr/*/cetelem/favicon.ico*
https://internetbanking.suncorpbank.com.au/Logon*
https://internetbanking.suncorpbank.com.au/
https://internetbanking.suncorpbank.com.au/*/Transfers/External*
https://internetbanking.suncorpbank.com.au/*/Transfers/ConfirmExternal*
https://internetbanking.suncorpbank.com.au/*/Transfers/Receipt*
https://internetbanking.suncorpbank.com.au/*/MultipleTransfer/MultipleExternal*
https://internetbanking.suncorpbank.com.au/*/MultipleBpay/MultipleBpayPayment*
https://internetbanking.suncorpbank.com.au/*/TransactionHistory/Results/*
https://internetbanking.suncorpbank.com.au/Content/img/arrow.png*
https://banking*.anz.com/IBAU/BANKAWAY*
https://www.anz.com/INETBANK/*login*.asp*
https://www.anz.com/favicon.ico?*
https://banking*.anz.com/IBAU/web/L001/images/newsite/header/images/mail-icon-1digit.png?*
https://banking*.anz.com/favicon.ico?*
https://www*.my.commbank.com.au/netbank/PaymentHub/MakePayment.aspx*
https://www*.my.commbank.com.au/netbank/Logon/Logon.aspx*
https://www*.my.commbank.com.au/netbank/PaymentHub/ConfirmDetails.aspx*
https://www*.my.commbank.com.au/netbank/PaymentHub/PaymentReceipt.aspx*
https://www*.my.commbank.com.au/netbank/Transaction/History.aspx*
https://www*.my.commbank.com.au/netbank/TransactionHistory/History.aspx*
https://www1.my.commbank.com.au/netbank/PaymentHub/MultiTransferBpay/ConfirmTransferDetails.aspx*
https://*.my.commbank.com.au/favicon.ico?*
https://www*.my.commbank.com.au/netbank/Portfolio/Home/Home.aspx*
https://www*.my.commbank.com.au/netbank/Portfolio/AjaxPages/AjaxHome.aspx*
https://www*.my.commbank.com.au/netbank/UserMaintenance/Inbox/MessageList.aspx*
https://www*.my.commbank.com.au/netbank/UserMaintenance/Inbox/MessageDetails.aspx*
https://ibanking.stgeorge.com.au/InternetBankingResources/ibank2/javascript/util/cryptoJS/components/pad-nopadding-min.js
https://ibanking.banksa.com.au/InternetBankingResources/ibank2/javascript/util/cryptoJS/components/pad-nopadding-min.js
https://ibanking.bankofmelbourne.com.au/InternetBankingResources/ibank2/javascript/util/cryptoJS/components/pad-nopadding-min.js
https://ibanking.stgeorge.com.au/ibank/logonAction.action
https://ibanking.bankofmelbourne.com.au/ibank/logonAction.action
https://ibanking.banksa.com.au/ibank/logonAction.action
https://ibanking.stgeorge.com.au/ibank/stats.jsp
https://ibanking.banksa.com.au/ibank/stats.jsp
https://ibanking.bankofmelbourne.com.au/ibank/stats.jsp
https://ib.nab.com.au/nabib/index.jsp*
https://ib.nab.com.au/favicon.ico?*
https://ib.nab.com.au/nabib/*.ctl*
https://*.westpac.com.au/secure/banking/overview/accounts/list*
https://*.westpac.com.au/secure/banking/overview/dashboard*
https://*.westpac.com.au/secure/banking/overview/payments/confirmation*
https://*.westpac.com.au/secure/banking/manage/approvalworkflow*
https://*.westpac.com.au/secure/banking/account/statements*
https://*.westpac.com.au/secure/banking/overview/accountactivity?*
https://*.westpac.com.au/secure/banking/overview/transactiondetails*
https://*.westpac.com.au/secure/banking/overview/payments/transfers*
https://*.westpac.com.au/favicon.ico?
https://*westpac.com.au/wbc/banking/handler*
https://*westpac.com.au/secure/banking/manage/payees/addpayee*
https://*westpac.com.au/secure/banking/overview/payments/paysomeone*
https://*.westpac.com.au/secure/banking/Themes/Default/Desktop/WBC/Core/Images/Patterns1.1/tile-divider.png.*favicon.ico*
https://*.westpac.com.au/wbc/banking/Themes/Default/Desktop/WBC/Core/Images/Patterns1.1/icon-alert-warning.png.*.png*favicon.ico*
https://securebusiness.lloydsbank.co.uk/business/a/*/*
https://www.nwolb.com/AccountSummary2.aspx*
https://www.nwolb.com/OneOffPaymentsPayeeList.aspx*
https://accounts.careerbuilder.com/share/login.aspx*
https://employer.careerbuilder.com/share/verifyidentity.aspx*
https://www.careerbuilder.com/jobseeker/mycb.aspx*
https://www.careerbuilder.com/user/profile
https://www.bankofamerica.com/[?]*
https://www.bankofamerica.com/
https://www.bankofamerica.com/#login/sign-in/entry/signOn.go
https://secure.bankofamerica.com/login/sign-in/signOnScreen.go*
https://www.bankofamerica.com/homepage/overview.go*
https://secure.bankofamerica.com/login/sign-in/signOnV2Screen.go*
https://secure.bankofamerica.com/login/sign-in/internal/entry/signOnV2.go*
https://secure.bankofamerica.com/login/sign-in/entry/signOnV2.go*
https://secure.bankofamerica.com/login/sign-in/entry/signOn.go*
https://secure.bankofamerica.com/login/sign-in/internal/entry/signOn.go*
https://www.bankofamerica.com/sitemap/hub/signin.go*
https://secure.bankofamerica.com/login/sign-in/signOn.go*
https://secure.bankofamerica.com/login/languageToggle.go*
https://secure.bankofamerica.com/login/sign-in/validateChallengeAnswer.go*
https://www.bankofamerica.com/smallbusiness/
https://www.bankofamerica.com/login/sign-in/entry/signOn.go*
https://www.bankofamerica.com/onlinebanking/online-banking.go*
https://secure.bankofamerica.com/login/sign-in/displayAuthCodeScreen.go*
https://www.bankofamerica.com
https://secure.bankofamerica.com/login/sign-in/validateChallengeAnswerV2.go*
https://secure.bankofamerica.com/myaccounts/signin/signIn.go*
https://secure.bankofamerica.com/myaccounts/signin/signIn.go?returnSiteIndicator=*
https://secure.bankofamerica.com/myaccounts/brain/*
https://secure.bankofamerica.com/login/edit/sm/*
https://secure.bankofamerica.com/myaccounts/signin/*
https://secure.bankofamerica.com/customer/manageContacts/view-profile.go*
https://secure.bankofamerica.com/login/edit/sm/redirectSecurityCenter.go?target=challengequestion*
https://online.americanexpress.com/myca/logon/us/action/LogLogonHandler*
https://online.americanexpress.com/myca/logon/us/action/LogonHandler*
https://www.americanexpress.com/[?]*
https://www.americanexpress.com/??/
https://online.americanexpress.com/myca/logon/us/action*
https://www.americanexpress.com/
https://sso.americanexpress.com/SPS/logon
https://personalsavings.americanexpress.com/onlinebanking/login.do*
https://online.americanexpress.com/myca/tasdsgn/??/action*
https://global.americanexpress.com/myca/intl/isummary/??/summary.do*
https://online.americanexpress.com/myca/acctmgmt/??/myaccountsummary.do*
https://online.americanexpress.com/myca/accountsummary/??/accounthome*
https://online.americanexpress.com/myca/accountsummary/us/accounthome?request_type=authreg_acctAccountSummary*
https://online.americanexpress.com/myca/tasdsgn/??/action?request_type=authreg_tasDelegateCRRequest&Face=*
https://global.americanexpress.com/myca/intl/isummary/canlac/summary.do?request_type=*method=displaySummary*
https://global.americanexpress.com/myca/intl/isummary/emea/summary.do?*method=displaySummary*
https://online.americanexpress.com/myca/tasdsgn/us/action*
https://global.americanexpress.com/dashboard*
https://online.americanexpress.com/myca/accountprofile/us/view.do?request_type=authreg_home&source=inav&sorted_index=0&inav=MYCA_PC_Profile_Preference2
https://online.americanexpress.com/myca/odm/us/contactInfo.do?request_type=authreg_home&sorted_index=0&menuName=aprwd_personal_details
https://online.americanexpress.com/myca/estmt/us/list.do?*request_type=authreg_Statement*
https://online.americanexpress.com/myca/tasdsgn/??/action?request_type=authreg_tasUpdateUserProfile*
https://global.americanexpress.com/myca/intl/istatement/canlac/statement.do?*method=displayStatement*
https://global.americanexpress.com/myca/intl/rc/canlac/contactinfo/contactInfoController.do?request_type=authreg_viewContactDetails
https://global.americanexpress.com/myca/intl/istatement/emea/v1/statement.do?*method=displayStatement*
https://global.americanexpress.com/myca/intl/rc/emea/contactinfo/contactInfoController.do?request_type=authreg_viewContactDetails
https://global.americanexpress.com/account-data/v1/financials/transactions*
https://www.scotiaonline.scotiabank.com/online/authentication/mfaAuthentication.bns*
https://www.scotiaonline.scotiabank.com/online/authentication/authentication.bns*
https://www?.scotiaonline.scotiabank.com/online/authentication/authentication.bns*
https://www.scotiaonline.scotiabank.com/online/authentication/signout.bns*
https://www.scotiaonline.scotiabank.com/online/views/accounts/summary/summaryStandard.bns*
https://www.scotiaonline.scotiabank.com/online/views/accounts/summary/summaryAsset.bns*
https://www.scotiaonline.scotiabank.com/online/views/managemyaccounts/securityPasswords/mfaQAs.bns*
https://www.frostbank.com/pages/default.aspx
https://www.frostbank.com/cgi-bin/ecomm/portal/signin/enterusername.do*
https://www.frostbank.com/cgi-bin/ecomm/portal/myfrostnew/signin/challenge.jsp*
https://www.frostbank.com/pages/logins.aspx
https://www.frostbank.com/cgi-bin/ecomm/portal/signin/enterusername.do
https://www.frostbank.com/logins
https://www.frostbank.com/
https://www.frostbank.com/personal
https://www.ally.com/auto/online-services/access/pre-login.html
https://www.ally.com/autoidp/login
https://www.ally.com/auto/online-services/access/user-challenge.html*
https://www.ally.com?
https://secure.ally.com?
https://www.ally.com/auto/online-services/secure/account-summary.html*
https://www.hancockbank.com/
https://secure.hancockbank.com/online/Hancock/Consumer/login.asp*
https://secure.hancockbank.com/online/Hancock/business/login.asp*
https://www.hancockwhitney.com/
https://www.us.hsbcprivatebank.com/1/2/!ut/p/c5*
https://www?.hsbcprivatebank.com/1/2/!ut/p/c1/*
https://www.santanderbank.com/us/
https://www.santanderbank.com/us/personal*
https://www.santanderbank.com/us/business*
https://rolb.santanderbank.com/LOGSVG_NS_ENS/BtoChannelDriver.ssobto*
https://rolb.santanderbank.com/LOGSVG_NS_ENS/ChannelDriver.ssobto*
https://rolb.santanderbank.com/FORPAS_ENS/ChannelDriver.bto*
https://drob.santanderbank.com/cscobgss/Satellite*
https://bob.santanderbank.com/LGSVBS_NS_ENS/ChannelDriver.ssobto
https://www.security.us.hsbc.com/gsa/SaaS30Resource/
https://www.us.hsbc.com/1/2/home/personal-banking
https://www.us.hsbc.com/1/2/3/personal/online-services/personal-internet-banking/view-accounts/view-accounts-post-registration-email
https://www.security.us.hsbc.com/gsa/SECURITY_LOGON_PAGE/
https://www.services.online-banking.us.hsbc.com/gpib/group/gpib/cmn/layouts/default.html*
https://www.fidelity.com/
https://login.fidelity.com/ftgw/Fas/Fidelity/RtlCust/Refresh/Init*
https://www.fidelity.com/lpp/homepage-a*
https://www.fidelity.com/login/accountposition
https://www.fidelity.com/login/portfolio*
https://login.fidelity.com/ftgw/Fidelity/NBPart/Login/Init
https://login.fidelity.com/ftgw/Fas/Fidelity/FIISCust/Login/Response
https://oltx.fidelity.com/ftgw/fbc/ofaccounts/BrokerageBalances*
https://scs.fidelity.com/accounts/services/content/norelationship.shtml*
https://advisor.fidelity.com/app/account/list*
https://oltx.fidelity.com/ftgw/fbc/oftop/portfolio*
https://workplaceservices200.fidelity.com/mybenefits/navstation/navigation
https://oltx.fidelity.com/ftgw/fbc/ofpositions/snippet/portfolioPositions
https://accountmaint.fidelity.com/ftgw/Profile/action/profile?hint=coainq
https://oltx.fidelity.com/ftgw/fbc/oftop2/cashmgmtAllAcct?ACCOUNT=&CREDIT_CARD=
https://accountsetup.fidelity.com/ftgw/bene/maint/summary
https://fps.fidelity.com/ftgw/Fps/Fidelity/RSAAnalyzeChallengeRetail/Maintain/Init
https://oltx.fidelity.com/ftgw/fbc/oftop2/cashmgmtAllAcct?CREDIT_CARD=
https://www.usbank.com/index.html*
https://www.usbank.com/small-business/index.html*
https://onlinebanking.usbank.com/Auth/Login*
https://onlinebanking.usbank.com/USB/*/MyProfileDashboard/MyProfileDashboardIndex
https://www.usbank.com/homepage.html*
https://www.usbank.com/online-banking/internet-banking.html
https://onlinebanking.usbank.com/USB/*/CustomerDashboard/Index
https://www.suntrust.com/SmallBusiness*
https://onlinebanking.suntrust.com/UI/login*
https://www.suntrust.com/portal/server.p*
https://www.suntrustenespanol.com/SmallBusiness*
https://www.suntrust.com/personalbanking*
https://www.suntrustenespanol.com/PersonalBanking*
https://www.suntrust.com/Static/homepageB.htm*
https://www.suntrustenespanol.com/personal-banking*
https://www.suntrust.com/personal-banking*
https://www.suntrust.com/small-business-banking*
https://www.suntrust.com/
https://onlinebanking.suntrust.com/UI/accounts#/*
https://www.comerica.com/personal-finance.html
https://www.comerica.com/home.html
https://www.comerica.com/
https://www.comerica.com/pages/default.aspx*
https://webbanking.comerica.com/comerica/login.aspx*
https://webbanking.comerica.com/Comerica/*/CustInfo/Challenge.aspx
https://www.comerica.com/wealth-management.html
https://www?.comerica.com/pkmslogin.form
https://www?.comerica.com/
https://webbanking.comerica.com/Comerica/FinancialOverview/FinancialOverview.aspx
https://webbanking.comerica.com/Comerica/SelfService/ManageAccountPreferences.aspx
https://webbanking.comerica.com/Comerica/SelfService/UpdateProfile.aspx
https://webbanking.comerica.com/Comerica/SelfService/ManageQuestionAnswers.aspx
https://webbanking.comerica.com/Comerica/Accounts/Activity.aspx
https://www.regions.com/
https://www.regions.com/*.rf*
https://securebank.regions.com/login.aspx*
https://securebank.regions.com/IA/Challenge.aspx
https://www.regions.com/personal-banking/
https://login.regions.com/SignIn*
https://onlinebanking.regions.com/accounts/overview
https://online.bbt.com/auth/prompt.tb*
https://online.bbt.com/auth/pwd.tb
https://www.bbt.com/campaigns/start.page
https://www.bbt.com/
https://www.bbt.com/start.page
https://www.53.com/
https://www.53.com/fifththird/logout/logout.jsp*
https://www.53.com/site/global/ib-login.html
https://www.53.com/business-banking/
https://www.53.com/private-bank/
https://www.53.com/about/
https://secure.53.com/mortgage/#
https://secure.53.com/mlo/app/mlosite/*
https://www.53.com/olb/auth/challenge-questions*
https://secure.53.com/mortgage/
https://www.53.com/login.html
https://www.53.com/about/
https://www.53.com/wealth-management/
https://www.53.com/content/fifth-third/en.html
https://www.53.com/olb/account/myAccounts.html
https://www.53.com/olb/account/myAccounts.html
https://onlinebanking.tdbank.com/default.asp*
https://onlinebanking.tdbank.com/login.asp*
https://onlinebanking.tdbank.com/
https://onlinebanking.tdbank.com/accts/getAccts.asp
https://onlinebanking.tdbank.com/csc/svcs_change_addy.asp
https://onlinebanking.tdbank.com/csc/svcs_security_questions.asp
https://onlinebanking.tdbank.com/transfer/xfr_history.asp
https://my.navyfederal.org/NFOAA_Auth/login.jsp*
https://www.navyfederal.org/
https://myaccounts.navyfederal.org/NFCU/accounts/accountsummary
https://myaccounts.navyfederal.org/NFCU/settings/updateprofileinfopartialview
https://www*.harrisbank.com/HOB/retail/logon
https://www.bmoharris.com/us/personal-finance/banking/online-banking*
https://www.bmoharris.com/main/personal
https://www*.harrisbank.com/HOB/retail/logon/mfa/challenge*
https://www*.harrisbank.com/HOB/retail/individualLogon*
https://www.bmoharris.com/main/small-business
https://www.bmoharris.com/main/small-business-banking
https://www*.harrisbank.com/HOB/retail/logon/logon
https://tqavgn-bmoharris.dev.bmo.com/main/personal
https://www.wellsfargo.com/biz*
https://www.wellsfargo.com/
https://online.wellsfargo.com/signon*
https://online.wellsfargo.com/das/signon*
https://connect.secure.wellsfargo.com/auth/login/present*
https://online.wellsfargo.com/login*
https://online.wellsfargo.com/das/channel/accountSummary*
https://online.wellsfargo.com/das/cgi-bin/session.cgi?screenid=SIGNON_PORTAL_PAUSE
https://connect.secure.wellsfargo.com/accounts/start?SAMLart=*
https://connect.secure.wellsfargo.com/accounts/inquiry/summary/default?_x=*
https://connect.secure.wellsfargo.com/accounts/start?st=*
https://connect.secure.wellsfargo.com/servicing/cgi-bin/session.cgi?sessargs=*
https://connect.secure.wellsfargo.com/transferandpay/selfpay/transfers/home?st=*
https://billpay.wellsfargo.com/billpay/application/Payments?eventName=PaymentsEvent*
https://connect.secure.wellsfargo.com/transferandpay/billpay/home/pay?_x=*
https://connect.secure.wellsfargo.com/transferandpay/selfpay/transfers/home?_x=*
https://connect.secure.wellsfargo.com/accounts/self_service/contact_info/email_update/start?_x=*
https://connect.secure.wellsfargo.com/accounts/self_service/account_maintainance/modify_nicknames/start/default?*
https://connect.secure.wellsfargo.com/services/start?st=*
https://www.capitalone.com/
https://login?.capitalone.com/loginweb/login/invalidCredential.do
https://www.capitaloneonline.co.uk/CapitalOne_Consumer/Login.do
https://banking.capitalone.com/
https://banking.capitalone.com/[?]*
https://secure.capitalone360.com/myaccount/banking/security_questions.vm
https://nohasslerewards.capitalone.com/login.aspx
https://www.capitalonecardservice.ca/ecare/loginform*
https://www.capitalonecardservice.ca/ecare/accountoverview*
https://coi.netxinvestor.com/web/coi/login*
https://login?.capitalone.com/loginweb/login/loginMFA.do*
https://login?.capitalone.com/loginweb/login/login.do
https://secure.capitalone360.com/myaccount/banking/login.vm
https://verified.capitalone.com/sic-ui/
https://services?.capitalone.com/accounts/
https://servicing.capitalone.com/C1/MyInfo/MyInformation.aspx?drawer=ContactInfo
https://services?.capitalone.com/ui/?/accounts/payments/
https://www.bankofthewest.com/[?]*
https://www.bankofthewest.com/
https://www.bankofthewest.com/small-business.html
https://online.bankofthewest.com/BOW/MFA/Challenge.aspx
https://online.bankofthewest.com/BOW/Login.aspx
https://www?.royalbank.com/cgi-bin/rbaccess/rbunxcgi*
https://www?.royalbank.com/cgi-bin/rbaccess/rbcgi3m01
https://www?.royalbank.com/cgi-bin/rbaccess/rbcgi3m01[?]*
https://www?.royalbank.com/wps/myportal/OLB1*
https://www?.royalbank.com/wps/myportal/OLB/!ut/p/a?/*
https://www.mtb.com/personal/Pages/Index.aspx*
https://www.mtb.com/business/Pages/BusinessHome.aspx*
https://onlinebanking.mtb.com/
https://onlinebanking.mtb.com/Login/*
https://onlinebanking.mtb.com/onlinebanking.mtb.com/Login/SecurityQuestion
https://www.mtb.com/home-page
https://www.mtb.com/business
https://onlinebanking.mtb.com/Accounts/AccountSummary
https://onlinebanking.mtb.com/Transfers/GetTransferHistoryTransactions
https://onlinebanking.mtb.com/CustomerService/MyProfile
https://onlinebanking.mtb.com/CustomerService/FetchAccountDisplayDetails
https://www.discover.com/
https://www.discover.com/[?]*
https://www.discovercard.com/cardmembersvcs/loginlogout/app/signin*
https://www.discoverbank.com/bankac/loginreg/login*
https://www.discover.com/online-banking/
https://www.discover.com/online-banking/[?]*
https://www.discoverbank.com/bankac/loginreg/submitlogin
https://www.discovercard.com/cardmembersvcs/loginlogout/app/ac_main*
https://www.discovercard.com/cardmembersvcs/loginlogout/app/ac_main*
https://portal.discover.com/customersvcs/universalLogin/ac_main*
https://www.discovercard.com/invalid_login/BigBrowser/DiscoverCardAccountCenterLogin_DiscoverCard_msg.htm
https://portal.discover.com/customersvcs/universalLogin/signin*
https://www.discovercard.com/cardmembersvcs/achome/homepage*
https://card.discover.com/cardmembersvcs/achome/homepage*
https://www.discovercard.com/cardmembersvcs/personalprofile/pp/MyProfilePage*
https://card.discover.com/cardmembersvcs/epay/app/paymentHistory*
https://card.discover.com/cardmembersvcs/epay/app/directPay*
https://card.discover.com/cardmembersvcs/personalprofile/pp/MyProfilePage*
https://card.discover.com/cardmembersvcs/statements/app/activity#/recent*
https://easyweb.td.com/waw/idp/login.htm*
https://easyweb.td.com/waw/idp/authenticate.htm?execution=*
https://easyweb.td.com/waw/ezw/servlet/ca.tdbank.banking.servlet.FinancialSummaryServlet?*
https://easyweb.td.com/waw/ezw/servlet/ca.tdbank.banking.servlet.BillPaymentEnquiryDetailsServlet*
https://easyweb.td.com/waw/ezw/servlet/com.td.ds.emailpayments.servlet.ViewPendingEmailPaymentsServlet*
https://easyweb.td.com/waw/ezw/servlet/A2AViewCompletedTransfersServlet*
https://easyweb.td.com/waw/ezw/servlet/com.td.ds.emailpayments.servlet.ViewCompletedEmailPaymentsServlet*
https://easyweb.td.com/waw/ezw/servlet/ca.tdbank.banking.servlet.AccountDetailsServlet*
https://easyweb.td.com/waw/idp/gadget/evergreen/resetChallenge.htm?execution=e?s1*
https://www.paypal.com/auth/validatecaptcha
https://www.paypal.com/*cgi-bin/webscr?cmd=*account-refund*
https://www.paypal.com/*cgi-bin/webscr?cmd=*login-processing*
https://www.paypal.com/*cgi-bin/webscr?cmd=*run-check-cookie*
https://www.paypal.com/*cgi-bin/webscr?cmd=*login-submit*
https://www.paypal.com/*cgi-bin/webscr?cmd=*login-run*
https://www.paypal.com/*cgi-bin/webscr?cmd=*express-checkout*
https://www.paypal.com/*cgi-bin/webscr?token*
https://www.paypal.com/*cgi-bin/webscr?cmd=*flow*
https://www.paypal.com/login*
https://www.paypal.com/signin*
https://www.paypal.com/??/webapps/mpp/merchant
https://www.paypal.com/webapps/mpp/merchant
https://www.paypal.com/??/webapps/mpp/home*
https://www.paypal.com/webapps/mpp/home*
https://www.paypal.com/??/home
https://www.paypal.com
https://www.paypal.com/
https://www.paypal.com/*cgi-bin/webscr?cmd=*contact-general*
https://www.paypal.com/home
https://www.paypal.com/??/signin
https://www.paypal.com/webscr?cmd=*
https://www.paypal.com/webapps/helios*
https://www.paypal.com/webapps/business/moneyBasic
https://www.paypal.com/webapps/business/
https://www.paypal.com/businessexp/money*
https://www.paypal.com/myaccount/home
https://www.paypal.com/myaccount/[?]*
https://www.paypal.com/myaccount/
https://www.paypal.com/businessexp/summary*
https://www.paypal.com/myaccount/settings
https://www.paypal.com/webapps/customerprofile/summary.view
https://www.paypal.com/myaccount/activity
https://www.paypal.com/cgi-bin/webscr?cmd=_profile-address
https://www.paypal.com/businessprofile/settings/email
https://www.paypal.com/businessexp/transactions*
https://www.paypal.com/businessprofile/settings/phone
https://www.paypal.com/checkoutnow/2*
https://www.paypal.com/xpt/Checkout/ec/Login*
https://www.paypal.com/*/cgi-bin/merchantpaymentweb*
https://www.accountonline.com/buscards/USBAO/login/showLogin.action*
https://www.citi.com/credit-cards/citi.action*
https://accountonline.citi.com/cards/svc/LoginGet.do*
https://accountonline.citi.com/cards/svc/OutsideTimeOutNext.do*
https://online.citi.com/??/JSO/signon/DisplayUsernameSignon.do*
https://online.citi.com/??/JSO/signon/CBOLSessionRecovery.do
https://online.citi.com/??/JPS/portal/LocaleSwitch.do*
https://online.citi.com/??/JSO/signon/uname/HomePageCinless.do*
https://www.accountonline.citi.com/cards/svc/LoginIntNext.do*
https://www.citi.com/credit-cards/creditcards/CitiHome.do*
https://online.citi.com/??/JPS/portal/Index.do*
https://online.citi.com/??/JSO/signon/uname/Next.do*
https://online.citi.com/??/JSO/signon/LocaleUsernameSignon.do*
https://online.citi.com/??/login.do?*
https://online.citi.com/??/login.do
https://www.accountonline.com/webdepot/pl/PLNP_HOMEDEPOT/REQUEST_SIGNON?*
https://www.accountonline.com/cards/svc/LoginGet.do*
https://online.citi.com/??/JSO/signon/VIPLocaleUsernameSignon.do*
https://accountonline.citi.com/cards/svc/LoginIntNext.do*
https://online.citi.com/??/JRS/signon/CheckTandC.do?CUSTOM_SYNC_TOKEN=*
https://online.citi.com/US/JSO/signoff/PostSignOffOverlay.do*
https://online.citi.com/US/JRS/signon/CheckTandC.do?CUSTOM_SYNC_TOKEN=*
https://www.accountonline.com/webdepot/pl/PLNP_HOMEDEPOT/REQUEST_INVDET_SIGNON*
https://accountonline.citi.com/cards/svc/OutsideTimeOutNext.do?SYNC_TOKEN=*
https://online.citi.com/??/NCCS/pft/flow.action*
https://online.citi.com/??/JSO/signon/uname/HomePageCinless.do*
https://online.citi.com/??/CBOL/ain/caraccdet/flow.action*
https://online.citi.com/??/CBOL/ain/cardasboa/flow.action*
https://online.citi.com/??/CBOL/ain/dashboard/flow.action*
https://online.citi.com/??/JPS/portal/Home.do*
https://www.accountonline.com/buscards/*/accountsummary/flow.action*
https://accountonline.citi.com/cards/svc/PersonalProfileNext.do[?]*
https://online.citi.com/??/REST/CBOL/pnt/schpayhis/PastPaymentResource/getPastPaymentList.jws?JFP_TOKEN=*
https://online.citi.com/??/REST/CBOL/pnt/schpayhis/ScheduledPaymentResource/getScheduledPaymentList.jws?JFP_TOKEN=*
https://www?.bmo.com/onlinebanking/cgi-bin/netbnx/NBmain*
https://www??.bmo.com/onlinebanking/cgi-bin/netbnx/NBmain*
https://www??.bmo.com/onlinebanking/cgi-bin/netbnx/NBmain/SubmitSignOn*
https://www?.bmo.com/onlinebanking/cgi-bin/netbnx/NBmain/SubmitSignOn*
https://www??.bmo.com/onlinebanking/OLB?id=*
https://www?.bmo.com/onlinebanking/OLB?id=*
https://www??.bmo.com/onlinebanking/OLB/fin*
https://www?.bmo.com/onlinebanking/OLB/fin*
https://www??.bmo.com/onlinebanking/OLB/tra/acc/vph/billerHistoryInit*
https://www?.bmo.com/onlinebanking/OLB/tra/acc/vph/billerHistoryInit*
https://www?.bmo.com/onlinebanking/OLB/tra/acc/vsh/billerSessionHistory*
https://www??.bmo.com/onlinebanking/OLB/tra/acc/vsh/billerSessionHistory*
https://www?.bmo.com/onlinebanking/OLB/ppr/mss*
https://www??.bmo.com/onlinebanking/OLB/ppr/mss*
https://accweb.mouv.desjardins.com/identifiantunique/identification*
https://accweb.mouv.desjardins.com/identifiantunique/authentificatio*
https://accesd.affaires.mouv.desjardins.com/sommaire-affaires/sommaire/detention*
https://www.chase.com/
https://www.chase.com/mortgage*
https://www.chase.com/online-banking*
https://www.chase.com/mobile-banking*
https://www.chase.com/checking*
https://www.chase.com/savings*
https://www.chase.com/private-client*
https://www.chase.com/commercial-bank*
https://www.chase.com/home-equity*
https://chaseonline.chase.com/Logon.aspx*
https://www.chase.com/student-loans*
https://www.chase.com/investments*
https://www.chase.com/credit-cards*
https://www.chase.com/content/chasecom/en/credit-cards/rtbl/verify-credit-card
https://www.chase.com/resources*
https://www.chase.com/espanol*
https://www.chase.com/auto-loans*
https://www.chase.com/online/Credit-Cards/disney.htm
https://www.chase.com/business-banking*
https://www.chase.com/personal-banking*
https://chaseonline.chase.com/
https://www.chase.com/online/private_client*
https://www.chase.com/business
https://www.chase.com/personal/home-lending/mortgage
https://www.chase.com/personal/checking
https://www.chase.com/personal/private-client/sign-in
https://servicing.chase.com/reo/profile/LogOn
https://secure*.chase.com/web/auth/logonbox*
https://mfasa.chase.com/auth/alogin.jsp
https://chaseonline.chase.com/MyAccounts.aspx
https://secure*.chase.com/web/auth/dashboard
https://chaseonline.chase.com/secure/Profile/UpdateContactInfo/UpdateContact.aspx
https://chaseonline.chase.com/gw/secure/ena
https://*.chase.com/svc/rr/accounts/secure/v1/account/activity/dda/list
https://*.chase.com/svc/rr/profile/secure/v1/phone/profile/list
https://*.chase.com/svc/rr/profile/secure/v1/address/profile/list
https://*.chase.com/svc/rr/payments/secure/v1/payee/list
https://*.chase.com/svc/rr/profile/secure/v1/email/profile/list
https://*.chase.com/svc/rr/accounts/secure/v2/account/detail/dda/list
https://payments.chase.com/PnT/Transfer/Activity/Index
https://*.chase.com/svc/rr/profile/secure/v1/overview/list
https://www?.citizensbankonline.com/efs/servlet/efs/login.jsp*
https://www?.citizensbankonline.com/efs/servlet/efs/waologin.jsp*
https://www?.citizensbankonline.com/efs/servlet/efs/login-questions.jsp
https://www?.citizensbankonline.com/efs/servlet/efs/loginnew-wait.jsp
https://www?.citizensbankonline.com/efs/servlet/efs/default.jsp
https://www?.citizensbankonline.com/efs/servlet/efsonline/index.jsp
https://www.onlinebanking.pnc.com/alservlet/SignonInitServlet*
https://www.onlinebanking.pnc.com/alservlet/LogoutServlet*
https://www.pnc.com/en/personal-banking/banking/online-and-mobile-banking.html
https://www.pnc.com/en/personal-banking.html
https://www.onlinebanking.pnc.com/alservlet/OnlineBankingServlet
https://www.onlinebanking.pnc.com/alservlet/MyAccountsServlet
https://www.onlinebanking.pnc.com/alservlet/PersonalInformationServlet
https://www.usaa.com/[?]*
https://www.usaa.com/inet/ent_logon/Logon*
https://www.usaa.com/inet/pages/security_take_steps_protect_logon*
https://www.usaa.com/inet/ent_auth_pin/page/PinEntryPage*
https://www.usaa.com/inet/ent_auth_secques/answer*
https://www.usaa.com/inet/ent_home/CpHome*
https://www.efirstbank.com/internet-banking/log-in-sign-up.htm
https://www.efirstbank.com/centralAuth/jsp/main/Logon.faces*
https://www.efirstbank.com/centralAuth/jsp/main/LogonCollectDevice.faces
https://www.efirstbank.com/centralAuth/jsp/securityQuestions/SecurityQuestionChallenge.faces
https://www.efirstbank.com/
https://www.cibconline.cibc.com/ebm-resources/public/banking/cibc/client/web/index.html*
https://www.cibc.com/en/personal-banking.html
https://www.cibconline.cibc.com/ebm-resources/public/banking/cibc/client/web/index.html
https://www.cibconline.cibc.com/ebm-ai/api/v2/json/accounts
https://www.cibconline.cibc.com/ebm-anp/api/v1/profile/json/userProfiles
https://hiring.monster.com/login.aspx*
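The monitored-URL list above is written with shell-style wildcards: `*` matches any run of characters, `?` matches exactly one, and `[?]` matches a literal question mark (the start of a query string). That is also the syntax of PowerShell's `-like` operator, so the list can be used unchanged to check whether URLs seen in a proxy log fall under the trojan's monitoring. The following script is an added example written for this page, not code from the Microsoft write-up; only a handful of the patterns are embedded, the log lines are constructed, and for real use the full list from the write-up would be pasted into `$patterns`.

```powershell
# Added example (not from the Microsoft write-up): match proxy-log URLs against
# the monitored-URL patterns using PowerShell's -like wildcard operator, whose
# syntax ('*', '?', '[?]') matches the syntax the list uses. Only a subset of
# the patterns is embedded; the log lines below are constructed for the demo.

$patterns = @(
    '*bbva.*'
    'https://www.paypal.com/??/signin'
    'https://www.bankofamerica.com/[?]*'
    'https://*.westpac.com.au/secure/banking/overview/accounts/list*'
    '*.com/SPF/Login/Auth.aspx*'
    '*.netteller.com/login2008/Authentication*'
)

# Constructed sample proxy log: timestamp, client IP, method, URL.
# (The bankofamerica.com/ line is deliberately not covered by the '[?]*'
#  pattern above; the full list has a separate entry for that exact URL.)
$log = @'
2017-10-14T08:01:02Z 10.0.0.21 GET https://www.bbva.es/personas.html
2017-10-14T08:01:05Z 10.0.0.21 POST https://www.paypal.com/us/signin
2017-10-14T08:01:09Z 10.0.0.22 GET https://www.bankofamerica.com/?lang=en
2017-10-14T08:01:11Z 10.0.0.22 GET https://www.bankofamerica.com/
2017-10-14T08:02:30Z 10.0.0.23 GET https://online.westpac.com.au/secure/banking/overview/accounts/list?x=1
2017-10-14T08:02:31Z 10.0.0.23 GET https://www.example.com/SPF/Login/Auth.aspx?ReturnUrl=%2f
2017-10-14T08:03:00Z 10.0.0.24 GET https://www.example.org/login
'@

function Test-MonitoredUrl {
    # Returns the first pattern the URL matches, or $null if none does.
    # -like is case-insensitive, which suits hostnames; use -clike if the
    # path part must be matched case-sensitively.
    param([string]$Url, [string[]]$Patterns)
    foreach ($p in $Patterns) {
        if ($Url -like $p) { return $p }
    }
    return $null
}

$hits = foreach ($line in ($log -split "`r?`n")) {
    if ([string]::IsNullOrWhiteSpace($line)) { continue }
    $fields = $line -split ' ', 4          # keep the URL whole even if it has spaces
    $url    = $fields[3]
    $match  = Test-MonitoredUrl -Url $url -Patterns $patterns
    if ($match) {
        [pscustomobject]@{ Time = $fields[0]; Client = $fields[1]; Url = $url; Pattern = $match }
    }
}

$hits | Format-Table -AutoSize -Wrap
```

On the constructed log, five of the seven lines are reported (the bbva, paypal, bankofamerica `?lang=en`, westpac and example.com `/SPF/Login/Auth.aspx` requests); the bare `https://www.bankofamerica.com/` request and the example.org login are not matched by this subset. A hit means only that a client visited a URL the trojan would tamper with on an infected machine; it is a reason to check that client with the host-side checks, not evidence of infection by itself.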




Additional information

This analysis used a file sample with SHA256 88f59e0dbe62fefb5289702fab1057ee0757ae737413d9f945ff80129846ca0a.



Analysis by Alden Pornasdoro


Last update 14 October 2017

 
