Evasive Gootkit Banking Trojan

Severity	Category	Operation	Classification
5/5	Anti Analysis	Tries to detect application sandbox	-
Possibly trying to detect "Threadexpert" by checking for existence of module "dbghelp.dll". ... VTI Actions Go to function call
Possibly trying to detect "Sandboxie" by checking for existence of module "sbiedll.dll". ... VTI Actions Go to function call
5/5	Anti Analysis	Tries to detect virtual machine	-
Reads out system information, commonly used to detect VMs via registry. (Value "SystemBiosVersion" in key "HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System"). ... VTI Actions Go to function call
Reads out system information, commonly used to detect VMs via registry. (Value "VideoBiosVersion" in key "HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System"). ... VTI Actions Go to function call
5/5	Information Stealing	Reads system data	Spyware
Reads Windows license key. ... VTI Actions Go to function call
Reads the Windows installation date from registry. ... VTI Actions Go to function call
5/5	Injection	Writes into the memory of another running process	-
"c:\users\nd9e1fyi\appdata\local\temp\smsvchost32.exe" modifies memory of "c:\program files (x86)\msecache\safari.exe" ... VTI Actions Go to function call
5/5	Network	Sets up server that accepts incoming connections	Backdoor
TCP server listens on port "281". ... VTI Actions Go to function call
TCP server listens on port "402". ... VTI Actions Go to function call
4/5	Network	Associated with known malicious/suspicious URLs	-
URL "http://amd.martatovaglieri.it/upll?26201" is known as malicious URL. ... VTI Actions Go to function call
URL "HTTP://drk.fm604.com/rbody320" is known as malicious URL. ... VTI Actions Go to function call
URL "HTTP://drk.fm604.com/rbody32" is known as malicious URL. ... VTI Actions Go to function call
URL "HTTP://drk.fm604.com/rpersist4/2091998236" is known as malicious URL. ... VTI Actions Go to function call
3/5	Anti Analysis	Delays execution	-
One thread sleeps more than 5 minutes. ... VTI Actions Go to function call
3/5	Browser	Changes security-related browser settings	-
Changes settings for the Security Zone "workspace". ... VTI Actions Go to function call
Changes settings for the Security Zone "local internet". ... VTI Actions Go to function call
Changes settings for the Security Zone "trustworthy sites". ... VTI Actions Go to function call
Changes settings for the Security Zone "internet". ... VTI Actions Go to function call
Changes settings for the Security Zone "restricted sites". ... VTI Actions Go to function call
2/5	Hide Tracks	Writes an unually large amount of data to the registry	-
Hides 512000 byte in "HKEY_CURRENT_USER\Software\AppDataLow\gpscsdch_0". ... VTI Actions Go to function call
Hides 512000 byte in "HKEY_CURRENT_USER\Software\AppDataLow\gpscsdch_1". ... VTI Actions Go to function call
Hides 512000 byte in "HKEY_CURRENT_USER\Software\AppDataLow\gpscsdch_2". ... VTI Actions Go to function call
Hides 512000 byte in "HKEY_CURRENT_USER\Software\AppDataLow\gpscsdch_3". ... VTI Actions Go to function call
Hides 512000 byte in "HKEY_CURRENT_USER\Software\AppDataLow\gpscsdch_4". ... VTI Actions Go to function call
Hides 512000 byte in "HKEY_CURRENT_USER\Software\AppDataLow\gpscsdch_5". ... VTI Actions Go to function call
Hides 512000 byte in "HKEY_CURRENT_USER\Software\AppDataLow\gpscsdch_6". ... VTI Actions Go to function call
Hides 350258 byte in "HKEY_CURRENT_USER\Software\AppDataLow\gpscsdch_7". ... VTI Actions Go to function call
Hides 4075 byte in "HKEY_CURRENT_USER\SOFTWARE\Microsoft\{7ade5bfc-66f6-4220-aa24-6032bdb90317}". ... VTI Actions Go to function call
Hides 31817 byte in "HKEY_CURRENT_USER\SOFTWARE\Microsoft\{102f49a9-80c9-42ee-8924-3256738fc621}". ... VTI Actions Go to function call
2/5	Network	Performs DNS request	-
Resolves host name "xmpp.dolcesognar.it". ... VTI Actions Go to function call
Resolves host name "localhost". ... VTI Actions Go to function call
2/5	Network	Downloads data	Downloader
URL "http://amd.martatovaglieri.it/upll?26201". ... VTI Actions Go to function call
URL "HTTP://drk.fm604.com/rbody320". ... VTI Actions Go to function call
URL "HTTP://drk.fm604.com/rbody32". ... VTI Actions Go to function call
URL "HTTP://drk.fm604.com/rpersist4/2091998236". ... VTI Actions Go to function call
URL "HTTP://xmpp.dolcesognar.it/rbody320". ... VTI Actions Go to function call
URL "HTTP://xmpp.dolcesognar.it/rpersist4/1197631235". ... VTI Actions Go to function call
URL "HTTP://spop.lestanzedifederica.com/rpersist4/1197631235". ... VTI Actions Go to function call
URL "HTTP://arb.palaser.eu/rpersist4/1197631235". ... VTI Actions Go to function call
URL "HTTP://gttopr.space/rpersist4/1197631235". ... VTI Actions Go to function call
2/5	Network	Connects to HTTP server	-
URL "drk.fm604.com/rbody320". ... VTI Actions Go to function call
URL "drk.fm604.com/rbody32". ... VTI Actions Go to function call
URL "http://amd.martatovaglieri.it/upll?26201". ... VTI Actions Go to function call
URL "xmpp.dolcesognar.it/rpersist4/1197631235". ... VTI Actions Go to function call
URL "spop.lestanzedifederica.com/rpersist4/1197631235". ... VTI Actions Go to function call
URL "arb.palaser.eu/rpersist4/1197631235". ... VTI Actions Go to function call
URL "gttopr.space/rpersist4/1197631235". ... VTI Actions Go to function call
URL "xmpp.dolcesognar.it/rbody320". ... VTI Actions Go to function call
URL "drk.fm604.com/rpersist4/2091998236". ... VTI Actions Go to function call
2/5	PE	Drops PE file	Dropper
Drops file "C:\Users\Nd9E1FYi\AppData\Local\Temp\tmp8C77.tmp". ... VTI Actions Go to file details Go to function call
Drops file "C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe". ... VTI Actions Go to file details Go to function call
2/5	PE	Executes dropped PE file	-
Executes dropped file "C:\Users\Nd9E1FYi\AppData\Local\Temp\tmp8C77.tmp". ... VTI Actions Go to file details Go to function call
Executes dropped file "C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe". ... VTI Actions Go to file details Go to function call
1/5	Process	Creates system object	-
Creates mutex with name "Global\PowerShell_CommandAnalysis_Lock_S-1-5-21-2172869166-1497266965-2109836178-1000". ... VTI Actions Go to function call
Creates mutex with name "ServiceEntryPointThread". ... VTI Actions Go to function call
1/5	Process	Overwrites code	-
Overwrites code to possibly hide behavior. ... VTI Actions Go to hook information
1/5	Network	Connects to remote host	-
Outgoing TCP connection to host "109.230.199.30:443". ... VTI Actions Go to function call

Notifications (2/2)

Before

After