VirusW32/Stawin.A!tr
Analysis
- Trojan is 32 bit with a compressed file size of
3,792 bytes
- Trojan may have been introduced to the compromised
system from a spammed email message sent maliciously,
as an email attachment named "message.zip"
- within "message.zip" was the binary "message.exe"
- If the Trojan binary is executed, it will copy
itself and another file into the Windows folder -
c:\WINNT\HookerDll.Dll (4,608 bytes)
c:\WINNT\MESSAGE.EXE (3,792 bytes)
-
The file "HookerDll.Dll" is coded to trap keystrokes and passwords into a file on the local system - this is done by making use of imports from key dynamic link library files:
KERNEL32.DLL - obtain Windows directory path, create file
USER32.DLL - hook keyboard, read clipboard
-
The Trojan component "HookerDll.Dll" is coded to capture logon credentials related to certain financial websites, if any of the strings match the list below -
Westpac <- New Zealand financial company
ANZ <- Australian financial company
bendigo <-Australian bank
Bendigo <-Australian bank
e-bendigo <-Australian bank
e-Bendigo <-Australian bank
commbank <- Australian bank
Commonwealth <- Australian bank
NetBank <- online bank
Citibank <- online bank
e-gold <- Internet payment service
e-bullion <- Internet payment service
e-Bullion <- Internet payment service
evocash <- Internet payment service
EVOCash <- Internet payment service
EVOcash <- Internet payment service
intgold <- Internet payment service
INTGold <- Internet payment service
paypal <- Internet payment service
PayPal <- Internet payment service
bankwest <- Online banking
Bank West <- Online banking
BankWest <- Online banking
National <- Online banking
cibc <- Online banking
CIBC <- Online banking
scotiabank <- Canadian online banking
ScotiaBank <- Canadian online banking
Scotia Bank <- Canadian online banking
bmo <- Canadian online banking
BMO <- Canadian online banking
bank of montreal <- Canadian online banking
Bank of Montreal <- Canadian online banking
royalbank <- Canadian online banking
Royal Bank <- Canadian online banking
RoyalBank <- Canadian online banking
tdcanadatrust <- Canadian online banking
TD Canada Trust <- Canadian online banking
TDCanadaTrust <- Canadian online banking
president's choice <- Canadian online banking
President's Choice <- Canadian online banking
President Choice <- Canadian online banking
suncorpmetway <- Australian online banking
Suncorp <- Australian online banking
macquarie <- Australian online banking
Macquarie <- Australian online banking
INTgold <- Internet payment service
1mdc <- Internet banking service
1MDC <- Internet banking service
bank <- Internet banking service
Bank <- Internet banking service
goldmoney <- Internet banking service
GoldMoney <- Internet banking service
goldgrams <- Internet banking service
pecunix <- Internet banking service
Pecunix <- Internet banking service
Pecun!x <- Internet banking service
hyperwallet <- Internet banking service
HyperWallet <- Internet banking service
-
The Trojan will auto run at Windows logon after it first adds a key to the registry as in this example -
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
"OLE" = C:\WINNT\message.exe
Recommended Action
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option
Telemetry
Detection Availability
| FortiGate | |
|---|---|
| Extended | |
| FortiClient | |
| FortiMail | |
| FortiSandbox | |
| FortiWeb | |
| Web Application Firewall | |
| FortiIsolator | |
| FortiDeceptor | |
| FortiEDR |