
PWS:Win32/Sinowal


First posted on 02 April 2019.
Source: Microsoft

Aliases :

There are no other names known for PWS:Win32/Sinowal.

Explanation :

PWS:Win32/Sinowal is a multi-component trojan that steals credentials and sends them, together with details about the affected computer, to remote servers.

Installation

When run, PWS:Win32/Sinowal creates the mutexes "stsvcmut" and "stsvcsmut". It drops the following files:

%ProgramFiles%\Common Files\Microsoft Shared\Web Folders\ibm00001.dll - detected as TrojanSpy:Win32/Small
%ProgramFiles%\Common Files\Microsoft Shared\Web Folders\ibm00002.dll - detected as PWS:Win32/Sinowal
%ProgramFiles%\Common Files\Microsoft Shared\Web Folders\ibm00001.exe - detected as PWS:Win32/Sinowal; loads "ibm00001.dll"

The registry is modified to run the trojan component "ibm00001.exe" at each Windows start.

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "Shell"
From data: "explorer.exe"
To data: "explorer.exe "%ProgramFiles%\Common Files\Microsoft Shared\Web Folders\ibm00001.exe""

In some samples, PWS:Win32/Sinowal may create a copy of itself as the following:

%TEMP%\clean_.dll - the file name contains a random string, for example "clean_25bc2.dll"

It then configures this dropped copy to be loaded as a service DLL by the legitimate Windows process "svchost.exe", so that the trojan's code runs inside a trusted host process rather than as a separate executable.

It also creates an entry for its dropped copy in the system registry so that it runs as a service:

In subkey: HKLM\SYSTEM\ControlSet001\Services\ldrsvc\Parameters
Sets value: "ServiceDll"
With data: "%TEMP%\clean_25bc2.dll"
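As an added example (not from the original write-up or from Microsoft), the following Python script checks registry data collected from a suspect host for the two persistence changes described above: a Winlogon "Shell" value that launches an extra program after explorer.exe, and a ServiceDll that points into a temp directory. The registry values are passed in as plain strings (for example parsed from an exported hive), so it runs offline; the sample values, the helper names and the list of trusted DLL directories are this example's own assumptions.

```python
import ntpath
import re

# Expected legitimate Winlogon Shell program.
EXPECTED_SHELL = "explorer.exe"
# File names dropped under %ProgramFiles%\Common Files\Microsoft Shared\Web Folders
# (from the write-up above).
SINOWAL_DROP_NAMES = {"ibm00001.dll", "ibm00002.dll", "ibm00001.exe"}
# Where a legitimate ServiceDll normally lives (assumption for this example;
# lower-case, both unexpanded and expanded forms).
TRUSTED_DLL_DIRS = (r"%systemroot%\system32", r"c:\windows\system32")
# Markers that the DLL lives in a temp location, as Sinowal's clean_*.dll does.
TEMP_MARKERS = ("%temp%", "\\temp\\", "\\tmp\\")

WINLOGON_SHELL = r"hklm\software\microsoft\windows nt\currentversion\winlogon\shell"
SERVICE_DLL_RE = re.compile(
    r"^hklm\\system\\(?:controlset\d+|currentcontrolset)\\services\\([^\\]+)"
    r"\\parameters\\servicedll$",
    re.IGNORECASE,
)


def shell_tokens(value):
    """Split a Winlogon Shell value into program tokens.

    Windows accepts a comma-separated list of programs here; Sinowal instead
    appends a second, double-quoted path after explorer.exe, so quoted
    strings (which contain spaces) are kept together as one token.
    """
    return [t.strip('"') for t in re.findall(r'"[^"]*"|[^\s,]+', value)]


def check_winlogon_shell(value):
    """Return a list of findings for a Winlogon Shell value; [] means clean."""
    findings = []
    tokens = shell_tokens(value)
    if not tokens or tokens[0].lower() != EXPECTED_SHELL:
        findings.append(f"Shell does not start with {EXPECTED_SHELL}: {value!r}")
    for extra in tokens[1:]:
        name = ntpath.basename(extra).lower()
        if name in SINOWAL_DROP_NAMES:
            findings.append(f"Shell launches known Sinowal component: {extra}")
        else:
            findings.append(f"Shell launches unexpected extra program: {extra}")
    return findings


def check_service_dll(service, dll_path):
    """Return findings for one Services\\<svc>\\Parameters\\ServiceDll value."""
    findings = []
    low = dll_path.strip('"').lower()
    name = ntpath.basename(low)
    if any(marker in low for marker in TEMP_MARKERS):
        findings.append(f"{service}: ServiceDll loads from a temp directory: {dll_path}")
    elif not low.startswith(TRUSTED_DLL_DIRS):
        findings.append(f"{service}: ServiceDll outside System32: {dll_path}")
    # Naming pattern from the write-up: clean_<random hex>.dll
    if re.fullmatch(r"clean_[0-9a-f]+\.dll", name):
        findings.append(f"{service}: ServiceDll name matches Sinowal pattern: {name}")
    return findings


def scan_registry(values):
    """values maps a full registry value path to its data, e.g. as parsed from
    an exported hive. Returns all findings for the two persistence locations."""
    findings = []
    for path, data in values.items():
        if path.lower() == WINLOGON_SHELL:
            findings.extend(check_winlogon_shell(data))
        match = SERVICE_DLL_RE.match(path)
        if match:
            findings.extend(check_service_dll(match.group(1), data))
    return findings


# Constructed sample values mirroring the write-up, plus one legitimate ServiceDll.
SAMPLE_REGISTRY = {
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell":
        'explorer.exe "%ProgramFiles%\\Common Files\\Microsoft Shared\\Web Folders\\ibm00001.exe"',
    r"HKLM\SYSTEM\ControlSet001\Services\ldrsvc\Parameters\ServiceDll":
        r"%TEMP%\clean_25bc2.dll",
    r"HKLM\SYSTEM\ControlSet001\Services\Dnscache\Parameters\ServiceDll":
        r"%SystemRoot%\System32\dnsrslvr.dll",
}

if __name__ == "__main__":
    for finding in scan_registry(SAMPLE_REGISTRY):
        print(finding)
```

The Shell check deliberately tokenizes on quotes rather than splitting on spaces, because the malicious value hides its extra path inside one double-quoted token that contains spaces; a naive split would produce several fragments and miss the appended executable. The ServiceDll check treats a temp-directory location as the strong signal and the clean_ naming as a secondary one, since the file name is sample-specific and may change.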

Payload

Monitors web traffic

PWS:Win32/Sinowal drops an encrypted file with a random file name that contains a list of banking websites, as in the following example:

%windir%\temp\$_2341234.tmp

PWS:Win32/Sinowal hooks various APIs in order to intercept the web traffic made by Firefox and Internet Explorer browsers to those sites. The trojan may also try to capture credentials used by various email programs and FTP clients.

Monitors security windows

PWS:Win32/Sinowal watches for message windows displayed by various security programs and automatically selects the affirmative button (such as "OK") in those windows. This can let the trojan run without interference and contact remote servers unhindered.

Communicates with remote servers

The trojan may contact various remote servers over HTTP, using the user-agent value "User-Agent: Mozilla/4.0". Once connected, it sends various details, such as the operating system version, the IP address and the ports on which it is listening, and the list of stolen credentials. In the wild, this trojan was observed connecting to domains such as the following:

myadib7.com
vermyt7.com
katrin7.com
777level.com

The destination page requested is commonly named "x25.php" within a subdirectory named "gamma".
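As an added example (not from the original write-up or from Microsoft), the following Python script applies the network indicators above to proxy-log lines: the listed domains, the "gamma/x25.php" request path, and the bare "Mozilla/4.0" user-agent. The log format, the indicator weights and the alert threshold are assumptions made for this example; the bare user-agent is deliberately weighted low because other software also sends it, so on its own it only corroborates a domain or path match.

```python
import re
from urllib.parse import urlsplit

# Indicators from the write-up above.
SINOWAL_DOMAINS = {"myadib7.com", "vermyt7.com", "katrin7.com", "777level.com"}
SINOWAL_PATH_RE = re.compile(r"(?:^|/)gamma/x25\.php$", re.IGNORECASE)
SINOWAL_UA = "Mozilla/4.0"  # the bare value, with no browser or OS details after it

# Weights (assumption): a listed domain is strong on its own; the path is specific
# enough to stand alone; the bare user-agent only corroborates, since it is not unique.
WEIGHTS = {"domain": 3, "path": 2, "user-agent": 1}
ALERT_THRESHOLD = 2

# Constructed proxy-log format for this example (not a real product's format):
# <time> <client-ip> <method> <url> <status> "<user-agent>"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')


def score_request(url, user_agent):
    """Return (score, reasons) for one HTTP request."""
    reasons = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host in SINOWAL_DOMAINS or any(host.endswith("." + d) for d in SINOWAL_DOMAINS):
        reasons.append("domain")
    if SINOWAL_PATH_RE.search(parts.path):
        reasons.append("path")
    if user_agent.strip() == SINOWAL_UA:
        reasons.append("user-agent")
    return sum(WEIGHTS[r] for r in reasons), reasons


def scan_log(lines):
    """Parse proxy-log lines and return the requests that reach the alert threshold."""
    hits = []
    for line in lines:
        match = LOG_RE.match(line.strip())
        if not match:
            continue  # malformed line: skip it rather than abort the whole scan
        time, client, method, url, status, ua = match.groups()
        score, reasons = score_request(url, ua)
        if score >= ALERT_THRESHOLD:
            hits.append({"time": time, "client": client, "method": method,
                         "url": url, "score": score, "reasons": reasons})
    return hits


# Constructed sample log: one full match, one benign browser request, one hit on
# the path alone (host is a bare IP, not in the domain list), one benign request
# that happens to send the bare user-agent, and one malformed line.
SAMPLE_LOG = """\
2019-04-02T10:01:12Z 10.0.0.15 GET http://myadib7.com/gamma/x25.php 200 "Mozilla/4.0"
2019-04-02T10:01:30Z 10.0.0.15 GET http://www.example.com/index.html 200 "Mozilla/5.0 (Windows NT 6.1; rv:60.0) Gecko/20100101 Firefox/60.0"
2019-04-02T10:02:05Z 10.0.0.22 POST http://203.0.113.7/gamma/x25.php 200 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
2019-04-02T10:02:40Z 10.0.0.31 GET http://update.example.net/ping 204 "Mozilla/4.0"
this line is not in the expected format
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG.splitlines()):
        print(hit["time"], hit["client"], hit["url"], hit["score"], hit["reasons"])
```

Matching the path independently of the host is what catches the third sample line, where the request goes to a raw IP address that is not on the domain list; matching subdomains with endswith("." + domain) catches hosts such as www.katrin7.com without also matching unrelated names that merely contain the string.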

Analysis by Andrei Florin Saygo

Last update 02 April 2019

 
