Trojan:Win32/Derbit.B
First posted on 26 January 2017.
Source: Microsoft
Aliases:
There are no other names known for Trojan:Win32/Derbit.B.
Explanation:
Installation
This trojan is downloaded by the Donoff trojan downloader family, such as TrojanDownloader:O97M/Donoff. It arrives as an encrypted file with the file extension .kov.
Usually it will be saved to the following path:
- %APPDATA%\Roaming\Iron\feup.kov
A separate PHP script (Trojan:PHP/Derbit.A) decrypts and runs this trojan, then deletes the traces of its presence.
The trojan runs under the name explorer.exe, so it appears in process listings (for example, in Process Explorer) as explorer.exe.
Payload
Collects your login and PC information
This trojan collects your personal information, and information about your PC. We have seen it attempt to collect the following:
- The username and password you use to log in to your PC
- The geographical location of your PC, based on your computer's IP address
- PC information, including whether it is 32- or 64-bit, your username, and the computer name
- The usernames and passwords you use for online banking, and credit card information, by monitoring your web browser
It sends the collected information to a remote server. We have seen it attempt to send to the following:
- hxxp://hadhesusela.com/bdk/gate.php
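The three host and network indicators given in this entry (the .kov drop path under %APPDATA%\Roaming\Iron, a process named explorer.exe running from outside the Windows directory, and the gate.php URL) can be turned into a small triage check. The following Python is an added example written for this page; it is not Microsoft's code and not part of the original entry. The process, file and proxy records it runs over are constructed samples, the genuine explorer.exe locations are assumed to be the default C:\Windows and C:\Windows\SysWOW64, and the defanged hxxp scheme is normalised to http before matching.

```python
"""Triage check for the Derbit.B indicators described in this entry.

Indicator values (drop path, masqueraded process name, C2 host and path)
come from the write-up. All records below are constructed samples, not
real telemetry, and the legitimate explorer.exe directories are assumed.
"""
import ntpath
from dataclasses import dataclass
from urllib.parse import urlparse

# Indicators from the write-up (compared case-insensitively).
DROP_PATH_SUFFIX = r"\roaming\iron\feup.kov"   # %APPDATA%\Roaming\Iron\feup.kov
MASQUERADED_NAME = "explorer.exe"
C2_HOST = "hadhesusela.com"
C2_PATH = "/bdk/gate.php"

# Assumption: where a genuine explorer.exe lives on a default install.
LEGIT_EXPLORER_DIRS = {r"c:\windows", r"c:\windows\syswow64"}


@dataclass
class ProcessRecord:
    """One process as reported by an EDR or Sysmon process-creation event."""
    pid: int
    image_path: str


def suspicious_explorer(proc: ProcessRecord) -> bool:
    """True for a process named explorer.exe that runs outside the Windows directory.

    ntpath is used so Windows paths split correctly on any analysis host.
    """
    directory, name = ntpath.split(proc.image_path.lower())
    return name == MASQUERADED_NAME and directory not in LEGIT_EXPLORER_DIRS


def is_drop_file(path: str) -> bool:
    """True when a file path matches the encrypted payload location from the entry."""
    return path.lower().endswith(DROP_PATH_SUFFIX)


def is_c2_request(url: str) -> bool:
    """True when a proxy-log URL points at the gate script named in the entry.

    Defanged IoC notation (hxxp/hxxps) is normalised so the same check works
    on both raw proxy logs and indicator lists.
    """
    normalised = url.strip().lower()
    if normalised.startswith("hxxp"):
        normalised = "http" + normalised[4:]
    parts = urlparse(normalised)
    return parts.hostname == C2_HOST and parts.path == C2_PATH


def triage(processes, file_paths, proxy_urls):
    """Return a list of "kind:detail" findings for every indicator that matches."""
    findings = []
    for proc in processes:
        if suspicious_explorer(proc):
            findings.append(f"process:{proc.pid}:{proc.image_path}")
    for path in file_paths:
        if is_drop_file(path):
            findings.append(f"file:{path}")
    for url in proxy_urls:
        if is_c2_request(url):
            findings.append(f"c2:{url}")
    return findings


# Constructed sample telemetry: one benign and one suspicious entry of each kind.
SAMPLE_PROCESSES = [
    ProcessRecord(1234, r"C:\Windows\explorer.exe"),
    ProcessRecord(4321, r"C:\Users\alice\AppData\Roaming\Iron\explorer.exe"),
]
SAMPLE_FILES = [
    r"C:\Users\alice\AppData\Roaming\Iron\feup.kov",
    r"C:\Users\alice\Documents\report.docx",
]
SAMPLE_URLS = [
    "http://hadhesusela.com/bdk/gate.php",
    "https://example.com/index.html",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_PROCESSES, SAMPLE_FILES, SAMPLE_URLS):
        print(finding)
```

The process check is deliberately broader than this one family: any explorer.exe image outside the assumed Windows directories is flagged, which also catches other malware that borrows the same name, so expect to review hits rather than treat them as confirmed Derbit.B.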
Additional information
This analysis used a file sample with SHA1 25a16b9306e4216730f417f99dba98fbb9660fa4.
Analysis by Ferdinand Plazo
Last update 26 January 2017