
Infostealer.Poshook


First posted on 25 December 2015.
Source: Symantec

Aliases :

There are no other names known for Infostealer.Poshook.

Explanation :

Once executed, the Trojan creates the following files:
%UserProfile%\Application Data\Resourcing\lsmon.exe
%UserProfile%\Application Data\Resourcing\ntfd.dat
%UserProfile%\Application Data\svchost.exe
%UserProfile%\Application Data\system.pif
The Trojan creates the following registry entry so that it runs every time Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Memory Resource" = %UserProfile%\Application Data\Resourcing\lsmon.exe
Next, the Trojan modifies the following registry entry. Zone 3 is the Internet Explorer Internet zone and URL action 1806 is "Launching applications and unsafe files"; setting it to 0 (Enabled) suppresses the security prompt when files downloaded from the Internet zone are launched:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\"1806" = "0"
The Trojan then performs a DNS query for the following domain:
power-uping.com
The Trojan then uses the IP address returned from the DNS query and adds the following entries to the Windows hosts file:
[IP ADDRESS FROM QUERY] inf1nix.com
[IP ADDRESS FROM QUERY] www.inf1nix.com
The Trojan then reads the memory of running processes on the compromised computer for payment card track data.

The Trojan then sends the stolen data to the following remote location:
inf1nix.com/rxcx.php
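The three host-based indicators above (the "Memory Resource" Run value pointing at Resourcing\lsmon.exe, the zone 3 "1806" = 0 change, and the inf1nix.com hosts-file pins) can be checked offline from a hosts file and a .reg export of the HKCU hive. The following Python script is an added example for this page, not Symantec's tooling or part of the malware; the sample hosts file and registry export it scans are constructed for illustration, and the 203.0.113.45 address is a TEST-NET placeholder standing in for whatever power-uping.com resolved to.

```python
"""Offline triage for the Infostealer.Poshook host indicators (added example)."""

# Indicators taken from the write-up above.
SUSPICIOUS_HOSTS = {"inf1nix.com", "www.inf1nix.com"}
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "Memory Resource"
RUN_IMAGE_TAIL = r"\resourcing\lsmon.exe"
ZONE3_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
             r"\Internet Settings\Zones\3")

# Constructed sample inputs (not captured from a real system).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
203.0.113.45    inf1nix.com
203.0.113.45    www.inf1nix.com   # added by the Trojan
"""

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
"Memory Resource"="C:\\Documents and Settings\\alice\\Application Data\\Resourcing\\lsmon.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1806"=dword:00000000
"CurrentLevel"=dword:00011000
"""


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text, ignoring comments and blanks."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        for name in fields[1:]:
            entries.append((fields[0], name.lower()))
    return entries


def flag_hosts(text):
    """Hosts entries that pin the exfiltration domains to a fixed address."""
    return [(ip, host) for ip, host in parse_hosts(text) if host in SUSPICIOUS_HOSTS]


def _decode_reg_data(data):
    """Decode a .reg value: dword:XXXXXXXX -> int, "..." -> unescaped str."""
    data = data.strip()
    if data.startswith("dword:"):
        return int(data[len("dword:"):], 16)
    if data.startswith('"') and data.endswith('"'):
        body, out, i = data[1:-1], [], 0
        while i < len(body):                     # .reg escapes \\ and \" with a backslash
            if body[i] == "\\" and i + 1 < len(body):
                out.append(body[i + 1]); i += 2
            else:
                out.append(body[i]); i += 1
        return "".join(out)
    return data


def parse_reg_export(text):
    """Parse a .reg export into {key_path: {value_name: data}} (named values only)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and line.startswith('"'):
            end = line.find('"=', 1)             # closing quote of the value name
            if end == -1:
                continue
            keys[current][line[1:end]] = _decode_reg_data(line[end + 2:])
    return keys


def flag_registry(text):
    """Findings as (tag, value_name, data) tuples for the Run and zone-3 indicators."""
    keys = parse_reg_export(text)
    findings = []
    for name, data in keys.get(RUN_KEY, {}).items():
        if name == RUN_VALUE_NAME or str(data).lower().endswith(RUN_IMAGE_TAIL):
            findings.append(("run_key", name, data))
    if keys.get(ZONE3_KEY, {}).get("1806") == 0:   # 0 = Enabled: unsafe-file launch prompt off
        findings.append(("zone3_1806", "1806", 0))
    return findings


if __name__ == "__main__":
    for hit in flag_hosts(SAMPLE_HOSTS):
        print("hosts pin:", *hit)
    for hit in flag_registry(SAMPLE_REG):
        print("registry:", *hit)
```

On a live system the same functions can be pointed at `%SystemRoot%\System32\drivers\etc\hosts` and the output of `reg export HKCU\Software\Microsoft\Windows\CurrentVersion hkcu.reg`; the path match on `\Resourcing\lsmon.exe` catches the persistence value even if the value name was changed, and the zone check reads the DWORD as an integer rather than trusting the quoted "0" shown in the write-up.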

Last update 25 December 2015
