Back to Posts

IMG_\d+_\d+.js drops banking trojan

Posted in javascript, trojan

IMG_xxxxxxxx_xxxxxxx.js drops Bancos/Bolek

Payload: IMG_68794206_0521890.js Link

Detection ratio: 1 / 54

MD5: 90e2a4aef9d5c49198b514005c4ffe85
SHA1: a499e2a8b842997b576d056e4e77bbd014c45a94
SHA256: 510d9815b6f267a1bbf13da0b4a7005be21698a24dcfc6895b56f8515c0e557f
File type: JavaScript

image-title-here


JavaScript Downloads a Win32 DLL from the following location:

hxxp://hajunina.hopto[.]org/l/93b55ff7de2284434cd58f34dbc122e171ca558b (62.108.37.204)

image-title-here xor and request function

image-title-here payload request



Network Signatures:
[1:2018216:2] ET INFO HTTP Connection To DDNS Domain Hopto.org
[1:2000419:22] ET POLICY PE EXE or DLL Windows file download
[1:2022053:2] ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2
[1:2022888:3] ET TROJAN Malicious SSL Certificate Detected (Bancos C2)
[1:2022889:2] ET TROJAN Bolek HTTP Checkin



Payload: TopGater.dll Link

Detection ratio: 9 / 56

MD5: 7a0655ac9cfeccc147432564d9d3148f
SHA1: 4298655284311b946d9431830af8c681369666b7
SHA256: 64f01cb3eccaab99ca212a24a32720970e78b30baff2d34ab39a6e9cb4ef2acd
File type: Win32 DLL

image-title-here


image-title-here Bolek HTTP Checkin


associated files:
payloads.zip
traffic.zip

This website focuses on the latest malware, exploit kits, spam and phishing attacks that are seen in the wild. Inspired by @malware_traffic, @BroadAnalysis and @malwareforme

Read Next

TCKT+xxxxxx.vbs drops Locky DLL(s)