Artemis.A, New InfoStealer in the Wild.

January 26, 2017

The SonicWall Threats Research team has observed reports of a new InfoStealer family, detected as GAV: Artemis.A_43, that is actively spreading in the wild.

Artemis gathers confidential information from the infected computer, such as login details, passwords and financial information, and sends it to its own C&C server.

Infection Cycle:

The Malware adds the following files to the system:

  • %Userprofile%\Local Settings\Temp\bWJgVKbnTS6wTt4QCOE6hTQ9fb1Sv1yGIXx.exe

    • Detected as GAV: Artemis.A_43 (Trojan)

  • %Userprofile%\Local Settings\Temp\Trojan.exe

    • Detected as GAV: Artemis.A_43 (Trojan)

  • %Userprofile%\Local Settings\Temp\Trojan.exe.tmp

    • Trojan.exe.tmp [keylogger data]

The Malware adds the following keys to the Windows registry to ensure that the Trojan runs during startup:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2

    • "%Userprofile%\Local Settings\Temp\Trojan.exe"

  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2

    • "%Userprofile%\Local Settings\Temp\Trojan.exe"

Once the computer is compromised, the malware copies its own executable files into the user profile folder.
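The dropped files and Run-key entries listed above are the host-side indicators a responder would sweep for. The following script is an added example written for this page, not SonicWall's own tooling: it checks a list of Run-key values and file paths against those indicators and, as a generic rule, flags any Run entry that launches an executable from the Local Settings\Temp folder. The sample entries are constructed; on a Windows host the optional winreg collector reads the live keys.

```python
import re

# Indicators taken from the advisory: the Run value name and the dropped file names.
RUN_VALUE_NAME = "5cd8f17f4086744065eb0992a09e05a2"
RUN_KEY_SUFFIX = r"software\microsoft\windows\currentversion\run"
DROPPED_NAMES = {
    "bwjgvkbnts6wtt4qcoe6htq9fb1sv1ygixx.exe",
    "trojan.exe",
    "trojan.exe.tmp",
}
# Generic rule: an autorun entry that starts an .exe out of the user's Temp folder.
TEMP_EXE = re.compile(r"local settings\\temp\\[^\\]+\.exe", re.IGNORECASE)


def flag_run_entries(entries):
    """entries: iterable of (key_path, value_name, data). Returns [(reason, entry)]."""
    hits = []
    for key_path, value_name, data in entries:
        if not key_path.lower().rstrip("\\").endswith(RUN_KEY_SUFFIX):
            continue  # only Run keys are of interest here
        cleaned = data.strip().strip('"')
        if value_name.lower() == RUN_VALUE_NAME:
            hits.append(("artemis-run-value-name", (key_path, value_name, data)))
        elif TEMP_EXE.search(cleaned):
            hits.append(("exe-launched-from-temp", (key_path, value_name, data)))
    return hits


def flag_dropped_files(paths):
    """Return the paths whose name and Temp location match the advisory's dropped files."""
    hits = []
    for p in paths:
        low = p.lower().replace("/", "\\")
        if "\\local settings\\temp\\" in low and low.rsplit("\\", 1)[-1] in DROPPED_NAMES:
            hits.append(p)
    return hits


def collect_run_entries():
    """Read the live HKCU/HKLM Run keys on Windows; returns [] elsewhere."""
    try:
        import winreg
    except ImportError:
        return []
    sub = r"Software\Microsoft\Windows\CurrentVersion\Run"
    entries = []
    for hive_name, hive in (("HKCU", winreg.HKEY_CURRENT_USER),
                            ("HKLM", winreg.HKEY_LOCAL_MACHINE)):
        try:
            key = winreg.OpenKey(hive, sub)
        except OSError:
            continue
        with key:
            i = 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, i)
                except OSError:
                    break  # no more values
                entries.append((hive_name + "\\" + sub, name, str(data)))
                i += 1
    return entries


# Constructed sample data (not from a real host).
SAMPLE_RUN_ENTRIES = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", RUN_VALUE_NAME,
     r'"%Userprofile%\Local Settings\Temp\Trojan.exe"'),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", RUN_VALUE_NAME,
     r'"%Userprofile%\Local Settings\Temp\Trojan.exe"'),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Updater",
     r'"C:\Documents and Settings\bob\Local Settings\Temp\svc_update.exe"'),
]
SAMPLE_FILES = [
    r"C:\Documents and Settings\alice\Local Settings\Temp\Trojan.exe.tmp",
    r"C:\Documents and Settings\alice\Local Settings\Temp\notes.txt",
    r"C:\Windows\System32\cmd.exe",
]

if __name__ == "__main__":
    for reason, entry in flag_run_entries(collect_run_entries() or SAMPLE_RUN_ENTRIES):
        print(reason, entry)
    for path in flag_dropped_files(SAMPLE_FILES):
        print("dropped-file", path)
```

The value-name match is the high-confidence indicator; the Temp-folder rule is deliberately broad and will also surface legitimate installers that persist from Temp, so treat those hits as triage leads rather than verdicts.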

The malware's goal is to collect as much data as possible: the more details about the user that end up in the hands of the remote attacker, the bigger the potential profit.

The malware retrieves a list of running processes and of websites visited by the user and sends it, Base64-encoded, to its own C&C server.

The malware installs a keylogger on the target machine and saves the captured keystrokes to the Trojan.exe.tmp file; here is an example:

The malware gathers data such as the following:

  • COMPUTERNAME

  • USERNAME

  • Date

  • Windows version

Command and Control (C&C) Traffic

Artemis performs its C&C communication over port 1177.

The malware sends the computer information to its own C&C server in the following format; here is an example:
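The two network facts the advisory gives, a fixed port of 1177 and Base64-encoded host information, are enough to build a first-pass detection. The script below is an added example written for this page and is not part of the advisory: it classifies a captured flow by destination port and by whether its payload is well-formed Base64 that decodes to text containing at least two of the collected fields (COMPUTERNAME, USERNAME, Date, Windows version). The beacon layout in the constructed sample is assumed; the advisory does not publish the real format, and the marker check will also fire on other Base64 text that happens to carry the same field names.

```python
import base64
import binascii
import re

ARTEMIS_PORT = 1177
# Field names the advisory says the stealer collects; used as markers in decoded content.
HOST_INFO_MARKERS = ("COMPUTERNAME", "USERNAME", "Windows", "Date")
MIN_MARKERS = 2  # a single generic word such as "Date" is not enough on its own
B64_SHAPE = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")


def decode_base64_payload(payload: bytes):
    """Return decoded bytes if payload is well-formed Base64, else None."""
    body = payload.strip()
    if len(body) < 8 or len(body) % 4 or not B64_SHAPE.match(body):
        return None
    try:
        return base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return None


def classify_flow(dst_port, payload):
    """Return the reasons a flow resembles Artemis C&C traffic ([] if none)."""
    reasons = []
    if dst_port == ARTEMIS_PORT:
        reasons.append("dst-port-1177")
    decoded = decode_base64_payload(payload)
    if decoded is not None:
        text = decoded.decode("utf-8", errors="replace")
        found = [m for m in HOST_INFO_MARKERS if m in text]
        if len(found) >= MIN_MARKERS:
            reasons.append("base64-host-info:" + ",".join(found))
    return reasons


def scan_flows(flows):
    """flows: iterable of (dst_port, payload). Returns [(index, reasons)] for hits only."""
    return [(i, r) for i, (port, payload) in enumerate(flows) if (r := classify_flow(port, payload))]


# Constructed beacon in an assumed key=value layout (the real format is not published).
_PLAINTEXT = (b"COMPUTERNAME=WS-0042|USERNAME=alice|Date=2017-01-26|"
              b"Windows version=5.1|PROCS=explorer.exe,iexplore.exe")
SAMPLE_FLOWS = [
    (1177, base64.b64encode(_PLAINTEXT)),          # port and content both match
    (443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1"),  # constructed TLS fragment, benign
    (1177, b"GET / HTTP/1.1\r\n"),                 # right port, but not a beacon
    (8080, base64.b64encode(b"hello world")),      # Base64, but no host information
]

if __name__ == "__main__":
    for index, reasons in scan_flows(SAMPLE_FLOWS):
        print(f"flow {index}: {', '.join(reasons)}")
```

On a real sensor the port-only hit is the weaker signal, since port 1177 is also used by unrelated software; the decoded-content match is what raises confidence, and both together are what a blocking rule should key on.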

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: Artemis.A_43 (Trojan)