Info stealer module leaks process information

October 16, 2015

The Dell SonicWALL Threats Research team has discovered an info stealer Trojan that is possibly a module of a larger botnet crimeware system. The sample analysed here leaks information about the processes currently running on the system and contains functionality to capture desktop screenshots.

Infection cycle:

The Trojan uses the following icon to masquerade as a harmless PDF file:

The Trojan adds the following files to the filesystem:

  • %WINDIR%\ueubupb.hiv (encrypted file)
  • %WINDIR%\wyv.lta (encrypted file)
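A defender-side check for the two dropped files named above, written as an added example for this post rather than anything from SonicWALL: it looks for the file names under %WINDIR% (the path separator after %WINDIR% and the 7.0 bits/byte entropy threshold are assumptions) and uses a Shannon entropy estimate to corroborate the "encrypted file" description, since a plaintext or legitimate data file at the same path would score far lower.

```python
import math
import os
import tempfile
from collections import Counter

# Dropped-file names taken from the advisory; the backslash after %WINDIR% is assumed.
NYMAIM_DROPPED_FILES = ("ueubupb.hiv", "wyv.lta")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte. Encrypted or compressed data approaches 8.0;
    plaintext and most executables sit well below 7.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def find_indicators(windir: str, entropy_threshold: float = 7.0) -> list:
    """Return a record for each advisory file name present under windir,
    flagging whether its content entropy is consistent with encryption."""
    hits = []
    for name in NYMAIM_DROPPED_FILES:
        path = os.path.join(windir, name)
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as fh:
            data = fh.read()
        ent = shannon_entropy(data)
        hits.append({"path": path, "size": len(data), "entropy": round(ent, 2),
                     "looks_encrypted": ent >= entropy_threshold})
    return hits


def demo() -> list:
    """Constructed scenario: a fake %WINDIR% holding one random-byte file (stands in
    for the encrypted drop) and one low-entropy text file (a benign lookalike)."""
    windir = tempfile.mkdtemp()
    with open(os.path.join(windir, "ueubupb.hiv"), "wb") as fh:
        fh.write(os.urandom(4096))
    with open(os.path.join(windir, "wyv.lta"), "wb") as fh:
        fh.write(b"benign text, nothing encrypted here\n" * 100)
    return find_indicators(windir)


if __name__ == "__main__":
    target = os.environ.get("WINDIR", "")
    for hit in (find_indicators(target) if target else demo()):
        print(hit)
```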

The Trojan periodically sends encrypted data to a remote webserver:

During analysis we were able to locate the routine used to encrypt the outgoing data:

It was discovered that the data being sent is a list of running processes on the system:

This Trojan is believed to be part of the Nymaim malware family.

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: Nymaim.AY (Trojan)