Win64/Vools [Threat Name]

Win64/Vools.B [Threat Variant Name]

Category trojan
Size 405504 B
Detection created Jan 16, 2018
Detection database version 16744
Aliases Trojan.Win32.Agent.qwfofe (Kaspersky)
Short description

Win64/Vools.B is a trojan that steals sensitive information. The trojan attempts to send the gathered information to a remote machine. It is able to spread over the network by exploiting a vulnerability in the operating system.

Installation

The trojan does not create any copies of itself.


The trojan is usually part of other malware with the name Win32/Agent.ZKY or Win64/Agent.JM.


The trojan needs the following file to run:

  • %windir%\System32\NrsDataCache.tlb

This file is an archive that contains malware files.


The trojan extracts the archive content into the following folders:

  • %windir%\SysprepThemes\
  • %windir%\SysprepThemes\Microsoft\

The archive contains the following files:

  • crypt (3596689 B, ZIP)
  • gpu (5427200 B, Win64/CoinMiner.CY)
  • hash (640512 B, Win32/CoinMiner.DN)
  • hash64 (573440 B, Win64/CoinMiner.CS)
  • spoolsv (322560 B, Win32/Vools.A)
  • spoolsv64 (415744 B, Win64/Vools.B)
  • srv (501760 B, Win32/Vools.B)
  • srv64 (630784 B, Win64/Vools.G)
  • crypt\adfw-2.dll (14848 B, Win32/HackTool.Equation.X)
  • crypt\adfw.dll (11264 B, Win32/HackTool.Equation.V)
  • crypt\cnli-0.dll (106496 B, Win32/Exploit.Equation.G)
  • crypt\cnli-1.dll (100864 B, Win32/Exploit.Equation.G)
  • crypt\coli-0.dll (15360 B, Win32/HackTool.Equation.U)
  • crypt\crli-0.dll (17408 B, Win32/HackTool.Equation.U)
  • crypt\dmgd-1.dll (35328 B, Win32/HackTool.Equation.W)
  • crypt\dmgd-4.dll (479744 B, Win32/HackTool.Equation.W)
  • crypt\esco-0.dll (13824 B, Win32/HackTool.Equation.Y)
  • crypt\etch-0.dll (158720 B, Win32/Exploit.Equation.Etch.A)
  • crypt\etchCore-0.x64.dll (179200 B, Win64/Exploit.Equation.EtchCore.A)
  • crypt\etchCore-0.x86.dll (142848 B, Win32/Exploit.Equation.EtchCore.A)
  • crypt\eteb-2.dll (128512 B, Win32/Exploit.Equation.Eteb.A)
  • crypt\etebCore-2.x64.dll (141824 B, Win64/Exploit.Equation.EtebCore.A)
  • crypt\etebCore-2.x86.dll (112640 B, Win32/Exploit.Equation.EtebCore.A)
  • crypt\Eternalblue-2.2.0.fb (503 B)
  • crypt\Eternalchampion-2.0.0.fb (1118 B)
  • crypt\exma-1.dll (10240 B, Win32/HackTool.Equation.U)
  • crypt\exma.dll (6144 B, Win32/HackTool.Equation.Z)
  • crypt\iconv.dll (22016 B, Win32/HackTool.Equation.AA)
  • crypt\libcurl.dll (212480 B, Win32/Exploit.Equation.G)
  • crypt\libeay32.dll (903168 B, Win32/HackTool.Equation.AB)
  • crypt\libiconv-2.dll (970393 B)
  • crypt\libxml2.dll (826368 B, Win32/HackTool.Equation.AI)
  • crypt\out.dll (132096 B, Win64/Vools.C)
  • crypt\pcla-0.dll (337408 B, Win32/HackTool.Equation.C)
  • crypt\pcre-0.dll (146432 B, Win32/HackTool.Equation.AJ)
  • crypt\pcrecpp-0.dll (32768 B, Win32/HackTool.Equation.AK)
  • crypt\pcreposix-0.dll (9728 B, Win32/HackTool.Equation.AL)
  • crypt\posh-0.dll (11264 B, Win32/HackTool.Equation.AN)
  • crypt\posh.dll (6656 B, Win32/HackTool.Equation.AM)
  • crypt\pytrch.py (38209 B)
  • crypt\pytrch.pyc (49695 B)
  • crypt\riar-2.dll (32768 B, Win32/HackTool.Equation.AG)
  • crypt\riar.dll (16384 B, Win32/HackTool.Equation.AH)
  • crypt\spoolsv.exe (45568 B, Win32/Equation.DoublePulsar.A)
  • crypt\spoolsv.xml (4449 B)
  • crypt\ssleay32.dll (184320 B, Win32/HackTool.Equation.AO)
  • crypt\svchost.exe (129024 B, Win32/Exploit.Equation.EternalBlue.A)
  • crypt\svchost.xml (2840 B)
  • crypt\tibe-1.dll (233472 B, Win32/Exploit.Equation.F)
  • crypt\tibe-2.dll (237568 B, Win32/Exploit.Equation.F)
  • crypt\tibe.dll (270336 B, Win32/Exploit.Equation.B)
  • crypt\trch-0.dll (73728 B, Win32/HackTool.Equation.AE)
  • crypt\trch-1.dll (59904 B, Win32/HackTool.Equation.U)
  • crypt\trch.dll (49664 B, Win32/HackTool.Equation.AF)
  • crypt\trfo-0.dll (45056 B, Win32/HackTool.Equation.AC)
  • crypt\trfo-2.dll (29696 B, Win32/HackTool.Equation.U)
  • crypt\trfo.dll (38400 B, Win32/HackTool.Equation.AD)
  • crypt\tucl-1.dll (9216 B, Win32/HackTool.Equation.U)
  • crypt\tucl.dll (6144 B, Win32/HackTool.Equation.AP)
  • crypt\ucl.dll (58368 B, Win32/HackTool.Equation.AQ)
  • crypt\x64.dll (175104 B, Win64/Agent.JM)
  • crypt\x86.dll (148992 B, Win32/Agent.ZKY)
  • crypt\xdvl-0.dll (32256 B, Win32/HackTool.Equation.U)
  • crypt\zibe.dll (262144 B, Win32/Exploit.Equation.G)
  • crypt\zlib1.dll (60416 B)
  • crypt\_pytrch.pyd (153600 B)

Spreading

Win64/Vools.B is a trojan that spreads over the network by exploiting a vulnerability in the operating system.


The trojan generates various IP addresses to probe.


It connects to the remote machines on TCP port 445 in an attempt to exploit the Microsoft Server Message Block (SMB) vulnerability.


This vulnerability is described in Microsoft Security Bulletin MS17-010.


If the exploit succeeds, a copy of the trojan is retrieved from the attacking machine.
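The network footprint of the spreading behaviour described above is one source address fanning out to many distinct hosts on TCP/445 in a short time. The following detection logic is an added example for this page, not code from the original entry or from the malware: it reads constructed flow records (timestamp, source, destination, port, protocol) and reports sources that reach a threshold of distinct port-445 targets inside a sliding window. The record format, the threshold of 20 hosts per 60 seconds and the sample addresses are assumptions made for the example.

```python
"""Flag hosts that fan out to many distinct destinations on TCP/445 in a short window,
the network footprint of the MS17-010 spreading behaviour described above."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

SMB_PORT = 445  # the port the trojan probes


def parse_flows(text):
    """Parse constructed flow lines of the form '<iso-timestamp> <src> <dst> <dport> <proto>'."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, proto = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport), proto.lower()))
    return flows


def find_smb_scanners(flows, threshold=20, window_seconds=60):
    """Return {src: peak_distinct_targets} for every source that reached at least
    `threshold` distinct hosts on TCP/445 inside some window of `window_seconds`.

    Fan-out is measured per source, so a file server that receives port 445 from
    many clients is not flagged; a single host sweeping a subnet is.
    """
    window = timedelta(seconds=window_seconds)
    by_src = defaultdict(list)
    for ts, src, dst, dport, proto in flows:
        if dport == SMB_PORT and proto == "tcp":
            by_src[src].append((ts, dst))

    hits = {}
    for src, events in by_src.items():
        events.sort()
        in_window = Counter()  # distinct destinations currently inside the sliding window
        left = 0
        peak = 0
        for ts, dst in events:
            in_window[dst] += 1
            # slide the left edge forward until every event in the window is recent enough
            while ts - events[left][0] > window:
                old_dst = events[left][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            hits[src] = peak
    return hits


def build_sample_flows():
    """Constructed sample traffic (not from the page): one sweeping host among normal activity."""
    base = datetime(2018, 1, 16, 10, 0, 0)
    lines = []
    # a worm-infected workstation hitting 30 neighbours on 445 within 30 seconds
    for i in range(30):
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} 10.0.5.23 10.0.5.{100 + i} 445 tcp")
    # five clients mapping a share on the file server 10.0.5.2 (many sources, one target)
    for i in range(5):
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} 10.0.5.{10 + i} 10.0.5.2 445 tcp")
    # ordinary web traffic from the infected host, ignored because it is not port 445
    lines.append(f"{base.isoformat()} 10.0.5.23 203.0.113.10 80 tcp")
    # an admin host touching 25 machines on 445 spread over a day: below the windowed threshold
    for i in range(25):
        lines.append(f"{(base + timedelta(hours=i)).isoformat()} 10.0.5.77 10.0.6.{i + 1} 445 tcp")
    return "\n".join(lines)


if __name__ == "__main__":
    for src, peak in find_smb_scanners(parse_flows(build_sample_flows())).items():
        print(f"{src}: {peak} distinct hosts on 445 within 60 s")
```

The window matters: the same 25 targets spread across a day are ordinary administration, while 30 targets in 30 seconds is a sweep. Tune the threshold to the size of the subnets a legitimate host in the environment can be expected to reach on 445.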

Information stealing

Win64/Vools.B is a trojan that steals sensitive information.


The following information is collected:

  • operating system version
  • CPU information
  • amount of operating memory
  • installed Microsoft Windows patches
  • network adapter information
  • list of running processes
  • list of active TCP and UDP connections
  • list of files/folders on a specific drive
  • MAC address
  • computer IP address

The trojan attempts to send gathered information to a remote machine.


The trojan contains a list of two URL addresses. The HTTP protocol is used.

Other information

The trojan executes the following commands:

  • %windir%\system32\cmd.exe /c systeminfo & tasklist & netstat -nao & dir "C:\Program Files" & dir "C:\Program Files (x86)"
  • %windir%\system32\cmd.exe /c %windir%\SysprepThemes\Microsoft\svchost.exe > stage1.txt
  • %windir%\system32\cmd.exe /c %windir%\SysprepThemes\Microsoft\spoolsv.exe > stage2.txt
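The commands above expose two host-side patterns worth hunting for: a cmd.exe chain of several collection tools, and binaries named svchost.exe and spoolsv.exe (names borrowed from genuine Windows files in System32) executed from the SysprepThemes staging folder. The triage code below is an added example for this page, not code from the original entry or from the malware. It goes slightly beyond the specific case in the text by flagging any such system-binary name run from outside the system directories, not only the SysprepThemes path. The events are constructed; the field names follow Sysmon Event ID 1 (Image, CommandLine), but the 'key=value|key=value' serialization and the sample paths are assumptions made for the example.

```python
"""Triage process-creation events for the two behaviours the commands above exhibit:
a cmd.exe reconnaissance chain, and Windows system-binary names executed from outside
the real system directories (here the SysprepThemes folder)."""
import ntpath
import re

# Names the dropped files borrow from genuine Windows binaries.
SYSTEM_BINARY_NAMES = {"svchost.exe", "spoolsv.exe"}
# Directories where those names are legitimate (lower-cased, including the %windir% form the page uses).
LEGIT_DIRS = {
    r"c:\windows\system32", r"c:\windows\syswow64",
    r"%windir%\system32", r"%windir%\syswow64",
    r"%systemroot%\system32", r"%systemroot%\syswow64",
}
# Collection tools the trojan chains behind cmd.exe /c.
RECON_TOOLS = {"systeminfo", "tasklist", "netstat"}

# Constructed sample events (not from the page). Field names follow Sysmon Event ID 1;
# the 'key=value|key=value' serialization is an assumption made for this example.
SAMPLE_EVENTS = [
    r'Image=C:\Windows\System32\cmd.exe|CommandLine=%windir%\system32\cmd.exe /c systeminfo & tasklist & netstat -nao & dir "C:\Program Files" & dir "C:\Program Files (x86)"',
    r'Image=C:\Windows\System32\cmd.exe|CommandLine=%windir%\system32\cmd.exe /c %windir%\SysprepThemes\Microsoft\svchost.exe > stage1.txt',
    r'Image=C:\Windows\SysprepThemes\Microsoft\spoolsv.exe|CommandLine=C:\Windows\SysprepThemes\Microsoft\spoolsv.exe',
    r'Image=C:\Windows\System32\svchost.exe|CommandLine=C:\Windows\system32\svchost.exe -k netsvcs',
    r'Image=C:\Windows\System32\cmd.exe|CommandLine=cmd.exe /c tasklist',
    r'Image=C:\Windows\System32\spoolsv.exe|CommandLine=C:\Windows\System32\spoolsv.exe',
]


def parse_event(line):
    """Split 'key=value|key=value' into a dict; values may themselves contain '='."""
    return dict(field.split("=", 1) for field in line.split("|"))


def masquerading_path(path):
    """True if the path names a Windows system binary but sits outside the system directories."""
    p = path.strip('"').lower()
    return ntpath.basename(p) in SYSTEM_BINARY_NAMES and ntpath.dirname(p) not in LEGIT_DIRS


def exe_paths(cmdline):
    """Every quoted or bare token ending in .exe on a command line."""
    return [t.strip('"') for t in re.findall(r'"[^"]+?\.exe"|[^\s"]+\.exe', cmdline, re.I)]


def recon_tool_count(cmdline):
    """Number of distinct RECON_TOOLS run in a 'cmd.exe /c a & b & c' chain (0 if not cmd /c)."""
    parts = re.split(r"\s/c\s", cmdline, maxsplit=1, flags=re.I)
    if len(parts) < 2 or not re.search(r"\bcmd(\.exe)?\b", parts[0], re.I):
        return 0
    found = set()
    for segment in parts[1].split("&"):
        first = ntpath.basename(segment.strip().split(" ")[0].lower())
        found.add(first[:-4] if first.endswith(".exe") else first)
    return len(found & RECON_TOOLS)


def triage(event):
    """Return the list of reasons an event is suspicious (empty list when clean)."""
    reasons = []
    cmdline = event.get("CommandLine", "")
    # check both the process image and any executable it is told to launch
    candidates = [event.get("Image", "")] + exe_paths(cmdline)
    if any(masquerading_path(p) for p in candidates):
        reasons.append("masqueraded_system_binary")
    # one tool is routine admin work; the trojan runs all three in a single chain
    if recon_tool_count(cmdline) >= 2:
        reasons.append("recon_chain")
    if re.search(r">\s*stage\d+\.txt", cmdline, re.I):
        reasons.append("stage_redirect")
    return reasons


def hunt(lines):
    """Map line index -> reasons for every event that is not clean."""
    result = {}
    for i, line in enumerate(lines):
        reasons = triage(parse_event(line))
        if reasons:
            result[i] = reasons
    return result


if __name__ == "__main__":
    for idx, why in hunt(SAMPLE_EVENTS).items():
        print(idx, why, SAMPLE_EVENTS[idx][:80])
```

The path check is the durable part: a real svchost.exe or spoolsv.exe only ever runs from System32 or SysWOW64, so any other directory is worth an alert regardless of the folder name this particular sample chose. The stageN.txt redirect is specific to this family and is included as a low-cost confirmation.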

The trojan can terminate the following processes:

  • taskmgr.exe
