{
	"id": "c1464167-4364-4ff5-b8fb-139e38d6c4c0",
	"created_at": "2026-04-06T00:15:50.605231Z",
	"updated_at": "2026-04-10T03:20:32.068897Z",
	"deleted_at": null,
	"sha1_hash": "5be20be877179dd21d5d517afe06c8c68e03fe20",
	"title": "Trojan banking 47d18761d46d8e7c4ad49cc575b0acc2bb3f49bb56a3d29fb1ec600447cb89a4",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 173508,
	"plain_text": "Trojan banking\r\n47d18761d46d8e7c4ad49cc575b0acc2bb3f49bb56a3d29fb1ec600447cb89a4\r\nPosted by zairon on April 15, 2014\r\nPublished: 2014-04-15 · Archived: 2026-04-05 16:11:12 UTC\r\nTwo days ago I blogged about the approach I used to start analysing this malware; today I spent some more time on the target trying to get an idea of its behaviour. According to VirusTotal the file has a 21/51 detection rate; it was 6/51 six days ago.\r\nIt is aimed at Asian users and, among all its malicious features, I noted an interesting data exchange between the infected machine and a server reachable at 192.74.241.104 and 192.74.241.105.\r\nFrom server to infected machine\r\nGET\r\nThe file plus.php is saved on the infected machine. Wireshark marks the new file as an “application/zip” file, and I have to admit that at first glance I thought the same thing:\r\nMisleading header\r\nI was wrong: the file is not a valid archive. To better understand what kind of file this is, I turned to a debugger. All the bytes starting from offset 0x68 are decrypted by a simple piece of code:\r\n10007F10 decrypt_part_of_the_downloaded_file:\r\n10007F10 mov eax, ecx ; ecx = index of the current byte\r\n10007F12 push 2\r\n10007F14 cdq ; sign-extend eax into edx:eax for idiv\r\n10007F15 pop edi ; edi = 2\r\n10007F16 idiv edi ; edx = ecx % 2\r\n10007F18 test edx, edx\r\n10007F1A jz short loc_10007F22 ; even index?\r\n10007F1C add byte ptr [ecx+esi], 3Ah ; odd index: byte += 0x3A\r\n10007F20 jmp short loc_10007F26\r\n10007F22 add byte ptr [ecx+esi], 4Bh ; even index: byte += 0x4B\r\n10007F26 inc ecx\r\n10007F27 cmp ecx, [ebp+var_4] ; var_4 = length of the region esi points to\r\n10007F2A jl short decrypt_part_of_the_downloaded_file\r\nThe “decryption” is nothing more than adding a per-position constant to each byte (0x4B at even offsets, 0x3A at odd ones, modulo 256), but the result is something I didn’t expect; here is a small part of the whole file:\r\nThe file is moved into the “C:\\Windows\\System32\\drivers\\etc” directory under the new name hosts.ics, a second hosts file that the Windows resolver consults alongside hosts, so the mappings take effect while the well-known hosts file stays untouched. 
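As an added example (not code from the original post), the following Python reimplements the decoder loop disassembled above and then parses the recovered hosts-format list, flagging entries that map a hostname to an address outside the loopback, link-local and private ranges, which is what a pharming hosts.ics looks like. The sample payload is constructed for the example: the real plus.php content is not reproduced on this page, so the hostnames (reserved .example names), the 203.0.113.10 address (RFC 5737 documentation range) and the zero-padded header are placeholders, and the PK signature at the start is only an assumption based on Wireshark sniffing the file as application/zip.

```python
# Added example: reimplementation of the byte-add decoder at 10007F10 and a
# parser for the recovered hosts list. Sample data is constructed; it is not
# the real plus.php payload from the post.
import ipaddress

ENCRYPTED_OFFSET = 0x68   # per the post, bytes from offset 0x68 onward are encoded
ADD_ODD = 0x3A            # add byte ptr [ecx+esi], 3Ah  when ecx % 2 != 0
ADD_EVEN = 0x4B           # add byte ptr [ecx+esi], 4Bh  when ecx % 2 == 0
NL = chr(10)

# Ranges a legitimate hosts / hosts.ics entry may point at (loopback,
# link-local, RFC 1918). Anything else is treated as a pharming target.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    '127.0.0.0/8', '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16',
    '169.254.0.0/16', '::1/128', 'fe80::/10', 'fc00::/7')]


def decode_region(buf: bytes, start: int = ENCRYPTED_OFFSET) -> bytes:
    '''Apply the loop at 10007F10: esi points at buf[start], ecx runs from 0
    to var_4 - 1, and each byte gets 0x3A (odd index) or 0x4B (even index)
    added to it modulo 256.'''
    region = bytearray(buf[start:])
    for ecx in range(len(region)):
        key = ADD_ODD if ecx % 2 else ADD_EVEN
        region[ecx] = (region[ecx] + key) & 0xFF
    return bytes(region)


def encode_region(plain: bytes) -> bytes:
    '''Inverse of decode_region (subtract instead of add). Only used here to
    build the constructed sample.'''
    out = bytearray(plain)
    for ecx in range(len(out)):
        key = ADD_ODD if ecx % 2 else ADD_EVEN
        out[ecx] = (out[ecx] - key) & 0xFF
    return bytes(out)


def parse_hosts(text: str) -> list:
    '''Parse hosts / hosts.ics syntax: <ip> <hostname> [hostname ...],
    with # starting a comment. Returns (ip, hostname) pairs.'''
    entries = []
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not a hosts entry; skip rather than abort
        for host in parts[1:]:
            entries.append((str(ip), host.lower()))
    return entries


def pharming_entries(entries: list) -> list:
    '''A hosts.ics written by Windows ICS maps names to local addresses; a
    name mapped outside LOCAL_NETS is the pharming signal.'''
    flagged = []
    for ip, host in entries:
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in LOCAL_NETS):
            flagged.append((ip, host))
    return flagged


def analyse(buf: bytes):
    '''Decode the region after the misleading header and flag hijacked names.'''
    plain = decode_region(buf).decode('latin-1')
    entries = parse_hosts(plain)
    return entries, pharming_entries(entries)


# Constructed sample: placeholder names and a documentation-range IP.
CONSTRUCTED_PLAIN = NL.join([
    '127.0.0.1 localhost',
    '203.0.113.10 bank.example www.bank.example   # constructed pharming entries',
    '203.0.113.10 login.bank.example',
]).encode('ascii')
# Constructed 0x68-byte header. The post says Wireshark sniffed the file as
# application/zip, so a PK signature is assumed; the rest is zero padding.
CONSTRUCTED_HEADER = bytes([0x50, 0x4B, 0x03, 0x04]) + bytes(ENCRYPTED_OFFSET - 4)
CONSTRUCTED_FILE = CONSTRUCTED_HEADER + encode_region(CONSTRUCTED_PLAIN)

if __name__ == '__main__':
    entries, flagged = analyse(CONSTRUCTED_FILE)
    print('decoded entries:', entries)
    print('pharming suspects:', flagged)
```

On a real capture you would call analyse on the raw bytes of the downloaded plus.php; the same parse_hosts and pharming_entries pair also works on a hosts.ics pulled from a suspect machine, where any non-local mapping is worth a look during removal.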
The list seems to be the same one described in three articles by NSHC Security; you can find the PDF reports in their Red Alert Reports section:\r\n– Internet Bank Pharming – BlackMoon\r\n– Internet Bank Pharming with CVE-2013-3897\r\n– Internet Banking Malware\r\nThe malware I’m looking at has a lot in common with the samples behind those reports: it deletes antivirus executables, uses a shortcut file to run itself at startup, creates the hosts.ics file, and steals certificates by searching for NPKI folders and sending them to a specific server in encrypted form.\r\nOn the other hand, the infection has changed slightly: the DLL is loaded by a rundll32 process disguised as ctfmon.exe rather than csrss.exe, the startup link has a different name, V2LiteExp (the name comes from the AhnLab V3 Internet Security suite), and the plus.php download appears in the recent samples only. Little things, of course, but they matter during removal.\r\nFrom infected machine to server\r\nSend\r\nA series of bytes is sent out; what is behind this obscure sequence?\r\nAgain, a simple XOR encryption hides the real information being sent. The decrypted message contains strings describing the infected machine and the infection itself:\r\n– processor type, something like “Intel(R) Core(TM) i7-3770K CPU @ 3.50GHz”\r\n– free physical memory: “3584 MB”\r\n– running OS: “Win XP SP2”\r\n– date of infection: “20140415”\r\n– location of the hosts list: “http://192.74.241.104:805/plus.php”\r\nThis information is sent on a fixed schedule.\r\n192.74.241.104 and 192.74.241.105\r\nThese addresses belong to the “PEG TECH INC” organization. 
There are many spam-related complaints around the web about this organization; keep an eye on the 192.74.241.96 to 192.74.241.111 range (192.74.241.96/28).\r\nTo end this post, have a look at the advice from a company named PegTech.\r\nSource: https://zairon.wordpress.com/2014/04/15/trojan-banking-47d18761d46d8e7c4ad49cc575b0acc2bb3f49bb56a3d29fb1ec600447cb89a4/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://zairon.wordpress.com/2014/04/15/trojan-banking-47d18761d46d8e7c4ad49cc575b0acc2bb3f49bb56a3d29fb1ec600447cb89a4/"
	],
	"report_names": [
		"trojan-banking-47d18761d46d8e7c4ad49cc575b0acc2bb3f49bb56a3d29fb1ec600447cb89a4"
	],
	"threat_actors": [],
	"ts_created_at": 1775434550,
	"ts_updated_at": 1775791232,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5be20be877179dd21d5d517afe06c8c68e03fe20.pdf",
		"text": "https://archive.orkl.eu/5be20be877179dd21d5d517afe06c8c68e03fe20.txt",
		"img": "https://archive.orkl.eu/5be20be877179dd21d5d517afe06c8c68e03fe20.jpg"
	}
}