# Trojan.Win32/Spy.Ranbyus

**xylibox.com/2013/01/trojanwin32spyranbyus.html**

Received a mail with an interesting exe: https://www.virustotal.com/file/17a3ee51492b9b2ba155f54be61f2c305b090cee8d604d1df616ca3ba881b372/analysis/1359049655/

Thanks creep.

This bot is used by one group of Russian carders and is not for sale; they call it 'triton'.

IDA Map file imported to Olly; without IDA I had huge problems understanding the exe.

Injects:

-----

Decoded strings (some, not everything):

```text
&pp=1
reg add "
&files=1
nabagent.exe
putty.exe
[MOUSE R %dx%d]
POST
SeShutdownPrivilege
UniStream.exe
cbsmain.exe
HKLM\
jawt.dll
&net=1
disk%u.xml
&scrn=1
&cmd=1
UZ.DB3
GET
iexplore.exe
ThunderRT6FormDC
com.bifit.harver.core.DocumentBrowserFrame
drweb.exe
nabwatcher.exe
WINNT
bc_loader.exe
avfwsvc.exe
[VK_END]
.iBank*
aswupdsv.exe
%s\tmp%xa%04d.$$$
\/servlets\/ibc
bclient.exe
EnableLUA
secring
client7.exe
Western Union® Translink™
Tiny Client-Bank
```

-----

```text
/bsi.dll
Content-type: multipart/form-data, boundary=%s
Edit
java.exe
sign.key
\\.\PhysicalDrive0
inbank-start-ff.exe
http://([^:/]+):*([^/]*)(.+)
Content-Disposition: form-data; name="data"; filename="1"
clbank.exe
BBClient.exe
WS2_32.DLL
ComSpec
iscc.exe
SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
avengine.exe
https:\/\/ibank.alfabank.ru
WebMoney Keeper Classic » Вход
a:\keys.dat
https:\/\/ibank.prbb.ru
oncbcli.exe
logs
nortonantibot.exe
ContactNG.exe
BUTTON
wclnt.exe
ashwebsv.exe
mj=%u&mi=%u&pt=%u&b=%u&dc=%u
sgbclient.exe
cbsmain.dll
avmailc.exe
Software\Microsoft\Windows NT\CurrentVersion\
winlogon.exe
webmoney.exe
egui.exe
/c del
--%s-auth-attr-\d+-param1=.*&auth-attr-\d+-param2=.*
intpro.exe
vshwin32.exe
firefox.exe
mcshield.exe
Password:
nabmonitor.exe
UNIStream®. Аутентификация.
```
```text
Software\Microsoft\Windows\CurrentVersion\Policies\System
&file=2
http://e71koapi.org/lc5dx/index.php
rclient.exe
.jks
cfp.exe
translink.exe
http://pulden376-seven3.in/doEst71beG/index.php
```

-----

```text
Content-Transfer-Encoding: binary
ntvdm.exe
SysDebug32
%s?id=%s&session=%u&v=%u&name=%s
&av=
avp.exe
System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
cmdagent.exe
WINSCARD.DLL
" /v EnableLUA /t REG_DWORD /d 0 /f
bankcl.exe
Software\Microsoft\Windows\CurrentVersion
safari.exe
avconsol.exe
elbank.exe
username=.*&password=.*
pubring=(.*)
javax.swing.JFrame
secring=(.*)
javaw.exe
ISClient.exe
JVM.DLL
bk.exe
http://([^:/]+)/.+
auth-attr-\d+-param1=(.*)&auth-attr-\d+-param2=([^&]*)
ekrn.exe
sched.exe
avgnt.exe
avwebgrd.exe
startclient7.exe
master.key
avsynmgr.exe
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
```

Aleksandr Matrosov knows this threat better than I do; go have a look at his article: [http://blog.eset.com/2012/12/19/win32spy-ranbyus-modifying-java-code-in-rbs](http://blog.eset.com/2012/12/19/win32spy-ranbyus-modifying-java-code-in-rbs)

Let's go directly to the panel...
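The decoded strings give the bot's check-in format (`%s?id=%s&session=%u&v=%u&name=%s`) and the flags it appends (`&av=`, `&scrn=1`, `&files=1`, `&net=1`, `&cmd=1`, `&pp=1`, `&file=2`). As an added example that is not part of the original post, the Python below matches that parameter set in proxy log lines so a defender can spot check-ins regardless of the C2 hostname; the log format, client addresses and `.invalid` hostnames are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Parameter names come from the decoded format string
#   %s?id=%s&session=%u&v=%u&name=%s
# and the flag strings the bot appends (&av=, &scrn=1, &files=1, &net=1, &cmd=1, &pp=1, &file=2).
BEACON_REQUIRED = {"id", "session", "v", "name"}
BEACON_FLAGS = {"av", "scrn", "files", "net", "cmd", "pp", "file"}

# Constructed proxy log lines (hostnames are placeholders, not from the post):
# "<client ip> <method> <url> <status>"
SAMPLE_LOG = """\
10.0.0.5 GET http://c2-placeholder.invalid/lc5dx/index.php?id=0A1B2C3D&session=17&v=2&name=PC01&av=avp.exe&scrn=1 200
10.0.0.5 POST http://c2-placeholder.invalid/lc5dx/index.php?id=0A1B2C3D&session=17&v=2&name=PC01&files=1 200
10.0.0.7 GET http://intranet.invalid/index.php?id=42&page=home 200
10.0.0.9 GET http://shop.invalid/cart?session=abc&v=1&name=x 200
"""

LOG_RE = re.compile(r"^(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$")


def classify_url(url):
    """Return details of a Ranbyus-style check-in, or None if the URL does not fit.

    All four fixed parameters must be present; 'session' and 'v' must be numeric
    (the format string prints them with %u). Any flag parameters present are
    reported so an analyst can see which modules claimed to have data.
    """
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)
    if not BEACON_REQUIRED.issubset(params):
        return None
    if not (params["session"][0].isdigit() and params["v"][0].isdigit()):
        return None
    flags = sorted(k for k in params if k in BEACON_FLAGS)
    return {"host": parts.hostname, "path": parts.path, "bot_id": params["id"][0],
            "session": int(params["session"][0]), "flags": flags}


def scan_log(text):
    """Return (client, method, check-in details) for every matching request in the log."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            info = classify_url(m.group("url"))
            if info is not None:
                hits.append((m.group("client"), m.group("method"), info))
    return hits
```

Running `scan_log(SAMPLE_LOG)` returns only the two placeholder C2 requests, with the first flagged as carrying an AV name and a screenshot, and the second as a file upload; the intranet and shop requests share some parameter names but lack the full set.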
Login:

Statistics:

-----

Active bots with smartcard:

Screenshots (SR):

Clicking on a random day:

A screenshot taken by the bot:

-----

Filelist (FL):

File (F):

Keys (K):

Bot information:

-----

Orders to send:

Download list:

Some task urls:

-----

Some files can be found here: [http://vxvault.siri-urz.net/ViriList.php?IP=209.61.202.242](http://vxvault.siri-urz.net/ViriList.php?IP=209.61.202.242)

Hide:

Lookup:

add:

-----

Banks:

Download:

Comments:

Others:

-----

Search via IP:

Search via ID:

Daemon:

Update:

-----

Settings:

-----