Concrete signature match: Password Stealer - Steals credentials and sensitive information for 32-bit Windows platform, family Fareit
PWS:Win32/Fareit!pz is a critical password-stealing Trojan that specifically targets credentials from web browsers, FTP clients like WinRAR and FAR Manager, and clipboard data. It communicates with command-and-control servers to exfiltrate stolen information and track victims.
Relevant strings associated with this threat:
- MSVBVM60.DLL (PEHSTR_EXT)
- MSVBVM60.DLL (PEHSTR)
- Kawaii-Unicorn.exe (PEHSTR_EXT)
- cmd /c rename (PEHSTR_EXT)
- DllFunctionCall (PEHSTR_EXT)
- \Unicorn (PEHSTR_EXT)
- VB.Clipboard (PEHSTR_EXT)
- YlcF3nkOJOKQ88SJsUazBPvEmrRIR0D5tWBdkT (PEHSTR_EXT)
- System.IO.Compression (PEHSTR_EXT)
- System.Threading (PEHSTR_EXT)
- System.Runtime.Remoting (PEHSTR_EXT)
- @*\AProject1 (PEHSTR_EXT)
- 185.7.214.7/ADS11/RED.PNG (PEHSTR_EXT)
- https://iplogger.org/1pucu7 (PEHSTR_EXT)
- 6////6/61661 (PEHSTR_EXT)
- euisfdjsxadfds7 (PEHSTR_EXT)
- cmdCancel (PEHSTR_EXT)
- TIPOFDAY.TXT (PEHSTR_EXT)
- OFFTHERECORD-32.dll (PEHSTR_EXT)
- http://www.ssnbc.com/wiz/ (PEHSTR_EXT)
- gzipDecom (PEHSTR_EXT)
- kErnEl32.DLL (PEHSTR_EXT)
- Ui.TrackingRecord.resources (PEHSTR_EXT)
- 60.dll (PEHSTR)
- /gate.php (PEHSTR)
- software\winrar (PEHSTR)
- /gate.php (PEHSTR_EXT)
- Software\WinRAR (PEHSTR_EXT)
- Software\Far2\SavedDialogHistory\FTPHost (PEHSTR_EXT)
- PKDFILE0YUICRYPTED0YUI1.0 (PEHSTR_EXT)
- software\winrar (PEHSTR_EXT)
- \estsoft\alftp (PEHSTR_EXT)
- inetcomm server passwords (PEHSTR_EXT)
- \VanDyke\Config\Sessions (PEHSTR_EXT)
- oid.bat (PEHSTR_EXT)
- abcd.bat (PEHSTR_EXT)
- http (PEHSTR_EXT)
- F:\hVjjmsck\zunzMo\dAQQ.pdb (PEHSTR)
- Far\Plugins\FTP\Hosts (PEHSTR_EXT)
- \Estsoft\ALFTP (PEHSTR_EXT)
- \Ipswitch\WS_FTP (PEHSTR_EXT)
- \win.ini (PEHSTR_EXT)
- Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders (PEHSTR_EXT)
- SiteServer %d\Remote Directory (PEHSTR_EXT)
- PQRVW=/ (PEHSTR)
- imagehlp.dll (PEHSTR)
- shell32.dll (PEHSTR)
- shell32.dll (PEHSTR_EXT)
- kernel32.dll (PEHSTR_EXT)
- %s\%sPasswords.log (PEHSTR)
- file%d.exe (PEHSTR)
- http://butterchoco.net/admin/bull/gate.php (PEHSTR_EXT)
- YUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1.0 (PEHSTR_EXT)
- http://akdoganevdeneve.net/wp-content/Panel/gate.php (PEHSTR_EXT)
- AlienRunPE.AlienRunPE (PEHSTR_EXT)
- StringComparison (PEHSTR_EXT)
- Roslyn.Utilities (PEHSTR_EXT)
- {M.344:4 (PEHSTR_EXT)
- fC<Y**// (PEHSTR_EXT)
- d******// (PEHSTR_EXT)
- . #0qb (SNID)
- !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
- rundll32 (PEHSTR_EXT)
- !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
- !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
- !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)

Associated sample hash:
- 9db343a12b7b22ba7feca33019a437067f96e03a2695f574a97f446f7dc2883b

Recommended remediation:
Isolate the affected system immediately and ensure Windows Defender has fully removed the threat. Reset all passwords, particularly for online accounts, email, banking, and FTP clients, and enable multi-factor authentication. Perform full system scans with updated antivirus software to detect any residual malware or persistence mechanisms.