¡Vd. usa un navegador obsoleto!
Es posible que la página no se visualice correctamente.
El análisis de tecnologías usadas por los malintencionados nos permite sacar conclusiones sobre los posibles vectores de desarrollo de la industria antivirus y afrontar las futuras amenazas con mayor eficacia. Entérese de cómo funcionan varios programas nocivos en sistemas infectados y cómo afrontarlo.
SHA1: | File name | DLL name after decryption | Description |
---|---|---|---|
726613215a29826a33e96486222ec9ff2ad2c077 | setup_4_0_14_6.exe | installer of ePrica 4.0.14.6 | |
0bb3f466476e241e5da29fe77775f65bbcb337bc | lx01af01.nlb | installer.dll | BackDoor.Dande.2 with the driver RpcSsPrt |
9111571131730e127480036420deef6cd8549638 | lx02af02.nlb | installer.dll | BackDoor.Dande.2 with the driver RpcSsPrt |
bff77975cfea2439a46db1c0e09c6d42687ae4b3 | lx03af03.nlb | installer.dll | BackDoor.Dande.2 with the driver RpcSsPrt |
f1a7f4144220493576f172ef64ce7f0e4a9f1df9 | lx04af04.nlb | installer.dll | BackDoor.Dande.2 with the driver RpcSsPrt |
f104d5e3b2fa88c2fcc81aa88e6f3667d4924277 | lx05af05.nlb | installer.dll | BackDoor.Dande.2 with the driver RpcSsPrt |
feef00d7e7903cb3b4548b9e9e02df892797fea3 | lx07af07.nlb | installer.dll | BackDoor.Dande.2 with the driver RpcSsPrt |
5f7931c88681c0eb807dbd716601eb2b82978918 | lx10af10.nlb | installer.dll | BackDoor.Dande.2 with the driver RpcSsPrt |
634ff6e29558c415849d4d1a1f23d406a41f722e | lx10af20.nlb | installer.dll | BackDoor.Dande.2 with the driver isaPnpPrt |
13e3e4f7747476af6016d3a64bbbca74abdb2dbe | lx10af39.nlb | installer.dll | BackDoor.Dande.2 with the driver isaPnpPrt |
8120d603bd2019cc36560bb94f76a4c2bbd7160c | lx11af11.nlb | installer.dll | BackDoor.Dande.2 with the driver RpcSsPrt |
45ee755c3210e93db8590dd0b1b120164131798c | lx12af12.nlb | installer.dll | BackDoor.Dande.2 with the driver RpcSsPrt |
802b5603c7179c27ce1e6d4fdbfbae6db5bc5d93 | lx14af14.nlb | installer.dll | BackDoor.Dande.2 with the driver RpcSsPrt |
0b376df2f722f4b15097a4a357dc5afdea628e77 | lx15af15.nlb | installer.dll | BackDoor.Dande.2 with the driver RpcSsPrt |
ea89eaacffa8c38ff31e55caaa8463177a249c1f | lx16af16.nlb | installer.dll | BackDoor.Dande.2 with the driver RpcSsPrt |
be921123ed231bcc864c92a5a58353974674d1af | lx18af18.nlb | installer.dll | BackDoor.Dande.2 with the driver RpcSsPrt |
8a562438d5fdb18482d5a41f2f17b23da9d2ef77 | lx19af19.nlb | installer.dll | BackDoor.Dande.2 with the driver RpcSsPrt |
ca67331a469fc1f91fe5ac5dbb045a022c2f46e9 | lx20af20.nlb | installer.dll | BackDoor.Dande.2 with the driver RpcSsPrt |
2392507fa6ff223ad125d42a0e1df28a5959a7b6 | lx20af5.nlb | test_pandora.dll | grabber of price lists for SIA International |
0d6d3ff8f68351a5bef1d5b827974ae8ab796cb7 | lx22af22.nlb | installer.dll | BackDoor.Dande.2 with the driver RpcSsPrt |
34a63864b736f2819a9c02689577de74d53a10ea | lx23af23.nlb | installer.dll | BackDoor.Dande.2 with the driver RpcSsPrt |
fceb12b591296fcba0ed5dc682cfa168c935c91b | lx24af24.nlb | installer.dll | BackDoor.Dande.2 with the driver RpcSsPrt |
90327f60b94f399a9a1718f94611a97b7f4df46d | lx25af25.nlb | installer.dll | BackDoor.Dande.2 with the driver RpcSsPrt |
b5d9306d55d8ccc70a8b88e1c863d4fce0987819 | lx26af26.nlb | installer.dll | BackDoor.Dande.2 with the driver RpcSsPrt |
744405c3441a6c37f33ac0b85a994f5ac43cbe82 | lx27af27.nlb | installer.dll | BackDoor.Dande.2 with the driver RpcSsPrt |
08a6f14da840bddaac8710da9ef11d8e0d983402 | lx30af30.nlb | installer.dll | BackDoor.Dande.2 with the driver RpcSsPrt |
1e7271a192c6336848a48d0c327e8c17731e7c89 | lx31af31.nlb | installer.dll | BackDoor.Dande.2 with the driver RpcSsPrt |
f85d9cdd4fd883f9bc840bb2af999d0ec75864fd | lx33af33.nlb | installer.dll | BackDoor.Dande.2 with the driver RpcSsPrt |
bbba32c25d9212dfd9eaade8f946d5e8fc6fb6c0 | lx37af37.nlb | installer.dll | BackDoor.Dande.2 with the driver RpcSsPrt |
e5e7f98a693f79b630ea78f358c4be0f6f3a2296 | lx39af39.nlb | installer.dll | BackDoor.Dande.2 with the driver RpcSsPrt |
abc12800a1260c2d5c10d01a51042429b09642e1 | lx40AA0.nlb | Project2.dll | grabber for AHold32.exe, WinPrice.exe, RSFOrder.exe |
784aa1b9f3e450d569f58881df02a6d54fc2b1de | lx40af40.nlb | installer.dll | BackDoor.Dande.2 with the driver RpcSsPrt |
503cf82fed9559083ba972e72db6332c2de0488c | lx42af42.nlb | installer.dll | BackDoor.Dande.2 with the driver RpcSsPrt |
476900f361a569571d38349c3f4bd32af98d0437 | lx44af44.nlb | installer.dll | BackDoor.Dande.2 with the driver RpcSsPrt |
587ed7891b41ae911f80a6c485f0b52bfd504359 | lx50SL1.nlb | rsforder.dll | grabber for AHold32.exe, WinPrice.exe, RSFOrder.exe, tamda.exe |
c06ad7f64afaff90d4da588b64dbea9f524b842a | lx55Gl92.nlb | Project1.dll | grabber for AHold |
4084b8027d876a75cf8fc808ac49ebc60a022424 | lx607cb.nlb | status.dll | collection of information about the system, anti-viruses and check of the installed driver isaPnpPrt.sys of the Dande Trojan |
4d1bd71913abe85bc1a86e3abaca1a450cd0ff41 | fe.emd | FE.dll | grabber of price lists |
a1c9de6599ee6b505de15aba65fc26401dea9a1a | gci.emd | gci.dll | AHold32.exe, Dongos_Client.exe, Alliance Healthcare Russia, WinPrice.exe, FM_Client.exe, RSFOrder.exe, tamda.exe |
63a18cf6c11a8b073f9646d73ab8ec3f794380e5 | lx98fc01.emd | fac.dll | grabber of price lists |
d88e6ffabf52b4c8d27ad8f0da91889309408e76 | lx99ia01.emd | ifc.dll | grabber of price lists |
21b0e95f93fdb4c008245417f0897fbcec3acb28 | rwj.emd | rwj.dll | RUSSM |
471ca3f6af4bc04d878241aaa1f01a8f494c46e7 | san2.emd | San.dll | grabber szpost.dbf, sztovar.dbf, NSZPOSTID |
37eaba2de2b16b23fe99eac4492ea7c86df0e3ef | see.emd | ke.dll | WinPrice.exe |
24d51713e45b944ed288f211b102028b0759e0ff | runmod.exe | module of decryption and launch of plug-ins from the memory | |
7002f14f42d315f41e4d52d0befbdfd22374cbb5 | emd.kst | private key protected with a password |
Digital signature of the file runmod.exe:
SHA1: | File name | DLL name after decryption | Description |
---|---|---|---|
4d4e86391c04029604e90da62f73ed6ab6af3dbd | dkny.emd | dkny.dll | grabber for gaz.exe |
4d1bd71913abe85bc1a86e3abaca1a450cd0ff41 | fe.emd | FE.dll | grabber of price lists |
d0948749bd8164ca9ff11cee0a943b77f5545db5 | gci.emd | gci.dll | AHold32.exe, Dongos_Client.exe, Alliance Healthcare Russia, WinPrice.exe, FM_Client.exe, RSFOrder.exe, tamda.exe |
ec1ebec5d396a669cac4b54f0c34f95995389d8f | gcif.emd | gcif.dll | grabber of price lists |
86af6fcf21a5894f104bc5fc1566b829725e71b9 | gep.emd | ge.dll | grabber of price lists |
ac479abdfd94aa56d843f96b20f792d85956c4bc | kep.emd | grabber for WinPrice.exe | |
145190fe0abaef753c8383e641011b8bc4fd6992 | lx01af01.nlb | installer.dll | BackDoor.Dande.2 with the driver RpcSsPrt |
9a23565402457428973689377b454cb495504aab | lx01rwk.nlb | rwk.dll | grabber RUSSM |
400068f63b58f84c5e186aa3bf999d9194c75299 | lx01tu01.nlb | installer.dll | BackDoor.Dande.2 with the driver RpcSsPrt |
ea11e708f5a3193173253ecfadfffba31fc4b3f2 | lx05af05.nlb | installer.dll | BackDoor.Dande.2 with the driver RpcSsPrt |
d77111608915a0e7ba1f6b5549907eab274c68b1 | lx10af1.nlb | starter.dll.dll | Win32.Dande (first version) |
2392507fa6ff223ad125d42a0e1df28a5959a7b6 | lx20af5.nlb | test_pandora.dll | grabber of price lists for SIA International |
18b61504cd2eb7c53ad5adcedc677cc81fa5bcef | lx20df5.nlb | test_pandora.dll | grabber of price lists for siacli |
34b81b0b0bb71114635de01cf62a952bbd6e8a10 | lx40AA0.nlb | Project2.dll | grabber for AHold32.exe, WinPrice.exe, RSFOrder.exe |
2c98831cfb73a7ae90420dfb9cfdbfe1f71d5ab2 | lx50SL1.nlb | rsforder.dll | grabber for AHold32.exe, WinPrice.exe, RSFOrder.exe, tamda.exe |
db28824564fc0a3a47dbfed415b80ed127240d9a | lx55Gl92.nlb | Project1.dll | grabber for AHold |
66336f359ed04648a12b8537a9507ac3c15ebdd2 | lx607cb.nlb | status.dll | collection of information about the system and anti-viruses, check of the installed driver isaPnpPrt.sys of the Dande Trojan |
31ad2082d21f9cef17de6ab052886406f848fe66 | lx61af01.nlb | pmd.dll | grabber of price lists |
a1c9fbb3366fec6ad107e0a8daec54fb004c9f18 | lx63zf01.emd | lx63zf01.dll | grabber of price lists for FClient.exe |
15f348d73b41933c875374841028403c6c7d7d6c | lx99ia01.emd | ifc.dll | grabber of price lists |
8b2f26f2ddd0e0e0ebc1f1490f3152e8c1857264 | rwj.emd | rwj.dll | RUSSM |
37eaba2de2b16b23fe99eac4492ea7c86df0e3ef | see.emd | ke.dll | WinPrice.exe |
3bc30284dd5285f186dcd29ebf601442f1a4d4bb | zakaz.exe | decrypts plug-ins in the memory and launches them, it is a client part of the program | |
7002f14f42d315f41e4d52d0befbdfd22374cbb5 | emd.kst | private key protected with a password | |
b70ef72af2374fec42fa16ea84620f9503880c61 | DataCollector.dll | oradc32.dll | grabber of price lists from the 1C databases (BackDoor.Dande.62) |
Digital signature of the file zakaz.exe:
Trojan files detected as BackDoor.Dande.63 – BackDoor.Dande.159.
Component of the eZakaz application that decrypts its plug-ins using the private key emd.kst and launches them in RAM. It also works with the eZakaz database.
Component of the ePrica application that decrypts its plug-ins using the private key emd.kst and launches them in RAM. After detection of the key password (“flatron2005”), security researchers were able to decrypt these plug-ins.
Plug-in that copies information about medication procurement from the 1C database. To determine the database location, it uses the following thread of the system registry:
[HKEY_CURRENT_USER\Software\1C\1Cv7\7.7\Titles]
Scans directories and searches them for databases with the following names: 1Cv7.MD and 1Cv7.DD. If they are detected, it searches them for the TaskItem key and checks the availability of the word “pharma”. The plug-in saves information on the path to the found databases.
It also tries to find databases called RA844.DBF and RA1227.DBF. If they are detected, it performs their syntactic analysis (parsing).
It saves a report to the file oradc32.st that is compressed by the zlib library.
After removal of ePrica, the Trojan modules remain on the infected computer and continue their operation.
Según las estadísticas, cada quinto programa para el SO Android tiene vulnerabilidades, lo cual les permite a los malintencionados implementar los troyanos móviles en el dispositivo y realizar las acciones necesarias.
Auditor de seguridad en Dr.Web para Android diagnosticará y analizará la seguridad de un dispositivo móvil, ofrecerá soluciones para resolver los problemas y las vulnerabilidades encontrados.