Fareit troyan sent by mail that steals passwords from FTP services and browsers


This report presents the analysis of a variant of the Fareit family. This malware has characteristics of dropper because it contains a malicious batch script that is created and executed on the infected computer, and of spyware, as it collects information of the accounts stored on the FTP applications, browsers and email clients of the users without their consent.



The malware discussed in this report was sent by a colleague, who told us that the sample had been collected by a FireEye appliance of his company and that, at the time of sending it to the Malware Analysis Team of UNAM-CERT, was detected as malicious by few antivirus engines.

Below are some details of the sample “ORD 119076 AAB-6674 KARAK-096.exe”:


MD5 Hash: e50372a14010dbba9260914597c615d5

SHA1: 4a52dfea387bfec400927c81280f6a84174659f1

SHA256: 3fc642a5908d7f25880290b43f795ba4cda120440743b12631df94de6f661875

Packed: No


The VirusTotal report can be found on this link.



After executing the sample, the following process tree was created:

ORD 119076 AAB-6674 KARAK-096.exe





File System Activity

The sample creates a file with “bat” extension and a name formed by 7 or 8 random numbers on the path C:\Users\<usuario>\AppData\Local\Temp\. Each time the sample is executed it creates the same file but with a different name, as observed on the image below:


This file contains a cycle that repeats until the file which name is stored in %1 gets deleted. %1 is the first parameter passed to the bat file by command line. It then tries to delete the file referenced by %0, which contains the name of the bat file, i.e., it attempts to delete itself.


On the following image it can be observed that is the process cmd.exe the one that executes the bat file and that it passes as parameter the path of the file svchost.exe. In other words, the script tries to delete the file C:\Windows\system32\svchost.exe and then itself, as mentioned above.



It also creates two temporal files in C:\Users\<user>\AppData\Local\Temp and copies the content of the first file into the second.


The trojanized process svchost.exe makes a recursive search in the directories C:\Users\<user>\AppData\Roaming\ and C:\ProgramData trying to find the FTP applications installed on the computer.


It also attempts to get the files that contain the passwords stored by the user related to the following applications:

* E-mail

  • Windows Mail
  • Becky Internet Mail
  • PocoMail
  • Bat! Mail
  • Outlook


* Browsers

  • Bromium
  • Nichrome
  • Comodo Dragon
  • RockMelt


Windows Registry Activity

The sample creates the following registry key during its installation:


And continues the search of installed FTP software on the registry keys.


The full list of applications searched by this malicious program is below:

CuteFTP 6 Home VanDyke Software FTP Server de RhinoSoft
CuteFTP 6 Professional FTP Rush LeechFTP
CuteFTP 7 Home Web Site Publisher by Brian FTPGetter
CuteFTP 7 Professional Cryer ALFTP
CuteFTP 8 Home BitKinex AceFTP de Visicom Media
CuteFTP 8 Professional ExpanDrive BlazeFtp
FlashFXP 3 Classic FTP FTP++
FlashFXP 4 Fling File Transfer 3D-FTP
FileZilla Client FTP Client NetSarang
Bullet Proof FTP Directory Opus Robo-FTP 3.7
SmartFTP LeapFTP LinasFTP
TurboFTP WinSCP Cyberduck
Sota FFFTP 32BitFtp Putty
CoffeeCup Software NetDrive NppFTP
FTPWare WebDrive FTP Client FTPInfo
FTP Explorer WISE FTP de AceBIT WinZip FTP
Frigate 3 Opera FTP Clients  


Once it discovers that a program on the list is installed, it searches recursively on the subkeys, trying to obtain data such as: passwords, usernames, hostnames, user names, ports, etc.


It also looks for the path of the Mozilla Firefox executable on the value stored by PathToExe in the subkey HKLM\SOFTWARE\Mozilla\Firefox.


The sample checks the key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Url History\ and the value in DaysToGo to know the amount of days that the website history must be kept before being deleted. And the browsing history in the file %systemdir%\Users\%username%\AppData\Local\Microsoft\Windows\Temporary Internet Files\index.dat


It also searches for the Internet Explorer passwords stored because of the autocomplete function on the subkey HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2.


And the user certificates stored in C:\Users\<user>\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\. The name of each file corresponds to its SHA1 hash.



Network Activity

The sample makes GET requests to the domains ocsp.verisign.com, sf.symcd.com, sf.symcb.com and crl.verisign.com to download files with the extension “crl” (Certificate Revocation List).


These certificates, according to this Microsoft Technet site, were issued by different CAs for software developers around the world and are used by some variants of the Fareit family.


In this case, the sample contained a certificate supposedly signed by “TeamViewer” and on the countersigned, which guarantees the certificate, indicated that the signer was “Symantec Time Stamping Services Signer”.


As mentioned on the previous section, this sample consults the certificates stored in C:\Users\<user>\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\, possibly with the intention of making copies and sending them to its C&C (Command and Control) to validate new Fareit variants.



Command & Control

The malicious sample attempts to contact its C&C to send the collected data through a POST request to the URL onxxxxxxember.3eeweb.com.


The following image showsthe connection established by the infected system to the IP address of the C&C server on port 80.



Static Analysis

The sampleonly calls the function _CorExeMain from the library MSCorEE.dll (Microsoft Component Execution Engine runtime object). In a .NET executable, the sample sends its entry point to the _CorExeMain function and, after loading the CLR (Common Language Runtime), walks over the program’s metadata and executes the CLR entry point.


After decompiling the sample with dotPeek, it was observed that the sample was obfuscated using complex names for the variables and the functions to difficult its analysis.