Trojan.Siggen10.30602

Added to the Dr.Web virus database: 2020-09-26

Virus description added: 2020-09-28

Technical Information

Malicious functions

Injects code into

the following system processes:

%WINDIR%\microsoft.net\framework\v4.0.30319\regasm.exe

Reads files which store third party applications passwords

%LOCALAPPDATA%\google\chrome\user data\default\login data
%LOCALAPPDATA%\google\chrome\user data\default\cookies
%LOCALAPPDATA%\google\chrome\user data\default\web data
%APPDATA%\opera software\opera stable\login data
%HOMEPATH%\desktop\aoc_saq_d_v3_merchant.docx
%HOMEPATH%\desktop\applicantform_en.doc
%HOMEPATH%\desktop\glidescope_review_rev_010.docx
%HOMEPATH%\desktop\lisp_success.doc
%HOMEPATH%\desktop\nwfieldnotes1966.docx
%HOMEPATH%\desktop\sdszfo.docx
%HOMEPATH%\desktop\uep_form_786_bulletin_1726i602.doc
%HOMEPATH%\desktop\weeklysheet1215.doc

Modifies file system

Creates the following files

%TEMP%\tmp5f9.tmp
%TEMP%\tmp798.tmp
%TEMP%\tmp797.tmp
%TEMP%\tmp796.tmp
%TEMP%\tmp795.tmp
%TEMP%\tmp794.tmp
%TEMP%\tmp783.tmp
%TEMP%\tmp782.tmp
%TEMP%\tmp781.tmp
%TEMP%\tmp780.tmp
%TEMP%\tmp77f.tmp
%TEMP%\tmp77e.tmp
%TEMP%\tmp76e.tmp
%TEMP%\tmp76d.tmp
%TEMP%\tmp76c.tmp
%TEMP%\tmp76b.tmp
%TEMP%\tmp76a.tmp
%TEMP%\tmp759.tmp
%TEMP%\tmp758.tmp
%TEMP%\tmp757.tmp
%TEMP%\tmp756.tmp
%TEMP%\tmp755.tmp
%TEMP%\tmp799.tmp
%TEMP%\tmp79a.tmp
%TEMP%\tmp7aa.tmp
%TEMP%\tmp7ab.tmp
%TEMP%\tmp82f.tmp
%TEMP%\tmp80e.tmp
%TEMP%\tmp7fe.tmp
%TEMP%\tmp7ed.tmp
%TEMP%\tmp7ec.tmp
%TEMP%\tmp7eb.tmp
%TEMP%\tmp7ea.tmp
%TEMP%\tmp7e9.tmp
%TEMP%\tmp7e8.tmp
%TEMP%\tmp7d8.tmp
%TEMP%\tmp7d6.tmp
%TEMP%\tmp7d7.tmp
%TEMP%\tmp7d5.tmp
%TEMP%\tmp7d4.tmp
%TEMP%\tmp7d3.tmp
%TEMP%\tmp7c2.tmp
%TEMP%\tmp7c1.tmp
%TEMP%\tmp7c0.tmp
%TEMP%\tmp7bf.tmp
%TEMP%\tmp7be.tmp
%TEMP%\tmp7ad.tmp
%TEMP%\tmp7ac.tmp
%TEMP%\tmp830.tmp
%TEMP%\tmp744.tmp
%TEMP%\tmp743.tmp
%TEMP%\tmp742.tmp
%TEMP%\tmp6b9.tmp
%TEMP%\tmp6b8.tmp
%TEMP%\tmp6a8.tmp
%TEMP%\tmp6a7.tmp
%TEMP%\tmp696.tmp
%TEMP%\tmp695.tmp
%TEMP%\tmp694.tmp
%TEMP%\tmp683.tmp
%TEMP%\tmp682.tmp
%TEMP%\tmp681.tmp
%TEMP%\tmp671.tmp
%TEMP%\tmp670.tmp
%TEMP%\tmp65f.tmp
%TEMP%\tmp65e.tmp
%TEMP%\tmp65d.tmp
%TEMP%\tmp64d.tmp
%TEMP%\tmp63c.tmp
%TEMP%\tmp63b.tmp
%TEMP%\tmp63a.tmp
%TEMP%\tmp639.tmp
%TEMP%\tmp609.tmp
%TEMP%\tmp6ba.tmp
%TEMP%\tmp6bb.tmp
%TEMP%\tmp6cc.tmp
%TEMP%\tmp6cd.tmp
%TEMP%\tmp731.tmp
%TEMP%\tmp730.tmp
%TEMP%\tmp72f.tmp
%TEMP%\tmp72e.tmp
%TEMP%\tmp72d.tmp
%TEMP%\tmp71c.tmp
%TEMP%\tmp71b.tmp
%TEMP%\tmp71a.tmp
%TEMP%\tmp70a.tmp
%TEMP%\tmp709.tmp
%TEMP%\tmp707.tmp
%TEMP%\tmp708.tmp
%TEMP%\tmp6f6.tmp
%TEMP%\tmp6f5.tmp
%TEMP%\tmp6f4.tmp
%TEMP%\tmp6f3.tmp
%TEMP%\tmp6f2.tmp
%TEMP%\tmp6e1.tmp
%TEMP%\tmp6e0.tmp
%TEMP%\tmp6df.tmp
%TEMP%\tmp6de.tmp
%TEMP%\tmp6ce.tmp
%TEMP%\tmp741.tmp
nul

Deletes the following files

%TEMP%\tmp609.tmp
%TEMP%\tmp76a.tmp
%TEMP%\tmp76c.tmp
%TEMP%\tmp76e.tmp
%TEMP%\tmp77f.tmp
%TEMP%\tmp781.tmp
%TEMP%\tmp783.tmp
%TEMP%\tmp795.tmp
%TEMP%\tmp797.tmp
%TEMP%\tmp799.tmp
%TEMP%\tmp7aa.tmp
%TEMP%\tmp7ac.tmp
%TEMP%\tmp7be.tmp
%TEMP%\tmp7c0.tmp
%TEMP%\tmp7c2.tmp
%TEMP%\tmp7d4.tmp
%TEMP%\tmp7d6.tmp
%TEMP%\tmp7d8.tmp
%TEMP%\tmp7e9.tmp
%TEMP%\tmp7eb.tmp
%TEMP%\tmp7ed.tmp
%TEMP%\tmp7fe.tmp
%TEMP%\tmp80e.tmp
%TEMP%\tmp82f.tmp
%TEMP%\tmp758.tmp
%TEMP%\tmp830.tmp
%TEMP%\tmp756.tmp
%TEMP%\tmp742.tmp
%TEMP%\tmp63a.tmp
%TEMP%\tmp63c.tmp
%TEMP%\tmp65d.tmp
%TEMP%\tmp65f.tmp
%TEMP%\tmp671.tmp
%TEMP%\tmp682.tmp
%TEMP%\tmp694.tmp
%TEMP%\tmp696.tmp
%TEMP%\tmp6a8.tmp
%TEMP%\tmp6b9.tmp
%TEMP%\tmp6bb.tmp
%TEMP%\tmp6cd.tmp
%TEMP%\tmp6de.tmp
%TEMP%\tmp6e0.tmp
%TEMP%\tmp6f2.tmp
%TEMP%\tmp6f4.tmp
%TEMP%\tmp6f6.tmp
%TEMP%\tmp708.tmp
%TEMP%\tmp70a.tmp
%TEMP%\tmp71b.tmp
%TEMP%\tmp72d.tmp
%TEMP%\tmp72f.tmp
%TEMP%\tmp731.tmp
%TEMP%\tmp744.tmp
%WINDIR%\microsoft.net\framework\v4.0.30319\regasm.exe

Network activity

TCP

HTTP GET requests

http://ch#####.amazonaws.com/
http://www.ge###ugin.net/json.gp?ip###############

HTTP POST requests

http://45.##.183.212:35253/IRemotePanel via 45.##.183.212

'ap#.ip.sb':443

'wh###.iana.org':43

'WH###.RIPE.NET':43

UDP

DNS ASK ap#.ip.sb
DNS ASK ch#####.amazonaws.com
DNS ASK wh###.iana.org
DNS ASK WH###.RIPE.NET
DNS ASK ge###ugin.net

Miscellaneous

Executes the following

'%WINDIR%\microsoft.net\framework\v4.0.30319\regasm.exe'
'%WINDIR%\syswow64\cmd.exe' /C ping 127.0.0.1 -n 3 > nul &del "%WINDIR%\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
'%WINDIR%\syswow64\ping.exe' 127.0.0.1 -n 3

Your browser is obsolete!

Technologies

Terminology

Training and education

Myths

Technical Information

Curing recommendations

Free trial

Doctor Web in social networks

For Telegram

Other Dr.Web resources