Cinobi Banking Trojan Targets Cryptocurrency Exchange Users via Malvertising

Trend Micro

Indicators of compromise. The Analysis column is the Trend Micro detection name; rows with file name N/A are stages that are only decrypted in memory and have no on-disk file name.

| SHA256 | File name | Note | Analysis |
|---|---|---|---|
| 124FE26D53E2702B42AE07F8AEC5EE4E79E7424BCE6ECDA608536BBF0A7A2377 | oneroom_setup.zip | Malicious game archive | Trojan.Win32.SHELLOAD.AZ |
| E667F9C109E20900CC8BADD09EDE6CDCE0BDC77164CFD035ACE95498E90D45E7 | oneroom_game.zip | Malicious game archive | Trojan.Win32.SHELLOAD.AZ |
| 93FFE7CF56FEB3FB541AEF91D3FC04A5CF22DF428DC0B7E5FEB8EDDDC2C72699 | Magicalgirl.zip | Malicious game archive | Trojan.Win32.SHELLOAD.AZ |
| AD13BB18465D259ACC6E4CEBA24BEFF42D50843C8FD92633C569E493A075FDDC | kiplayer.zip | Malicious streaming archive | Trojan.Win32.SHELLOAD.BA |
| A9EF18B012BD20945BB3533DEEC69D82437BF0117F83B2E9F9E7FACC5AA81255 | oneroom_game_v7.zip | Malicious game archive | Trojan.Win32.SHELLOAD.AZ |
| 6C1F4FFA63EE7094573B0F6D1BD51255F603BC8958757405C8C998416537D587 | Xjs.dll | First shellcode loader | Trojan.Win32.SHELLOAD.AZ |
| 1366E2AC6365E4B76595A19760438D876E01DB40C60EC3F42849F0218B724F1B | Xjs.dll | First shellcode loader | Trojan.Win32.SHELLOAD.AZ |
| 0B3E5E2406490DF17A198A8340B103BB331A5277461234F3F90ED257E418C1F8 | Xjs.dll | First shellcode loader | Trojan.Win32.SHELLOAD.AZ |
| 3E0FAEE93F6EF572537735C7F2D82D151C5A21EB30EACC576B3B66320C74FD34 | format.cfg | Encrypted shellcode | Trojan.Win32.SHELLOAD.AZ.enc |
| DB6CBE4EE82F87008B34D1D4E9AA6EE3C9CCD21CB7A0B60925D5DA8D1295A269 | format.cfg | Encrypted shellcode | Trojan.Win32.SHELLOAD.AZ.enc |
| 3B7FB5EC8180AD74871EB9F5B59E6E98A188CE84BA3BD6ADD9B4BCFCCB80C137 | format.cfg | Encrypted shellcode | Trojan.Win32.SHELLOAD.AZ.enc |
| 52E2B9CBA4E1BEE1EB3ED9D03BC33EADB6C8D6AAC8598679AA95690E587BE7C4 | config.dll | Cinobi 1st stage loader; 32-bit | Trojan.Win32.CINOBI.A |
| F5AD9E32A84DF617ABA3786F19BA7DAB4B4BD8A27627232D3AACE760511AEDF7 | config.dll | Cinobi 1st stage loader; 32-bit | Trojan.Win32.CINOBI.A |
| 45C7C36E7E8B832815D8B03651EDC14F864B52E1C599E5336A1AAA0BD47FF3E3 | cfg.config | Encrypted 1st stage of Cinobi; 32-bit | Trojan.Win32.CINOBI.AC |
| 522C59BACE844A3D76B674842373DDBF959FC5B352317B024DBF225F536A641E | cfg.config | Encrypted 1st stage of Cinobi; 32-bit | Trojan.Win32.CINOBI.AC |
| 16AB933AD01D73120EE5B764C12057FF7F6DC3063BBC377CDB87419A30532323 | N/A | 2nd and 3rd stage loader; 32-bit | Trojan.Win32.CINOBI.AC |
| 9D10AC2A2C7C58F1E1D4B745746AA5F0CE699C0DB87CCCA43418435FAA03AD1B | N/A | 2nd stage, encrypted; 32-bit | Trojan.Win32.CINOBI.AC.enc |
| C4039CD7DB24158BE51DA9010E6A367F5253F40F007B656407FB69D279732784 | N/A | 3rd stage, encrypted; 32-bit | Trojan.Win32.CINOBI.AC.enc |
| 2A6FE431326ACCAF31EA7CA7CD1214AD5EFCA891619859BCF60671A62C8D81F4 | N/A | Cinobi 4th stage (last) | |
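As an added example that is not part of the Trend Micro post, the script below sweeps a directory tree for the indicators in the table. It reports two kinds of hit: an exact SHA256 match (high confidence) and a file name that appears in the table (low confidence). The second signal matters because the table lists three different hashes for Xjs.dll and three for format.cfg, so a rebuilt loader will miss on hash but keep its name; conversely, config.dll is also a common benign name, so a name-only hit is a triage lead, not a verdict. The demo tree it scans is constructed in a temporary directory with harmless bytes, and the one hash match is planted by registering the digest of a constructed file through the `extra_hashes` parameter; the directory layout, file contents and the `run_demo` helper are all assumptions for illustration.

```python
"""Added example: scan a directory tree for the SHELLOAD / Cinobi IOCs above.

Signals: exact SHA256 match (high confidence) and file name from the IOC
table (low confidence, triage lead only). Nothing here is Trend Micro code.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# (SHA256, file name, note) rows copied from the IOC table above.
IOC_ROWS = [
    ("124FE26D53E2702B42AE07F8AEC5EE4E79E7424BCE6ECDA608536BBF0A7A2377", "oneroom_setup.zip", "Malicious game archive"),
    ("E667F9C109E20900CC8BADD09EDE6CDCE0BDC77164CFD035ACE95498E90D45E7", "oneroom_game.zip", "Malicious game archive"),
    ("93FFE7CF56FEB3FB541AEF91D3FC04A5CF22DF428DC0B7E5FEB8EDDDC2C72699", "Magicalgirl.zip", "Malicious game archive"),
    ("AD13BB18465D259ACC6E4CEBA24BEFF42D50843C8FD92633C569E493A075FDDC", "kiplayer.zip", "Malicious streaming archive"),
    ("A9EF18B012BD20945BB3533DEEC69D82437BF0117F83B2E9F9E7FACC5AA81255", "oneroom_game_v7.zip", "Malicious game archive"),
    ("6C1F4FFA63EE7094573B0F6D1BD51255F603BC8958757405C8C998416537D587", "Xjs.dll", "First shellcode loader"),
    ("1366E2AC6365E4B76595A19760438D876E01DB40C60EC3F42849F0218B724F1B", "Xjs.dll", "First shellcode loader"),
    ("0B3E5E2406490DF17A198A8340B103BB331A5277461234F3F90ED257E418C1F8", "Xjs.dll", "First shellcode loader"),
    ("3E0FAEE93F6EF572537735C7F2D82D151C5A21EB30EACC576B3B66320C74FD34", "format.cfg", "Encrypted shellcode"),
    ("DB6CBE4EE82F87008B34D1D4E9AA6EE3C9CCD21CB7A0B60925D5DA8D1295A269", "format.cfg", "Encrypted shellcode"),
    ("3B7FB5EC8180AD74871EB9F5B59E6E98A188CE84BA3BD6ADD9B4BCFCCB80C137", "format.cfg", "Encrypted shellcode"),
    ("52E2B9CBA4E1BEE1EB3ED9D03BC33EADB6C8D6AAC8598679AA95690E587BE7C4", "config.dll", "Cinobi 1st stage loader; 32-bit"),
    ("F5AD9E32A84DF617ABA3786F19BA7DAB4B4BD8A27627232D3AACE760511AEDF7", "config.dll", "Cinobi 1st stage loader; 32-bit"),
    ("45C7C36E7E8B832815D8B03651EDC14F864B52E1C599E5336A1AAA0BD47FF3E3", "cfg.config", "Encrypted 1st stage of Cinobi; 32-bit"),
    ("522C59BACE844A3D76B674842373DDBF959FC5B352317B024DBF225F536A641E", "cfg.config", "Encrypted 1st stage of Cinobi; 32-bit"),
    ("16AB933AD01D73120EE5B764C12057FF7F6DC3063BBC377CDB87419A30532323", "N/A", "2nd and 3rd stage loader; 32-bit"),
    ("9D10AC2A2C7C58F1E1D4B745746AA5F0CE699C0DB87CCCA43418435FAA03AD1B", "N/A", "2nd stage, encrypted; 32-bit"),
    ("C4039CD7DB24158BE51DA9010E6A367F5253F40F007B656407FB69D279732784", "N/A", "3rd stage, encrypted; 32-bit"),
    ("2A6FE431326ACCAF31EA7CA7CD1214AD5EFCA891619859BCF60671A62C8D81F4", "N/A", "Cinobi 4th stage (last)"),
]
IOC_BY_HASH = {h: f"{name}: {note}" for h, name, note in IOC_ROWS}
# N/A rows are memory-only stages with no on-disk name to match.
IOC_BY_NAME = {}
for _, name, note in IOC_ROWS:
    if name != "N/A":
        IOC_BY_NAME.setdefault(name.lower(), note)


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so large archives do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest().upper()


def classify(path, extra_hashes=None):
    """Return (confidence, reason) for one file, or None if nothing matches.

    extra_hashes: optional {SHA256: note} merged with the table (e.g. IOCs
    from a newer report); the demo uses it to plant one known digest.
    """
    hashes = dict(IOC_BY_HASH)
    for h, note in (extra_hashes or {}).items():
        hashes[h.upper()] = note
    digest = sha256_file(path)
    if digest in hashes:
        return "high", f"SHA256 match: {hashes[digest]}"
    note = IOC_BY_NAME.get(Path(path).name.lower())
    if note:
        return "low", f"file name from IOC list ({note}); hash {digest[:12]}... not listed"
    return None


def scan_tree(root, extra_hashes=None):
    """Walk root; return {relative POSIX path: (confidence, reason)} for hits."""
    root = Path(root)
    hits = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            p = Path(dirpath) / fn
            verdict = classify(p, extra_hashes)
            if verdict:
                hits[p.relative_to(root).as_posix()] = verdict
    return hits


def run_demo():
    """Build a constructed tree (harmless bytes, no real samples) and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "games").mkdir()
        (root / "downloads").mkdir()
        # Name-only hits: benign content under file names from the table.
        (root / "games" / "Xjs.dll").write_bytes(b"not a real loader")
        (root / "games" / "format.cfg").write_bytes(b"not real shellcode")
        (root / "downloads" / "oneroom_setup.zip").write_bytes(b"PK placeholder")
        (root / "readme.txt").write_bytes(b"nothing to see here")
        # Hash hit: constructed file whose digest is registered as an extra IOC.
        sample = b"constructed sample standing in for a Cinobi stage"
        (root / "planted.bin").write_bytes(sample)
        planted = {hashlib.sha256(sample).hexdigest(): "constructed demo sample"}
        return scan_tree(root, extra_hashes=planted)


if __name__ == "__main__":
    for path, (confidence, reason) in sorted(run_demo().items()):
        print(f"[{confidence}] {path}: {reason}")
```

On a real host, point `scan_tree` at user download and temp directories and review every low-confidence hit by hand; a SHA256 match is worth an incident ticket on its own, a name match is only a reason to pull the file for analysis.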

Read More: https://www.trendmicro.com/en_us/research/21/h/cinobi-banking-trojan-targets-users-of-cryptocurrency-exchanges-.html