Trojan-PWS:W32/Fareit

Classification

Malware

Trojan-PWS

W32

Trojan.Fareit.[variant], Trojan.PWS.Fareit.[variant]

Summary

Fareit is a password and credential stealer; it sends the collected information to a compromised server.

Removal

Automatic action

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

Technical Details

Propagation

The password stealer module used by Fareit is delivered through a multi-stage trojan downloader. This downloader typically infiltrates a system via an attachment in a malicious email.

The stealer module arrives as an .exe or a .dll file, and is later launched by the same downloader module that it came with.

Behavior

Anti-analysis:

Fareit queries the Process Environment Block (PEB) structure and checks whether the process is being debugged. If a debugger is detected, a target address is overwritten with an invalid value, causing an access violation exception when that address is later called.

Stealer:

Upon execution, Fareit proceeds to collect usernames and passwords stored by particular applications.

It looks for applications associated with the following programs:

  1. File Transfer Protocol (FTP)
  2. Web browser
  3. Email exchange
  4. System utilities
  5. Microsoft cached passwords
    • Remote Desktop Protocol (RDP) stored credentials
    • Internet Explorer (IE) Credential Manager

The collected information is encrypted before it is transmitted to a compromised server.

Payload Delivery:

Certain variants of Fareit are capable of downloading additional malware payloads.

Password Brute-forcing:

This malware enumerates active user accounts and attempts to brute-force their passwords using the password list it carries (see Password List below). After successfully logging in, it proceeds to execute its password stealer function.
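
As an added illustration, not part of the original description: the brute-forcing behaviour above leaves a recognisable trace in the Windows Security log, a burst of failed logons (Event ID 4625) across several enumerated accounts from one source, followed by a success (4624) once a guess lands, which is the point at which the stealer would run. The events, hosts and thresholds below are constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Security-log extract, not real telemetry. Tuple fields:
# (time, event id, host, target account, source). 4625 = failed logon,
# 4624 = successful logon.
def constructed_events():
    base = datetime(2019, 6, 27, 10, 0, 0)
    rows, t = [], base
    # WKS01: one source tries four guesses against each of three enumerated
    # accounts, eleven failures in under a minute, then the last guess succeeds.
    for user in ("administrator", "jsmith", "backup"):
        for _ in range(4):
            rows.append((t, 4625, "WKS01", user, "10.0.0.7"))
            t += timedelta(seconds=4)
    rows[-1] = (rows[-1][0], 4624, "WKS01", "backup", "10.0.0.7")
    # WKS02: a user mistypes twice and then logs in; ordinary behaviour.
    rows.append((base, 4625, "WKS02", "jdoe", "10.0.0.9"))
    rows.append((base + timedelta(seconds=20), 4625, "WKS02", "jdoe", "10.0.0.9"))
    rows.append((base + timedelta(seconds=40), 4624, "WKS02", "jdoe", "10.0.0.9"))
    return rows

# Thresholds are lowered to suit the small sample; Fareit's real list holds
# hundreds of passwords, so genuine bursts are far larger.
def detect_bruteforce(events, window=timedelta(seconds=60),
                      min_failures=8, min_users=2):
    """Flag (host, source) pairs with a burst of failed logons spread over
    several accounts, and note whether a success from the same source followed
    inside the window, which is when Fareit would run its stealer.
    Returns (host, source, failures, distinct_users, success_followed)."""
    by_pair = defaultdict(list)
    for ts, eid, host, user, src in sorted(events):
        by_pair[(host, src)].append((ts, eid, user))
    alerts = []
    for (host, src), evs in by_pair.items():
        fails = [(ts, user) for ts, eid, user in evs if eid == 4625]
        for i, (start, _) in enumerate(fails):
            burst = [u for ts, u in fails[i:] if ts - start <= window]
            if len(burst) >= min_failures and len(set(burst)) >= min_users:
                success = any(eid == 4624 and start <= ts <= start + window
                              for ts, eid, _ in evs)
                alerts.append((host, src, len(burst), len(set(burst)), success))
                break
    return alerts
```
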

Others:

Some variants of Fareit may also imitate the mutexes of other RDP utilities to mask their execution in the background. Once execution is complete, the malware deletes itself.

POC Network:

  • hxxp:// ds8sd2q5-001-site1 .ftempurl .com/online /gate.php
  • hxxp:// ds8sd2q5-001-site1 .ftempurl .com/online /file.exe
  • hxxp:// soflynote .com/mlu /forum.php
  • hxxp:// enaningonrigh .ru/mlu /forum.php
  • hxxp:// thetymirop .ru/mlu /forum.php

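
An added detection example, not part of the original description: it refangs the POC Network indicators above and matches them against constructed Squid-style proxy log lines, reporting an exact host-and-path match as high confidence and a bare host match as medium. The log lines and client addresses are constructed.

```python
import re
from urllib.parse import urlparse

# The page's "POC Network" indicators in their defanged form (hxxp://, spaces).
FAREIT_C2_DEFANGED = [
    "hxxp:// ds8sd2q5-001-site1 .ftempurl .com/online /gate.php",
    "hxxp:// ds8sd2q5-001-site1 .ftempurl .com/online /file.exe",
    "hxxp:// soflynote .com/mlu /forum.php",
    "hxxp:// enaningonrigh .ru/mlu /forum.php",
    "hxxp:// thetymirop .ru/mlu /forum.php",
]

def refang(ioc: str) -> str:
    """Turn a spaced, hxxp-defanged indicator back into a parseable URL."""
    return ioc.replace(" ", "").replace("hxxp://", "http://", 1)

# Exact host+path pairs (high confidence) and bare hosts (medium confidence).
C2_PATHS = {(urlparse(refang(i)).hostname, urlparse(refang(i)).path)
            for i in FAREIT_C2_DEFANGED}
C2_HOSTS = {host for host, _ in C2_PATHS}

# Squid-style access-log lines, constructed for this example (not real traffic).
SAMPLE_LOG = """\
1561627201.113 120 10.0.0.7 TCP_MISS/200 512 POST http://ds8sd2q5-001-site1.ftempurl.com/online/gate.php - HIER_DIRECT/203.0.113.9 text/html
1561627202.551 80 10.0.0.7 TCP_MISS/200 204800 GET http://ds8sd2q5-001-site1.ftempurl.com/online/file.exe - HIER_DIRECT/203.0.113.9 application/octet-stream
1561627203.004 45 10.0.0.12 TCP_MISS/200 1024 GET http://example.com/mlu/forum.php - HIER_DIRECT/198.51.100.4 text/html
1561627204.777 130 10.0.0.19 TCP_MISS/200 300 POST http://soflynote.com/mlu/forum.php - HIER_DIRECT/203.0.113.22 text/html
1561627205.020 60 10.0.0.19 TCP_MISS/404 200 GET http://thetymirop.ru/mlu/index.php - HIER_DIRECT/203.0.113.31 text/html
"""

# Fields: timestamp, elapsed ms, client, result/status, bytes, method, URL, ...
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+\S+\s+(?P<client>\S+)\s+\S+\s+\S+\s+"
                     r"(?P<method>\S+)\s+(?P<url>\S+)")

def match_fareit_c2(log_text: str):
    """Return (client, method, url, confidence) for each request that touches
    a listed C2 endpoint ("high") or merely a listed C2 host ("medium")."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        u = urlparse(m.group("url"))
        if (u.hostname, u.path) in C2_PATHS:
            hits.append((m.group("client"), m.group("method"), m.group("url"), "high"))
        elif u.hostname in C2_HOSTS:
            hits.append((m.group("client"), m.group("method"), m.group("url"), "medium"))
    return hits
```
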
Password List

000000

1

1111

11111

111111

11111111

112233

123

123123

123321

1234

12345

123456

1234567

12345678

123456789

1234567890

123abc

123qwe

1q2w3e

1q2w3e4r

222222

55555

654321

666666

7777

7777777

a

aaaaaa

abc123

adidas

admin

amanda

andrew

angel

angel1

angels

anthony

apple

asdf

asdfasdf

asdfgh

ashley

asshole

monkey

mother

muffin

mustang

mustdie

mylove

myspace1

nathan

nicole

nintendo

none

nothing

nothingginger

onelove

online

orange

pass

passw0rd

password

password1

peace

austin

baby

bailey

banana

bandit

baseball

batman

benjamin

billgates

biteme

blabla

blahblah

blessed

blessing

blink182

bubbles

buster

canada

cassie

charlie

cheese

chelsea

chicken

chris

christ

church

cocacola

compaq

computer

cookie

cool

corvette

creative

dakota

dallas

daniel

danielle

david

destiny

dexter

diamond

digital

dragon

eminem

peaches

peanut

pepper

phpbb

pokemon

poop

power

praise

prayer

prince

princess

purple

qazwsx

qwert

qwerty

qwerty1

rachel

rainbow

red123

richard

robert

rotimi

emmanuel

enter

faith

flower

foobar

football

football1

forever

forum

freedom

friend

friends

fuckoff

fuckyou

fuckyou1

gates

gateway

genesis

george

gfhjkm

ghbdtn

ginger

god

google

grace

green

guitar

hahaha

hallo

hannah

happy

hardcore

harley

heaven

hello

hello1

helpme

hockey

hope

hotdog

hunter

ilovegod

iloveyou

iloveyou!

samantha

sammy

samuel

saved

scooby

scooter

secret

shadow

shalom

silver

single

slayer

smokey

snoopy

soccer

soccer1

sparky

spirit

startrek

starwars

stella

summer

iloveyou1

iloveyou2

internet

james

jasmine

jason

jasper

jennifer

jessica

jesus

jesus1

john

john316

jordan

jordan23

joseph

joshua

junior

justin

killer

kitten

knight

letmein

london

looking

love

lovely

loving

lucky

maggie

maggietrinity

master

matrix

matthew

maverick

maxwell

merlin

merlingoogle

michael

michelle

mickey

microsoft

mike

sunshine

superman

taylor

test

testing

testtest

thomas

thunder

tigger

trinity

trustno1

victory

viper

welcome

whatever

william

windows

winner

wisdom

zxcvbnm

Target FTP apps

FTP

Far

Far2

WS_FTP

CUTEFTP 6, 7, 8

FlashFXP

FTP Navigator

FTP Commander

SmartFTP

FlashFXP

Bullet Proof FTP

TurboFTP

FFFTP

Direct FTP

Free FTP

COREFTP

FTP Explorer

UltraFXP

FTPRush

BitKinex

WebSitePublisher - Cryer

ExpanDrive

ClassicFTP

Fling

FTPClient

32BitFtp

NetDrive

South River Technologies - WebDrive

FTPCON

FTP CONTROL

WISEFTP

FTP Voyager

FIRE FTP

Odin Secure FTP Expert

WinFTP

FTPGetter

ALFTP

Martin Prikryl WinSCP

DeluxeFTP

Staff-FTP

ACE FTP

Global Downloader

FreshFTP

BlazeFtp

LeechFTP

NppFTP

GoFTP

3D-FTP

EasyFTP

NetSarang - XFTP

FTPNow

Robo-FTP 3.7

LinasFTP

Cyberduck

SimonTatham - PuTTY

FTPShell

FTPInfo

Nico Mak Computing - WinZip - FTP

My FTP

NovaFTP

FastTrack FTP

Web Browsers

Bromium

Chrome/ Chromium

ChromePlus

Comodo

Epic

Firefox

Flock

FastStone Browser

K-Meleon

Nichrome

Opera

RockMelt

Email Exchange

SeaMonkey

Yandex

Windows Live Mail

Becky! Internet Mail

Pocomail

IncrediMail

BatMail

The Bat!

Outlook

Thunderbird

Utilities

Windows Commander

Total Commander

Frigate3

Directory Opus

NexusFile

Adobe

Password Storage

Microsoft_WinInet

  • abe2869f-9b47-4cd9-a358-c22904dba7f7

RDP Password Storage - TERMSRV/*

  • {74FF1730-B1F2-4D88-926B-1568FAE61DB7}

Analysis on files:

  • ba8558822eab7f463aa938598592c07fda191fe8
  • 1ec560e7b309ddab218cea844b207d2edd098841

Analysis by: M. Oliveros

Date Created: 27 June 2019

Date Last Modified: -