[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"wscntfx" = "%filepath%"
where %filepath% is the full path of the main executable. In addition, the malware modifies the value of the following Registry key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"Embedded Web Browser from: http://bsalsa.com/" = ""
The following Registry keys are deleted:
[HKEY_CLASSES_ROOT\CLSID\{2E3C3651-B19C-4DD9-A979-901EC3E930AF}]
[HKEY_CLASSES_ROOT\CLSID\{3F888695-9B41-4B29-9F44-6B560E464A16}]
[HKEY_CLASSES_ROOT\CLSID\{9EC30204-384D-11D3-9CA3-00A024F0AF03}]
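The Registry indicators above can be checked on a suspect machine with the following read-only PowerShell script. It is an added example written for this page, not a tool from the vendor or from the malware description itself; the key paths, the value name wscntfx, the Post Platform entry and the three CLSIDs are taken from the text above, and the script only reports what it finds without changing anything.

```powershell
# Added example: read-only check for the Registry indicators listed above.
# Run in an elevated PowerShell on the machine being examined; it reports, it never deletes or modifies.

$findings = @()

# 1. Persistence: the Run value named "wscntfx" (key path and value name from the page)
$runKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runValue = (Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue).wscntfx
if ($runValue) {
    $findings += "Run value 'wscntfx' present, data: $runValue"
    if (Test-Path -LiteralPath $runValue) {
        # hash the referenced file so it can be matched against other hosts or a sandbox report
        $hash = (Get-FileHash -LiteralPath $runValue -Algorithm SHA256).Hash
        $findings += "  referenced file exists on disk, SHA256 $hash"
    } else {
        $findings += "  referenced file not found on disk (value may be stale)"
    }
}

# 2. Added "Post Platform" entry under the User Agent key (entry name from the page)
$uaKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform'
$uaName = 'Embedded Web Browser from: http://bsalsa.com/'
if (Test-Path -LiteralPath $uaKey) {
    $uaProps = Get-ItemProperty -LiteralPath $uaKey -ErrorAction SilentlyContinue
    if ($uaProps.PSObject.Properties.Name -contains $uaName) {
        $findings += "Post Platform entry present: '$uaName'"
    }
}

# 3. CLSID keys named on the page; the text says they are deleted, so report the current state either way
$clsids = @(
    '{2E3C3651-B19C-4DD9-A979-901EC3E930AF}',
    '{3F888695-9B41-4B29-9F44-6B560E464A16}',
    '{9EC30204-384D-11D3-9CA3-00A024F0AF03}'
)
foreach ($c in $clsids) {
    $present = Test-Path -LiteralPath "Registry::HKEY_CLASSES_ROOT\CLSID\$c"
    $findings += "CLSID $c : " + $(if ($present) { 'present' } else { 'absent' })
}

if ($findings.Count -eq 0) { 'No indicators found.' } else { $findings }
```

Note that HKCU: resolves to the hive of the account running the script, so the Post Platform check must be run as the user whose profile is suspected (or repeated against each loaded hive under HKEY_USERS); only the Run value under HKLM is machine-wide.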
Payload process
Once active, the malware automatically downloads its configuration file from:
http://juliana9090v.dominiotemporario.com/configex.txt
It compares this with the current state of the victim's computer and makes the corresponding changes. It then monitors all active browsers: when the user visits a specific address, it immediately collects all user-entered information and the data filled into the forms on that website. It pays particular attention to the following two addresses:
www.bradesco.com.br
https://www2.realsecureweb.com.br
It also captures credit card data and numbers entered on other websites. This data is sent to the attacker's mailbox address or to the email address specified in the previously downloaded configuration file.
The following SMTP server is used to send the email:
smtp.tutopia.com.br
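The configuration host and the SMTP server named above are the network indicators a defender can hunt for in proxy or firewall logs. The following PowerShell snippet is an added example, not part of the original description: the log format and the four sample lines are constructed for illustration, and only the two hostnames come from the page (the two bank addresses are legitimate sites and are deliberately not treated as indicators).

```powershell
# Added example: hunt log lines for the network indicators named on the page.
# The log layout below is constructed for this example; adapt the field split to your own logs.

$sampleLog = @'
2009-04-02 10:12:01 10.0.0.15 GET http://juliana9090v.dominiotemporario.com/configex.txt 200
2009-04-02 10:12:05 10.0.0.15 GET http://www.bradesco.com.br/ 200
2009-04-02 10:13:40 10.0.0.15 TCP smtp.tutopia.com.br:25 ALLOW
2009-04-02 10:14:02 10.0.0.22 GET http://example.org/index.html 200
'@ -split '\r?\n'

$indicators = @(
    'juliana9090v.dominiotemporario.com',   # configuration download host (from the page)
    'smtp.tutopia.com.br'                   # SMTP server used to send the stolen data (from the page)
)

# escape each hostname so the dots match literally, then match any of them
$pattern = ($indicators | ForEach-Object { [regex]::Escape($_) }) -join '|'

$hits = $sampleLog | Select-String -Pattern $pattern | ForEach-Object {
    $parts = $_.Line -split '\s+'
    [pscustomobject]@{
        Time      = "$($parts[0]) $($parts[1])"
        ClientIP  = $parts[2]
        Indicator = $_.Matches[0].Value
        Line      = $_.Line
    }
}

$hits | Format-Table -AutoSize

# distinct client addresses that touched an indicator are the hosts to triage next
$hits | Select-Object -ExpandProperty ClientIP -Unique
```

In the constructed sample only 10.0.0.15 is reported (two hits: the configex.txt download and the SMTP connection), while the visit to www.bradesco.com.br and the unrelated host 10.0.0.22 are ignored. Outbound SMTP to an external server from a workstation is itself worth alerting on regardless of the hostname, since ordinary clients relay through the corporate mail server.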