Felipe Infostealer Trojan

The Zscaler ThreatLabZ team came across a new strain of infostealer Trojan called Felipe, which silently installs itself on a user’s system and connects to a command-and-control (C&C) server to send information about the compromised system.

The malware is compiled for both 32-bit and 64-bit Windows operating systems. Felipe steals the victim’s debit and credit card information and sends it, along with other personal information, to the remote C&C server. It also sets a date and time at which to perform further malicious activity after a successful infection of the victim machine.

Felipe obtains raw user data from process memory dumps, then applies an algorithm to that data to identify payment card information and to verify that it is legitimate. The harvested information is encrypted with the Triple Data Encryption Standard (3DES) algorithm and sent to the C&C server.
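The same card-identification logic is what a defender runs over a memory dump to confirm whether payment data sits unprotected in a process. The following is an added example (not code from the original post or from Zscaler); the post does not name the validation algorithm the malware uses, so the Luhn mod-10 check, the standard test for payment card numbers, is assumed here, and the sample dump is constructed.

```python
"""Scan a buffer (e.g. a process memory dump) for payment-card-like numbers.

Finds runs of 13-19 digits, optionally separated by spaces or dashes,
normalises them and keeps only those passing the Luhn mod-10 check.
Luhn is an assumption: the post only says Felipe "verifies" the data.
"""
import re

# Candidate: 13-19 digits, each optionally followed by one space or dash,
# not adjacent to further digits on either side.
CANDIDATE_RE = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string satisfies the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9          # same as summing the two digits of d
        total += d
    return total % 10 == 0


def find_cards(buf: bytes) -> list[str]:
    """Return de-duplicated, Luhn-valid digit strings found in buf."""
    found = []
    for m in CANDIDATE_RE.finditer(buf):
        digits = re.sub(rb"[ -]", b"", m.group()).decode()
        if luhn_ok(digits) and digits not in found:
            found.append(digits)
    return found


# Constructed sample "memory dump": one Luhn-valid test PAN (4111...),
# a Luhn-invalid 16-digit run, and a timestamp that must not be reported.
SAMPLE_DUMP = (
    b"\x00\x00name=J. Doe\x00pan=4111 1111 1111 1111\x00"
    b"id=4111111111111112\x00ts=20190125093001\x00"
)

if __name__ == "__main__":
    for pan in find_cards(SAMPLE_DUMP):
        masked = pan[:6] + "*" * (len(pan) - 10) + pan[-4:]
        print("Luhn-valid card-like number in dump:", masked)
```

Only the first six and last four digits are printed, so the scan report itself does not become another copy of the card data.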

Indicators of Compromise

URLs

  • 192.99.215[.]95/uploads
  • Inmemory[.]tech

Filenames

  • down.exe
  • explorer32.exe
  • install2.bat
  • vshost.exe

MD5 File Hashes

  • 15CE8F849FFF4CC8675900EC838A93F9
  • 61B06E49D514F3DC5BE4F4EF08F6B43C
  • 7D016A3BB29904A6E00161694FC6AB4E
  • D912771C8CD5720AD835E08EB80A77B6

Jason Davies

UK based technology professional, with an interest in computer security and telecoms.
