TrojanPWS.Fareit.gen is a password-stealing Trojan that arrives in users' inboxes as an attachment under a variety of names, including Report_[random number]_TRS289.zip. The email has a forged From: address that appears to come from Wells Fargo Bank.
The Trojan steals passwords and, once executed, contacts several websites to download additional malicious files.
The sites include:
hxxp://w60xxv1kc.homepage.t-online.de/KYrngX.exe
hxxp://bigxxal.my/cXCNeV.exe
hxxp://jntecnxxxgiape.com.br/xSkAzk.exe
Please Note: Thirtyseven4 has proactively blocked these targeted domains via our Browser Protection module.
Upon execution, it drops a polymorphic file at the following location: %Appdata%\[random_folder]\[random_name].exe
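The two host-side indicators described above (the attachment name format and the drop location one folder below %AppData%) can be turned into a simple triage check. This is an added example, not Thirtyseven4's code; the event field names, user name, and folder names are constructed assumptions.

```python
import re
from pathlib import PureWindowsPath

# Attachment format quoted in the advisory: Report_[random number]_TRS289.zip
# (the advisory says other names are used too, so this covers one lure only).
ATTACHMENT_RE = re.compile(r"^Report_\d+_TRS289\.zip$", re.IGNORECASE)


def is_suspect_attachment(filename):
    return bool(ATTACHMENT_RE.match(filename.strip()))


def is_suspect_drop_path(image_path, appdata):
    """True for an .exe exactly one folder below %AppData%.

    The dropped file is polymorphic, so the path shape is checked
    instead of a file hash.
    """
    parts = [p.lower() for p in PureWindowsPath(image_path).parts]
    root = [p.lower() for p in PureWindowsPath(appdata).parts]
    if parts[:len(root)] != root:
        return False
    rel = parts[len(root):]
    return len(rel) == 2 and rel[1].endswith(".exe")


# Constructed sample events (not from the advisory); the user name,
# folder names and event field names are assumptions.
APPDATA = r"C:\Users\alice\AppData\Roaming"
SAMPLE_EVENTS = [
    {"type": "mail", "attachment": "Report_48213_TRS289.zip"},
    {"type": "mail", "attachment": "Report_Q3_final.zip"},
    {"type": "process", "image": APPDATA + r"\Ykbea\ucowq.exe"},
    {"type": "process", "image": APPDATA + r"\Vendor\App\bin\tool.exe"},
    {"type": "process", "image": r"C:\Program Files\Vendor\tool.exe"},
]


def triage(events, appdata=APPDATA):
    """Return (event index, reason) for events matching either indicator."""
    hits = []
    for i, ev in enumerate(events):
        if ev["type"] == "mail" and is_suspect_attachment(ev["attachment"]):
            hits.append((i, "attachment name matches the lure format"))
        elif ev["type"] == "process" and is_suspect_drop_path(ev["image"], appdata):
            hits.append((i, "executable one folder below %AppData%"))
    return hits
```

Legitimate software also places executables one folder below %AppData%, so a path match is a lead for further review, not a verdict.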
Here is an example screenshot:
“Delight yourself in the Lord and he will give you the desires of your heart.” Psalm 37:4