Riskware。iStealer

Short bio

Riskware。iStealer is Malwarebytes’ detection name for a commercial system monitor application distributed by Kizar Labs. Riskware.iStealer may have the capabilities to harvest stored credentials, keystrokes, screenshots, network activity, and more from computers where the software is installed. Riskware.iStealer may covertly monitor user behavior and harvest personally identifiable information including names and passwords, keystrokes from emails, chat programs, websites visited, and financial activity.

Riskware。iStealer may be capable of the covert collection of screenshots, video recordings, or the ability to activate any connected camera or microphone. Collected information may be stored locally and later retrieved, or may be transmitted to an online service or location.

Symptoms

Riskware。iStealer may run as a start-up entry and may be visible as running processes on compromised machines. Alternatively, Riskware.iStealer may also be configured in a manner which prevents visible processes and start-up entries.

Type and source of infection

Riskware。iStealer分布式使用各种可能methods. This software may be packaged with free online software, or could be disguised as a harmless program and distributed by email. Alternatively, this software may be installed by an individual with physical or remote access to the computer.

Protection

Malwarebytes protects users from the installation of Riskware.iStealer.

Malwarebytes detects and removes Riskware.iStealer.

Remediation

Malwarebytes can detect and remove many Riskware.iStealer infections without further user interaction.

1. Pleasedownload Malwarebytesto your desktop.
2. Double-clickMBSetup.exeand follow the prompts to install the program.
3. When yourMalwarebytes for Windowsinstallation completes, the program opens to the Welcome to Malwarebytes screen.
4. Click on theGet startedbutton.
5. ClickScanto start aThreat Scan.
6. ClickQuarantineto remove the found threats.
7. Reboot the system if prompted to complete the removal process.

Malwarebytes removal log

A Malwarebytes log of removal will look similar to this:

必威平台APP
www.malwarebytes.com

-Log Details-
Scan Date: 3/26/18
Scan Time: 11:37 PM
Log File: e5113647-3180-11e8-8224-00ffc8517b86.json
Administrator: Yes

-Software Information-
Version: 3.4.4.2398
Components Version: 1.0.322
Update Package Version: 1.0.4500
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: DE-WIN7\Fwiplayer

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 295863
Threats Detected: 4
Threats Quarantined: 0
(No malicious items detected)
Time Elapsed: 2 min, 47 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 1
Backdoor.Agent, C:\USERS\FWIPLAYER\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\DON.EXE, No Action By User, [1051], [36025],1.0.4500

Module: 1
Backdoor.Agent, C:\USERS\FWIPLAYER\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\DON.EXE, No Action By User, [1051], [36025],1.0.4500

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 2
Backdoor.Agent, C:\USERS\FWIPLAYER\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\DON.EXE, No Action By User, [1051], [36025],1.0.4500
Trojan.PasswordStealer, C:\USERS\FWIPLAYER\APPDATA\ISTEALER 6.3 LEGENDS.EXE, No Action By User, [3590], [83662],1.0.4500

Physical Sector: 0
(No malicious items detected)

(end)

Traces/IOCs

Associated files:
iStealer.exe