SCF Advanced Search

  • Total Posts: 40526
  • Total Topics: 14430
  • Online Today: 762
  • Online Ever: 51419
  • (01. January 2010., 10:27:49)

Author Topic: Hesperus (Evening Star) Shines as Latest ‘Banker’ Trojan  (Read 1970 times)

0 Members and 1 Guest are viewing this topic.


  • SCF VIP Member
  • *****
  • Posts: 776
  • KARMA: 117
  • Gender: Male
  • Pez
Hesperus (Evening Star) Shines as Latest ‘Banker’ Trojan

Hesperus, or Hesperbot, is a newly discovered banker malware that steals user information, mainly online banking credentials. In function it is similar to other “bankers” in the wild, especially Zbot. Hesperus means evening star in Greek. It is very active in Turkey and the Czech Republic and is slowly spreading across the globe.

This sophisticated malware uses of different modules for specific purposes, injects HTML scripts into bank-related websites, stores all modules and data in encrypted form, encrypts its configuration file, uses the Twofish encryption algorithm with an HMAC-SHA512 hash key, employs WinScard.dll to read smart cards, and communicates with its control server over SSL. It also uses the current standard technique of injecting its entire code into attrib.exe and then into explorer.exe. Thus its communications appear to be from the legitimate file explorer.exe.

I analyzed a recent binary, compiled on September 2, and found that its control server is very active. The main binary is custom packed. After unpacking, it contains a string suggesting dropper_x86.bin is its original name:

• MD5: 72AD2AF02C98068DE5FD9F9AE2C5B750. Compiled Date: Monday, Sep. 2, 2013, 11:18:20

Dropper_x86.bin contains two binaries specific to the operating system:

• Core_x86.bin for 32-bit OS. MD5: 524C3F6F5D6968557AB000B920D42D9E. Compiled Date: Monday, Sep. 2, 2013, 10:46:05

• Core_x64.bin for 64-bit OS. MD5: 5D7E115CD6269FDDFB75AE76E5D5221A. Compiled Date: Monday, Sep. 2, 2013, 10:46:16  – 64 Bit EXE

These binary files have one export function, “_hesperus_core_entry,” hence the bot name.

Following strings suggest possible geographic locations for infections:

("click the images to make them larger")

The main binary unpacking code:

This code starts attrib.exe in a suspended state and injects its code. It drops a few files into the %APPDATA% directory as .dat and .bkp files.

User information such as computer name/username, encryption key, main binary file, downloaded malicious modules, and configuration file are stored in a different .dat.

The .bkp files are backup files for .dat files.

Data in  .dat and .bkp files is encrypted using the Twofish encryption algorithm with an HMAC-SHA512 hash key.

After injecting code into explorer.exe, the malware connects to its control server using HTTPS to evade general antimalware detection. Its communications appear to come from the legitimate explorer.exe system file. Moreover, the domain names of the control servers appear to be legitimate domain WHOIS service requests. Using valid SSL traffic makes the malware even harder to detect.

Using SSL, the Trojan downloads other malicious modules from its control server. These are used to hide virtual network computing, and for keylogging, screen recorder, smart card reader, socket secure protocol proxy, etc.

These modules are:

• hvnc_mod_x86.mod

• keylog_mod_x86.mod

• sch_mod_x86.mod

• socks_mod_x86.mod

The malware communicates with other legitimate websites such as,,, etc.

The associated control server domains:




Another variant downloads other malware from a different URL and collects and sends user email addresses to

MD5: A79D1E01A05C262DC0A8DA5C577CAF89. Compiled Date: Thursday, Aug. 29, 2013, 9:01:08

Another variant (MD5: 4107E4C91B197C483C320DA13EF27F95. Compiled Date: Monday, Sep. 2, 2013, 11:12:21) sends infection information using POST to

Original article: Friday, September 6, 2013 at 2:00pm by Vikas Taneja
Their is two easy way to configure a system!
Every thing open and every thing closed.
Every thing else is more or less complex.

Start Turfing !,8405.msg21475.html#msg21475

Samker's Computer Forum -


With Quick-Reply you can write a post when viewing a topic without loading a new page. You can still use bulletin board code and smileys as you would in a normal post.

Name: Email:
Type the letters shown in the picture
Listen to the letters / Request another image
Type the letters shown in the picture:
Second Anti-Bot trap, type or simply copy-paste below (only the red letters)

Enter your email address to receive daily email with ' - Samker's Computer Forum' newest content:

Terms of Use | Privacy Policy | Advertising