Класс: Trojan-PSW
Предназначены для кражи пользовательских аккаунтов (логин и пароль) с пораженных компьютеров. PSW – аббревиатура от Password Stealing Ware («ПО для кражи паролей»). При запуске PSW-троянцы ищут необходимую информацию в системных файлах, хранящих различную конфиденциальную информацию, или реестре. В случае успешного поиска программа отсылает найденные данные «хозяину». Для передачи данных могут быть использованы электронная почта, ftp, web (посредством указания данных в запросе) и другие способы. Некоторые троянцы данного типа воруют регистрационную информацию к различному программному обеспечению. Программы, занимающиеся кражей учетных записей пользователей систем интернет-банкинга, интернет-пейджинга и онлайн-игр, в силу их многочисленности, выделены в отдельные классы: Trojan Banker, Trojan IM и Trojan GameThief соответственно.Подробнее
Платформа: Win32
Win32 - платформа, управляемая операционной системой на базе Windows NT (Windows XP, Windows 7 и т.д.), позволяющей исполнять 32-битные приложения. В настоящее время данная платформа является одной из наиболее распространенных.Семейство: Trojan-PSW.Win32.Stealer
Нет описания семействаПримеры
856CD09D20968B55E5F9B990C17EF6C5780A579BB56F19BD6B9A8FC40BACE3F2
1CAF54AEB6859714FB0D31BCDBD7594E
EDE7F291AB6616E2303CF434DB3BF71F
9A44FE6A87B99EF99C5D6962AD0B7E5D
Тактики и Техники: Mitre*
TA0005
Defense Evasion
The adversary is trying to avoid being detected.
Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics’ techniques are cross-listed here when those techniques include the added benefit of subverting defenses.
Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics’ techniques are cross-listed here when those techniques include the added benefit of subverting defenses.
T1036.007
Masquerading: Double File Extension
Adversaries may abuse a double extension in the filename as a means of masquerading the true file type. A file name may include a secondary file type extension that may cause only the first extension to be displayed (ex:
Adversaries may abuse double extensions to attempt to conceal dangerous file types of payloads. A very common usage involves tricking a user into opening what they think is a benign file type but is actually executable code. Such files often pose as email attachments and allow an adversary to gain Initial Access into a user’s system via Spearphishing Attachment then User Execution. For example, an executable file attachment named
Common file types, such as text files (.txt, .doc, etc.) and image files (.jpg, .gif, etc.) are typically used as the first extension to appear benign. Executable extensions commonly regarded as dangerous, such as .exe, .lnk, .hta, and .scr, often appear as the second extension and true file type.
File.txt.exe may render in some views as just File.txt). However, the second extension is the true file type that determines how the file is opened and executed. The real file extension may be hidden by the operating system in the file browser (ex: explorer.exe), as well as in any software configured using or similar to the system’s policies.(Citation: PCMag DoubleExtension)(Citation: SOCPrime DoubleExtension) Adversaries may abuse double extensions to attempt to conceal dangerous file types of payloads. A very common usage involves tricking a user into opening what they think is a benign file type but is actually executable code. Such files often pose as email attachments and allow an adversary to gain Initial Access into a user’s system via Spearphishing Attachment then User Execution. For example, an executable file attachment named
Evil.txt.exe may display as Evil.txt to a user. The user may then view it as a benign text file and open it, inadvertently executing the hidden malware.(Citation: SOCPrime DoubleExtension)Common file types, such as text files (.txt, .doc, etc.) and image files (.jpg, .gif, etc.) are typically used as the first extension to appear benign. Executable extensions commonly regarded as dangerous, such as .exe, .lnk, .hta, and .scr, often appear as the second extension and true file type.
* © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.