
Infostealer.Fightpos

By GoldSparrow in Stealers

The Infostealer.Fightpos malware, as the name suggests, is used by cyber criminals to collect data from infected PCs and transmit it to their servers. The Fightpos malware falls in the category of backdoor trojans and is distributed as an attached file in spam emails; it may also accompany freeware bundles from software centers with a bad reputation. Malware researchers note that the Fightpos trojan can place its files in the Microsoft folder under Application Data to evade detection. Moreover, the Infostealer.Fightpos malware drops two files named 'ActiveComponent.bat' and 'ActiveComponent.exe' in the Temp folder in order to manipulate Microsoft Internet Explorer. The Fightpos trojan then creates a registry entry to make sure users run the corrupted Internet Explorer.exe, which collects data such as typed URLs, entered log-in credentials and offline web app data. As stated above, the Fightpos malware is a backdoor trojan, and it adds several registry keys concerning group policies and firewall settings in order to allow cyber criminals to connect to the infected machine. Additionally, the Fightpos malware can download and execute files as well as launch DDoS attacks. Security experts advise users to install a reputable anti-malware shield and avoid interaction with spam emails and suspicious websites.

File System Details

Infostealer.Fightpos creates the following file(s):
# File Name Detections
1. %UserProfile%\Start Menu\Programs\Startup\Shortcut to Internet Explorer.lnk N/A
2. %Temp%\ActiveComponent.bat N/A
3. %Temp%\ActiveComponent.exe N/A

Registry Details

Infostealer.Fightpos creates the following registry entry or registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Microsoft" = "%UserProfile%\Application Data\Microsoft\InternetExplorer.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"ActiveControl" = "%Temp%\ActiveComponent.bat"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\"[PATH OF THE ORIGINAL FILE]" = "[PATH OF THE ORIGINAL FILE]:*:Enabled: Microsoft"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\"%UserProfile%\Application Data/Microsoft/InternetExplorer.exe" = "%UserProfile%\Application Data\Microsoft\InternetExp
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\"DoNotAllowExceptions" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\"EnableLUA" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\"UACDisableNotify" = "0"
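As an added illustration that is not part of this threat entry, the following PowerShell check lets a responder look for the files and registry values listed above on a suspect host; the paths and value names are taken from this page, while the name-matching patterns and the output format are assumptions.

```powershell
# Added detection check for the Infostealer.Fightpos artifacts listed on this page.
# Not the threat entry's own code. Run from an elevated PowerShell session.
$findings = @()

# 1. Dropped files (environment variables expanded for the current user)
$files = @(
    "$env:USERPROFILE\Start Menu\Programs\Startup\Shortcut to Internet Explorer.lnk",
    "$env:TEMP\ActiveComponent.bat",
    "$env:TEMP\ActiveComponent.exe",
    "$env:USERPROFILE\Application Data\Microsoft\InternetExplorer.exe"
)
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { $findings += "File present: $f" }
}

# 2. Persistence: HKLM Run values named "Microsoft" and "ActiveControl"
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($name in 'Microsoft', 'ActiveControl') {
    $v = (Get-ItemProperty -Path $runKey -Name $name -ErrorAction SilentlyContinue).$name
    if ($v) { $findings += "Run value '$name' = $v" }
}

# 3. Firewall exception list entries pointing at the dropped executable
#    or carrying the "Enabled: Microsoft" tag shown on the page (pattern is an assumption)
$fwList = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
if (Test-Path $fwList) {
    $props = Get-ItemProperty -Path $fwList
    foreach ($p in (Get-Item $fwList).Property) {
        $data = [string]$props.$p
        if ($p -match 'InternetExplorer\.exe' -or $data -match ':\*:Enabled: Microsoft$') {
            $findings += "Firewall exception: '$p' = $data"
        }
    }
}

# 4. Security settings listed on the page, with the value the trojan writes
$settings = @{
    'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile|DoNotAllowExceptions' = 0
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system|EnableLUA' = 0
    'HKLM:\SOFTWARE\Microsoft\Security Center|UACDisableNotify' = 0
}
foreach ($entry in $settings.GetEnumerator()) {
    $key, $name = $entry.Key -split '\|'
    $v = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -ne $v -and [int]$v -eq $entry.Value) { $findings += "$key\$name = $v (matches listed value)" }
}

if ($findings.Count -eq 0) { 'No Infostealer.Fightpos artifacts found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

A hit on section 4 alone is weak evidence, since EnableLUA = 0 can be an administrator's choice; treat it as corroboration for hits in sections 1 to 3.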

URLs

Tip: We recommend blocking the domain names as well as the IP addresses associated with them.
The following URLs were found:

[http://]69.195.77.74/BrFighter/bot/comma[REMOVED]
