Trojan.DownLoader26.35042

Technical Information

To ensure autorun and distribution:

Modifies the following registry keys:

[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe] 'Debugger' = 'rundll32.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe] 'Debugger' = 'rundll32.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe] 'Debugger' = 'rundll32.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ComboFix.exe] 'Debugger' = 'rundll32.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe] 'Debugger' = 'rundll32.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe] 'Debugger' = 'rundll32.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\keyscrambler.exe] 'Debugger' = 'rundll32.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdagent.exe] 'Debugger' = 'rundll32.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zlclient.exe] 'Debugger' = 'rundll32.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe] 'Debugger' = 'rundll32.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgwdsvc.exe] 'Debugger' = 'rundll32.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgrsx.exe] 'Debugger' = 'rundll32.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgidsagent.exe] 'Debugger' = 'rundll32.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgcsrvx.exe] 'Debugger' = 'rundll32.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgui.exe] 'Debugger' = 'rundll32.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe] 'Debugger' = 'rundll32.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe] 'Debugger' = 'rundll32.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcenter.exe] 'Debugger' = 'rundll32.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccuac.exe] 'Debugger' = 'rundll32.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spybotsd.exe] 'Debugger' = 'rundll32.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hijackthis.exe] 'Debugger' = 'rundll32.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamservice.exe] 'Debugger' = 'rundll32.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamscheduler.exe] 'Debugger' = 'rundll32.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbampt.exe] 'Debugger' = 'rundll32.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamgui.exe] 'Debugger' = 'rundll32.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe] 'Debugger' = 'rundll32.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\instup.exe] 'Debugger' = 'rundll32.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avscan.exe] 'Debugger' = 'rundll32.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvastUI.exe] 'Debugger' = 'rundll32.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avconfig.exe] 'Debugger' = 'rundll32.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvastSvc.exe] 'Debugger' = 'rundll32.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avguard.exe] 'Debugger' = 'rundll32.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe] 'Debugger' = 'rundll32.exe'

Malicious functions:

Injects code into

the following system processes:

%WINDIR%\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Modifies file system:

Creates the following files:

%APPDATA%\ZHNTQHT\ZHNTQHT.exe
%APPDATA%\ZHNTQHT\aSSSSS.xml
%TEMP%\5c5a8d8a-d6fa-a2b5-7e59-59755ea72586
%TEMP%\tmp1.tmp

Deletes the following files:

%APPDATA%\ZHNTQHT\aSSSSS.xml

Network activity:

Connects to:

'wp#d':80
'bo#.####ismyipaddress.com':80
'sm##.zoho.com':587

TCP:

HTTP GET requests:

http://11#.#11.111.1/wpad.dat via wp#d
http://bo#.####ismyipaddress.com/

UDP:

DNS ASK wp#d
DNS ASK bo#.####ismyipaddress.com
DNS ASK sm##.zoho.com

Miscellaneous:

Creates and executes the following:

'<Full path to file>'

Executes the following:

'<SYSTEM32>\schtasks.exe' /Create /TN "ZHNTQHT\ZHNTQHT" /XML "%APPDATA%\ZHNTQHT\aSSSSS.xml"
'%WINDIR%\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext "%TEMP%\tmp1.tmp"

Демо бесплатно на 14 дней

Выдаётся при установке

Скачать с сайта

Скачать с Google Play

Завантажте
Dr.Web для Android

Безкоштовно на 3 місяці
Всі компоненти захисту
Подовження демо в
AppGallery/Google Pay

Технології

Терміни

Навчання

Міфи

Technical Information

Рекомендации по лечению

Демо бесплатно на 14 дней