Trojan.DownLoader41.10783

Добавлен в вирусную базу Dr.Web: 2021-08-13

Описание добавлено: 2021-08-14

Technical Information

To ensure autorun and distribution

Creates or modifies the following files

<SYSTEM32>\tasks\firefox default browser agent 28423bdb6c56ea53
%APPDATA%\microsoft\windows\start menu\programs\startup\svchostsw.exe

Malicious functions

Searches for windows to

detect analytical utilities:

ClassName: 'RegmonClass', WindowName: ''
ClassName: 'FilemonClass', WindowName: ''
ClassName: 'PROCMON_WINDOW_CLASS', WindowName: ''

Modifies file system

Creates the following files

%APPDATA%\ewafvws
%APPDATA%\ciecdsu
%TEMP%\8e0c.exe
%ALLUSERSPROFILE%\runtimebroker.exe
%TEMP%\9933.exe
%TEMP%\a6db.exe
%TEMP%\s.bat
C:\reviewbrokercrtcommon\94dfcaertmmvx.bat
C:\reviewbrokercrtcommon\reviewbrokercrtcommonsessionperfdll.exe
C:\reviewbrokercrtcommon\kb5vrhbv.vbe
%TEMP%\ccf2.exe
%TEMP%\a6db.exe.pid
%TEMP%\81f.exe
%TEMP%\1efa.exe

Sets the 'hidden' attribute to the following files

%APPDATA%\ewafvws
%APPDATA%\ciecdsu

Deletes itself.

Network activity

Connects to

'91.##1.19.52':80
'da####esort.co.in':80
're####iptop.com.au':443
'ka####ndavetiye.com':80
'or##nfo.net':443
'al####cbasket.com':80
'he###hypills.co':80
'un#.org.pk':443
'ke#####tmealplans.org':80
'sh##ava.com':80
'br####and-forum.org':443
'gu#n.mx':443
'ea####inttours.com':443
'vo#####lex-eersel.nl':443
'on####fotokopi.com':443
'ma###try.com':443
'si####agasinet.no':443
'al###uela.com':443
'po####fortmyers.com':443
'ni######schrysoloras.com':443
'de#######-charenton-le-pont.fr':80
'li###artner.no':443
'ad###msp.com':443
'sc####devalori.ro':443
'st#####aidonline.com':443
'de##p.com':80
'hu###vps.com':80
'do###ub.co.za':80
'an###.com.au':443
'ha####kamara.com':443
'vo####museum.com':443
'ho####ubustup.com':443
'id####lispiscine.it':443
'19#.#6.146.22':47861
'in###frigo.it':443
'lo#####lleyalacarte.com':80
'mo#####flexrotary.org':443
'ea####rkmall.com':80
'ds#.com.co':443
'sm##een.com':80
'ki####eyholgate.com':443
'ea####ay-outlet.com':443
'te####velocidad.es':443
'gr##n.al':443
'su####.remap.org.uk':443
'te#####ssicsuzuki.media':443
'zi###ool.com':443
'am#####ospitalar.com.br':443
'18#.#91.34.170':8888
'ro###nwest.best':443
'ka###news.com':443
'pi####aycolor.es':443
'kv###arken.dk':443
'te####-aggelis.gr':443
'fh#.church':80
'al#####kiclub.com.au':443
'mo###thing.com':443
'tr#####rmyourbody.de':443
'er####iation.com':443
'in####eone.com.mx':80
'ha###epi.com':443
'ne##alk.com':443
'we#####ebservice.com':443
'oc###mputer.com':443
'li##nlb.com':80
'vl##kovo.ru':80
'ga###king.com':80
'ar###erv.com.br':443
'th####ration.com.au':443
'co####ntacruz.com':443
'no###gn.co.uk':443
'ec####nsense.com':443

TCP

HTTP GET requests

http://18#.##1.34.170:8888/bots/chkVersion?cu#################### via 18#.#91.34.170
http://18#.##1.34.170:8888/project/active via 18#.#91.34.170
http://18#.##1.34.170:8888/gw?wo########## via 18#.#91.34.170
http://re#####listforjuly1.xyz/raccon.exe

HTTP POST requests

http://re#####listforjuly1.xyz/
http://19#.##.146.22:47861/ via 19#.#6.146.22

Other

'ro###nwest.best':443

UDP

DNS ASK re#####listforjuly1.xyz
DNS ASK ri###hopra.com
DNS ASK ha####kamara.com
DNS ASK vo####museum.com
DNS ASK id####lispiscine.it
DNS ASK do###ub.co.za
DNS ASK ho####ubustup.com
DNS ASK an###.com.au
DNS ASK de##p.com
DNS ASK hu###vps.com
DNS ASK or##nfo.net
DNS ASK po####fortmyers.com
DNS ASK al###uela.com
DNS ASK da####esort.co.in
DNS ASK ka####ndavetiye.com
DNS ASK re####iptop.com.au
DNS ASK he###hypills.co
DNS ASK ma###try.com
DNS ASK ke#####tmealplans.org
DNS ASK sh##ava.com
DNS ASK br####and-forum.org
DNS ASK gu#n.mx
DNS ASK ea####inttours.com
DNS ASK al####cbasket.com
DNS ASK sp#####exenergie.com
DNS ASK st#####aidonline.com
DNS ASK ye###rts.org
DNS ASK oz######doorservices.com
DNS ASK fr####ay-dating.com
DNS ASK 10###ind.com
DNS ASK mo####eeklodge.com
DNS ASK my####-junkies.com
DNS ASK sa#####uonnonystavat.fi
DNS ASK mi###olkin.com
DNS ASK ec####nsense.com
DNS ASK no###gn.co.uk
DNS ASK jb#.pt
DNS ASK ws##ab.com
DNS ASK go###ine.com
DNS ASK up######oolmanagement.com
DNS ASK pr#######gyourretirement.com
DNS ASK li###artner.no
DNS ASK ou#####idavacations.com
DNS ASK ni######schrysoloras.com
DNS ASK to##enis.sk
DNS ASK de#######-charenton-le-pont.fr
DNS ASK ar###mhp.com
DNS ASK iz#####ltukdosemeci.com
DNS ASK ad###msp.com
DNS ASK sc####devalori.ro
DNS ASK vo#####lex-eersel.nl
DNS ASK cc###fts.com
DNS ASK bl##na.com
DNS ASK un#.org.pk
DNS ASK ma####bartlett.com
DNS ASK dn###nters.gr
DNS ASK gr####ygienics.com
DNS ASK pi####aycolor.es
DNS ASK in###tem-br.ru
DNS ASK te####velocidad.es
DNS ASK sm##een.com
DNS ASK ka###news.com
DNS ASK gr##n.al
DNS ASK co#####hproducts.com
DNS ASK sa####nsultants.in
DNS ASK ea####ay-outlet.com
DNS ASK kv###arken.dk
DNS ASK su####.remap.org.uk
DNS ASK ds#.com.co
DNS ASK zi###ool.com
DNS ASK ki####eyholgate.com
DNS ASK ea####rkmall.com
DNS ASK li###yb.co.il
DNS ASK te#####ssicsuzuki.media
DNS ASK am#####ospitalar.com.br
DNS ASK ro###nwest.best
DNS ASK co####ntacruz.com
DNS ASK la###uesse.fr
DNS ASK co#####housebahamas.com
DNS ASK oc###mputer.com
DNS ASK in###frigo.it
DNS ASK on####fotokopi.com
DNS ASK lo#####lleyalacarte.com
DNS ASK mo#####flexrotary.org
DNS ASK fh#.church
DNS ASK mo###thing.com
DNS ASK th###story.in
DNS ASK tr#####rmyourbody.de
DNS ASK in####eone.com.mx
DNS ASK er####iation.com
DNS ASK ha###epi.com
DNS ASK la#####ytattoos.co.uk
DNS ASK ne##alk.com
DNS ASK al#####kiclub.com.au
DNS ASK ga###king.com
DNS ASK vl##kovo.ru
DNS ASK li##nlb.com
DNS ASK we#####ebservice.com
DNS ASK th####ration.com.au
DNS ASK he######council.vic.gov.au
DNS ASK te####-aggelis.gr
DNS ASK ar###erv.com.br
DNS ASK tl##hg.com
DNS ASK si####agasinet.no
DNS ASK da####trombley.com

Miscellaneous

Searches for the following windows

ClassName: 'EDIT' WindowName: ''
ClassName: 'Registry Monitor - Sysinternals: www.sysinternals.com' WindowName: ''
ClassName: '18467-41' WindowName: ''
ClassName: 'File Monitor - Sysinternals: www.sysinternals.com' WindowName: ''
ClassName: 'Process Monitor - Sysinternals: www.sysinternals.com' WindowName: ''

Creates and executes the following

'%TEMP%\8e0c.exe'
'%ALLUSERSPROFILE%\runtimebroker.exe'
'%TEMP%\9933.exe'
'%TEMP%\a6db.exe'
'%APPDATA%\ewafvws'
'%WINDIR%\syswow64\wscript.exe' "C:\reviewbrokercrtCommon\kB5VrhbV.vbe"
'%TEMP%\ccf2.exe'
'C:\reviewbrokercrtcommon\reviewbrokercrtcommonsessionperfdll.exe'
'%TEMP%\81f.exe'
'%ALLUSERSPROFILE%\runtimebroker.exe' ' (with hidden window)
'%APPDATA%\ewafvws' ' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /Q /C %LOCALAPPDATA%\Temp/s.bat' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c ""C:\reviewbrokercrtCommon\94dfcaErtMmvX.bat" "' (with hidden window)

Executes the following

'<SYSTEM32>\taskeng.exe' {F997042D-9564-4617-96A2-9C74BA3C02A1} S-1-5-21-1960123792-2022915161-3775307078-1001:hkdazueuujya\user:Interactive:[1]
'%WINDIR%\syswow64\cmd.exe' /Q /C %LOCALAPPDATA%\Temp/s.bat
'%WINDIR%\syswow64\cmd.exe' /c ""C:\reviewbrokercrtCommon\94dfcaErtMmvX.bat" "

Технологии

Термины

Обучение и просвещение

Мифы

Technical Information

Рекомендации по лечению

Демо бесплатно на 14 дней