Trojan.DownLoader45.49039

Added to the Dr.Web virus database: 2023-03-17

Virus description added: 2023-03-19

Technical Information

To ensure autorun and distribution

Sets the following service settings

[<HKLM>\System\CurrentControlSet\Services\Awareness Identity Human Secure] 'Start' = '00000002'
[<HKLM>\System\CurrentControlSet\Services\Awareness Identity Human Secure] 'ImagePath' = 'C:\haqecvpoqivpls\wlcgpzkrebk.exe'

Creates the following services

'Awareness Identity Human Secure' C:\haqecvpoqivpls\wlcgpzkrebk.exe

Modifies file system

Creates the following files

%WINDIR%\haqecvpoqivpls\mbzelgn
C:\haqecvpoqivpls\mbzelgn
C:\haqecvpoqivpls\xkf7jljwrxvq1jmlfg4.exe
C:\haqecvpoqivpls\wlcgpzkrebk.exe
C:\haqecvpoqivpls\pbimrilio.exe

Sets the 'hidden' attribute to the following files

C:\haqecvpoqivpls\wlcgpzkrebk.exe
C:\haqecvpoqivpls\pbimrilio.exe

Deletes the following files

%WINDIR%\haqecvpoqivpls\mbzelgn
C:\haqecvpoqivpls\xkf7jljwrxvq1jmlfg4.exe

Substitutes the following files

%WINDIR%\haqecvpoqivpls\mbzelgn

Network activity

Connects to

'hi####yboard.net':80
'cl###board.net':80
'co####ebridge.net':80
'st####ebridge.net':80
'th####itchen.net':80

TCP

HTTP GET requests

http://hi####yboard.net/index.php
http://cl###board.net/index.php
http://co####ebridge.net/index.php
http://st####ebridge.net/index.php

UDP

DNS ASK hi#####character.net
DNS ASK hi####yexcept.net
DNS ASK st####eexcept.net
DNS ASK mo####gwhose.net
DNS ASK ra###rwhose.net
DNS ASK mo####gbicycle.net
DNS ASK ra####bicycle.net
DNS ASK mo####gbridge.net
DNS ASK ra####bridge.net
DNS ASK of###whose.net
DNS ASK mo####gexcept.net
DNS ASK tw###ewhose.net
DNS ASK mi###ewhose.net
DNS ASK tw####bicycle.net
DNS ASK mi####bicycle.net
DNS ASK tw####bridge.net
DNS ASK mi####bridge.net
DNS ASK tw####except.net
DNS ASK mi####except.net
DNS ASK ra####except.net
DNS ASK al###whose.net
DNS ASK st####ebridge.net
DNS ASK we####rbicycle.net
DNS ASK th####ithout.net
DNS ASK pr####twagon.net
DNS ASK th###wagon.net
DNS ASK cl###whose.net
DNS ASK cl####icycle.net
DNS ASK cl###bridge.net
DNS ASK cl###except.net
DNS ASK we####rwhose.net
DNS ASK st####ebicycle.net
DNS ASK hi####ybridge.net
DNS ASK am####bicycle.net
DNS ASK we####rbridge.net
DNS ASK am####bridge.net
DNS ASK we####rexcept.net
DNS ASK am####except.net
DNS ASK hi####ywhose.net
DNS ASK st####ewhose.net
DNS ASK hi####ybicycle.net
DNS ASK am###twhose.net
DNS ASK al####icycle.net
DNS ASK of####icycle.net
DNS ASK al###bridge.net
DNS ASK th###ladder.net
DNS ASK cl####haracter.net
DNS ASK th####haracter.net
DNS ASK we####renter.net
DNS ASK am###tenter.net
DNS ASK we####rboard.net
DNS ASK am###tboard.net
DNS ASK th###board.net
DNS ASK we####rladder.net
DNS ASK we#####character.net
DNS ASK am####character.net
DNS ASK hi####yenter.net
DNS ASK st####eenter.net
DNS ASK hi####yboard.net
DNS ASK st####eboard.net
DNS ASK hi####yladder.net
DNS ASK st####eladder.net
DNS ASK am####ladder.net
DNS ASK cl###board.net
DNS ASK cl###ladder.net
DNS ASK th###enter.net
DNS ASK of###bridge.net
DNS ASK co####eexcept.net
DNS ASK al###except.net
DNS ASK of###except.net
DNS ASK co####ewhose.net
DNS ASK ch###whose.net
DNS ASK co####ebicycle.net
DNS ASK ch####icycle.net
DNS ASK co####ebridge.net
DNS ASK ch###bridge.net
DNS ASK ch###except.net
DNS ASK cl###enter.net
DNS ASK pr####twhose.net
DNS ASK th###whose.net
DNS ASK pr####tbicycle.net
DNS ASK th####icycle.net
DNS ASK pr####tbridge.net
DNS ASK th###bridge.net
DNS ASK pr####texcept.net
DNS ASK th###except.net
DNS ASK pr####twithout.net
DNS ASK th####itchen.net

Miscellaneous

Creates and executes the following

'C:\haqecvpoqivpls\xkf7jljwrxvq1jmlfg4.exe'
'C:\haqecvpoqivpls\wlcgpzkrebk.exe'
'C:\haqecvpoqivpls\pbimrilio.exe' "c:\haqecvpoqivpls\wlcgpzkrebk.exe"

TECHNOLOGIES

TERMINOLOGIE

COURS ET EDU

MYTHES

Technical Information

Recommandations pour le traitement

Free trial