Analisado por: Nathaniel Gregory Ragasa   
 

Trojan.Win32.Crypt(IKARUS), Win32/Emotet.CQ trojan(NOD32)

 Plataforma:

Windows

 Classificao do risco total:
 Potencial de dano:
 Potencial de distribuição:
 infecção relatada:
 Exposição das informações:
Baixo
Medium
Alto
Crítico

  • Tipo de grayware:
    Trojan Spy

  • Destrutivo:
    Não

  • Criptografado:
     

  • In the Wild:
    Sim

  Visão geral

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

  Detalhes técnicos

Tipo de compactação: 1,000,448 bytes
Tipo de arquivo: DLL
Residente na memória: Não

Übertragungsdetails

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

Schleust eine Kopie von sich selbst in folgende Ordner ein, wobei verschiedene Dateinamen verwendet werden:

  • %System%\{Random Characters}\{Random Characters}.{Random Characters}

(Hinweis: %System% ist der Windows Systemordner. Er lautet in der Regel C:\Windows\System unter Windows 98 und ME, C:\WINNT\System32 unter Windows NT und 2000 sowie C:\Windows\System32 unter Windows 2000(32-bit), XP, Server 2003(32-bit), Vista, 7, 8, 8.1, 2008(64-bit), 2012(64bit) and 10(64-bit).)

Fügt die folgenden Prozesse hinzu:

  • %System%\rundll32.exe "%System%\{Random Characters}\{Random Characters}.{Random Characters}",{Random Characters}
  • %System%\rundll32.exe "%System%\{Random Characters}\{Random Characters}.{Random Characters}",DllRegisterServer

(Hinweis: %System% ist der Windows Systemordner. Er lautet in der Regel C:\Windows\System unter Windows 98 und ME, C:\WINNT\System32 unter Windows NT und 2000 sowie C:\Windows\System32 unter Windows 2000(32-bit), XP, Server 2003(32-bit), Vista, 7, 8, 8.1, 2008(64-bit), 2012(64bit) and 10(64-bit).)

Andere Details

It connects to the following possibly malicious URL:

  • http://{BLOCKED}.{BLOCKED}.201.2
  • http://{BLOCKED}.{BLOCKED}.201.4
  • http://{BLOCKED}.{BLOCKED}.214.46
  • http://{BLOCKED}.{BLOCKED}.225.142
  • http://{BLOCKED}.{BLOCKED}.117.186
  • http://{BLOCKED}.{BLOCKED}.255.201
  • http://{BLOCKED}.{BLOCKED}.188.93
  • http://{BLOCKED}.{BLOCKED}.24.231
  • http://{BLOCKED}.{BLOCKED}.72.26
  • http://{BLOCKED}.{BLOCKED}.186.49
  • http://{BLOCKED}.{BLOCKED}.186.55
  • http://{BLOCKED}.{BLOCKED}.222.101
  • http://{BLOCKED}.{BLOCKED}.59.82
  • http://{BLOCKED}.{BLOCKED}.230.105
  • http://{BLOCKED}.{BLOCKED}.102.168
  • http://{BLOCKED}.{BLOCKED}.50.39
  • http://{BLOCKED}.{BLOCKED}.175.63
  • http://{BLOCKED}.{BLOCKED}.99.3
  • http://{BLOCKED}.{BLOCKED}.193.249
  • http://{BLOCKED}.{BLOCKED}.106.96
  • http://{BLOCKED}.{BLOCKED}.83.165
  • http://{BLOCKED}.{BLOCKED}.147.66
  • http://{BLOCKED}.{BLOCKED}.82.211
  • http://{BLOCKED}.{BLOCKED}.71.210
  • http://{BLOCKED}.{BLOCKED}.56.148
  • http://{BLOCKED}.{BLOCKED}.133.20
  • http://{BLOCKED}.{BLOCKED}.134.35
  • http://{BLOCKED}.{BLOCKED}.109.124
  • http://{BLOCKED}.{BLOCKED}.84.195
  • http://{BLOCKED}.{BLOCKED}.17.99
  • http://{BLOCKED}.{BLOCKED}.5.209
  • http://{BLOCKED}.{BLOCKED}.56.116
  • http://{BLOCKED}.{BLOCKED}.98.99
  • http://{BLOCKED}.{BLOCKED}.226.206
  • http://{BLOCKED}.{BLOCKED}.143.207
  • http://{BLOCKED}.{BLOCKED}.204.126
  • http://{BLOCKED}.{BLOCKED}.108.46
  • http://{BLOCKED}.{BLOCKED}.115.99
  • http://{BLOCKED}.{BLOCKED}.135.203
  • http://{BLOCKED}.{BLOCKED}.114.231
  • http://{BLOCKED}.{BLOCKED}.232.124
  • http://{BLOCKED}.{BLOCKED}.222.11
  • http://{BLOCKED}.{BLOCKED}.54.215
  • http://{BLOCKED}.{BLOCKED}.140.238
  • http://{BLOCKED}.{BLOCKED}.42.236
  • http://{BLOCKED}.{BLOCKED}.212.216
  • http://{BLOCKED}.{BLOCKED}.236.90
  • http://{BLOCKED}.{BLOCKED}.152.127