BKDR_ZEGOST.AUSDG
Backdoor:Win32/Zegost.AD (Microsoft), Backdoor.Zegost.018657 (Quickheal)
Windows
Threat Type: Backdoor
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
TECHNICAL DETAILS
114,557 bytes
EXE
16 Nov 2016
Arrival Details
This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This backdoor drops the following copies of itself into the affected system:
- %Windows%\{random 6 letters}.exe
(Note: %Windows% is the Windows folder, where it usually is C:\Windows on all Windows operating system versions.)
It drops the following non-malicious files:
- %System%\main\net.exe
- %System%\main\net1.exe
- %System%\main\taskmgr.exe
- %System%\main\tasklist.exe
- %System%\main\taskkill.exe
- %System%\main\ftp.exe
- %System%\main\query.exe
- %System%\main\user.exe
- %System%\main\logoff.exe
- %System%\main\user.exe
- %System%\main\cscript.exe
- %System%\main\reg.exe
- %System%\main\query.dll
- %System%\main\regedt32.exe
- %System%\main\quser.exe
- %System%\main\cmd.exe
- %System%\main\netapi32.dll
- %System%\main\netapi.dll
- %System%\main\netdde.exe
- %System%\main\netstat.exe
- %System%\main\ping.exe
- %System%\main\tskill.exe
- %System%\main\whoami.exe
- %System%\main\wscript.exe
- %System%\main\xcopy.exe
- %System%\main\.temp.fortest
(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.)
It creates the following folders:
- %System%\main
(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.)
Other Details
This backdoor connects to the following possibly malicious URL:
- {BLOCKED}.{BLOCKED}.18.114