
TrojanDownloader:Win32/Truebot.A


First posted on 03 November 2017.
Source: Microsoft

Aliases:

There are no other names known for TrojanDownloader:Win32/Truebot.A.

Explanation:

Installation

This threat periodically contacts a remote server, which may command it to download and execute arbitrary files. When this threat runs, it generates a unique identifier for the machine and contacts the following remote servers for a command:

  • 54.36.191.97
  • 185.86.150.129


On the first run, the server requests that it install itself. It copies itself to the %common_appdata% folder, using file names such as adobeupd.exe or FireWall.exe.

It then creates one of the following registry entries so that it runs again at system startup. Examples we have seen include:

Under key: HKCU\Software\Microsoft\CurrentVersion\Run
Adds Value: AdobeUpd
With Data: %common_appdata%\adobeupd.exe

or

Under key: HKCU\Software\Microsoft\CurrentVersion\Run
Adds Value: FireWallSecurity
With Data: %common_appdata%\FireWall.exe

Payload

Connects to a remote host

We have seen this threat connect to a remote host, including:
  • 54.36.191.97
  • 185.86.150.129


Malware can connect to a remote host to do any of the following:
  • Download and run files (including updates or other malware)
  • Receive instructions from a malicious hacker


Downloads and executes arbitrary files

This threat can download other malware onto your PC. It continues to run after downloading the following files, and may download more files thereafter.
  • igfxpers_<8 hex digits>.exe
  • templer-s--245-2-34566-23_<8 hex digits>.exe
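As an added defender's example (not part of the original description or Microsoft's analysis), the following Python triage helper flags Run-key values that match the persistence indicators described under Installation and file names that match the download patterns listed above. It parses `reg query`-style output; the sample output, the user name in it and the registry key path (written as this page gives it) are constructed, and it assumes %common_appdata% resolves to C:\ProgramData.

```python
import re

# Indicators from the description above: Run-key value names, files dropped
# under %common_appdata%, and download names (<8 hex digits> as a regex).
RUN_VALUE_NAMES = {"adobeupd", "firewallsecurity"}
DROPPED_FILES = {"adobeupd.exe", "firewall.exe"}
DOWNLOAD_PATTERNS = [
    re.compile(r"^igfxpers_[0-9a-f]{8}\.exe$", re.I),
    re.compile(r"^templer-s--245-2-34566-23_[0-9a-f]{8}\.exe$", re.I),
]
# Assumption: %common_appdata% resolves to C:\ProgramData on the host.
COMMON_APPDATA_PREFIXES = ("%common_appdata%\\", "c:\\programdata\\")
# One value line of `reg query` output: <name> <REG_type> <data>.
VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*)$")

def executable_path(data):
    """Program path from a Run value's data: the quoted part, else the whole string."""
    data = data.strip()
    close = data.find('"', 1) if data.startswith('"') else -1
    return data[1:close] if close > 0 else data

def triage_run_key(reg_query_output):
    """Return (value_name, data) pairs matching the Truebot persistence indicators."""
    hits = []
    for line in reg_query_output.splitlines():
        m = VALUE_LINE.match(line)
        if not m:
            continue  # key header, blank line, or anything that is not a value
        name, _type, data = m.groups()
        path = executable_path(data).lower()
        basename = path.rsplit("\\", 1)[-1]
        dropped_here = path.startswith(COMMON_APPDATA_PREFIXES) and basename in DROPPED_FILES
        if name.lower() in RUN_VALUE_NAMES or dropped_here:
            hits.append((name, data.strip()))
    return hits

def is_truebot_download_name(filename):
    """True if a file name matches one of the documented download name patterns."""
    return any(p.match(filename) for p in DOWNLOAD_PATTERNS)

# Constructed sample: what `reg query` of the Run key might print on an infected host.
SAMPLE_REG_QUERY = """HKCU\\Software\\Microsoft\\CurrentVersion\\Run
    OneDrive    REG_SZ    "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background
    FireWallSecurity    REG_SZ    C:\\ProgramData\\FireWall.exe
    Updater    REG_SZ    %common_appdata%\\adobeupd.exe
"""
if __name__ == "__main__":
    for name, data in triage_run_key(SAMPLE_REG_QUERY):
        print(f"suspicious Run value {name!r} -> {data}")
```

The second sample value is caught by its data (the dropped file under %common_appdata%) even though the value name is not one the page lists, which is why the check looks at both.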


It also contacts its remote host or server every two minutes for more commands.

Additional Information

The server may send a command requesting that the malware delete the Run key it created for itself, and then stop running.

This malware description was published using the analysis of the following SHA1s:
  • 197d8bc245ba8b67ebf9a108d6707011fe8158f9
  • 997a24fdb8f6d0af229c1267934165217ddc7f19

Last update 03 November 2017
