

First posted on 08 March 2018.
Source: Microsoft

Aliases:

There are no other names known for TrojanDownloader:Win32/Dofoil.AB.

Explanation:

When run, this trojan injects its code into File Explorer (explorer.exe). It then deletes its original copy.

It drops an executable file—a randomly named copy of itself—into the %LOCALAPPDATA% folder. To stay persistent, it creates a variably named registry entry:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value:
With data:

We have observed some samples of this trojan using names taken from the Uninstall key in the registry. This disguises the trojan's Run entry as something created by a legitimately installed application.
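The two persistence traits described above (a Run value whose data points into %LOCALAPPDATA%, and a value name borrowed from the Uninstall key) can be checked directly from the registry. The following PowerShell script is an added example written for this page; it is not Microsoft's code and is not derived from the malware. It assumes the standard Run and Uninstall key locations and the built-in registry provider only; no detection names, hashes or other sample-specific values are used.

```powershell
# Added example (not part of the Microsoft entry): list HKCU Run entries that
# match the persistence pattern described above. Each flagged entry is a lead
# for investigation, not a verdict; legitimate per-user installers also write
# to %LOCALAPPDATA%, so the combination of both traits is the stronger signal.

$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$uninstallKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall'
)
# Properties the registry provider adds to every item; they are not Run values.
$providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

# Collect names an installer would leave behind: Uninstall subkey names and
# their DisplayName values, compared case-insensitively.
$installedNames = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
foreach ($key in $uninstallKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    foreach ($sub in Get-ChildItem -Path $key -ErrorAction SilentlyContinue) {
        [void]$installedNames.Add($sub.PSChildName)
        $display = (Get-ItemProperty -Path $sub.PSPath -ErrorAction SilentlyContinue).DisplayName
        if ($display) { [void]$installedNames.Add([string]$display) }
    }
}

$localAppData = [Environment]::GetFolderPath('LocalApplicationData')

if (Test-Path -Path $runKey) {
    $props = Get-ItemProperty -Path $runKey
    foreach ($p in $props.PSObject.Properties) {
        if ($providerProps -contains $p.Name) { continue }
        $data = [string]$p.Value
        # Expand %LOCALAPPDATA% and similar variables, and drop a leading quote,
        # so the path test runs against the real executable path.
        $expanded = [Environment]::ExpandEnvironmentVariables($data).TrimStart('"')
        $inLocalAppData = $expanded.StartsWith($localAppData, [StringComparison]::OrdinalIgnoreCase)
        $borrowedName  = $installedNames.Contains($p.Name)
        if ($inLocalAppData -or $borrowedName) {
            [PSCustomObject]@{
                ValueName            = $p.Name
                Data                 = $data
                InLocalAppData       = $inLocalAppData
                NameFromUninstallKey = $borrowedName
            }
        }
    }
}
```

Run it in a normal user session, since the Run key in question lives under HKCU and is per-user. An entry that reports both InLocalAppData and NameFromUninstallKey as True, but whose Data does not match the install location recorded under the corresponding Uninstall subkey, is the case worth pulling the referenced file from for analysis; an entry with only InLocalAppData set is common for legitimate user-mode software and should be confirmed against the file's publisher signature before acting on it.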

This trojan then connects to a remote location to download and run other malware, including samples detected as Trojan:Win32/Dofoil.AB and Trojan:Win32/CoinMiner.D.

Last update 08 March 2018