
Trojan:Win32/FoggyBrass.A!dha


First posted on 15 December 2017.
Source: Microsoft

Aliases:

There are no other names known for Trojan:Win32/FoggyBrass.A!dha.

Explanation:

Installation
It can create the following Run-key registry entry on your PC so that it starts at logon: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\HncChecker



Payload

Allows backdoor access and control

This threat can give a malicious hacker access and control of your PC. They can then perform a number of different actions, such as:

  • Downloading and uploading files
  • Enumerating files and folders
  • Enumerating running processes
  • Executing arbitrary commands
  • Gathering system information such as IP address and computer name


All C2 communications take place over HTTP. The data is XOR-encoded, then sent as form-data to an ASP script, which is generally hosted on a compromised web server.



Connects to a remote host

We have seen this threat connect to a remote host, including the following C2 servers:
  • http[:]//www.genesispure[.]kr/upload/main.php
  • http[:]//www.boniel.co[.]kr/html/face/board.php
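The two indicators above (the HncChecker Run-key value and the two C2 URLs) are the artefacts a responder would sweep for. The script below is an added example, not part of the original description: it refangs the published URLs, checks a `reg export` style dump of the HKCU Run key for the HncChecker value, and flags proxy log lines that reach the listed C2 hosts. The registry dump, the log format and the file paths in it are constructed for illustration; only the key path, value name and C2 URLs come from the description.

```python
"""Triage helpers for the Trojan:Win32/FoggyBrass.A!dha indicators listed above.

Added example, not part of the original write-up. The registry export text
and the proxy log lines below are constructed for illustration; the Run-key
value name and the two C2 URLs come from the description itself.
"""
import re
from urllib.parse import urlparse

# Indicators from the description (URLs defanged as published).
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "HncChecker"
C2_URLS_DEFANGED = [
    "http[:]//www.genesispure[.]kr/upload/main.php",
    "http[:]//www.boniel.co[.]kr/html/face/board.php",
]


def refang(ioc):
    """Turn a defanged indicator back into a matchable URL."""
    return ioc.replace("[:]", ":").replace("[.]", ".").replace("hxxp", "http")


C2_HOSTS = {urlparse(refang(u)).hostname for u in C2_URLS_DEFANGED}
C2_ENDPOINTS = {(urlparse(refang(u)).hostname, urlparse(refang(u)).path)
                for u in C2_URLS_DEFANGED}


def find_run_key_entries(reg_export):
    """Scan a `reg export` style dump for the HncChecker value under HKCU ...\\Run.

    Returns (value_name, command) pairs. Matching is case-insensitive because
    the registry itself is.
    """
    hits = []
    in_run_key = False
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_run_key = line[1:-1].lower() == RUN_KEY.lower()
            continue
        if not in_run_key or not line.startswith('"'):
            continue
        m = re.match(r'"([^"]+)"\s*=\s*"(.*)"$', line)
        if m and m.group(1).lower() == RUN_VALUE_NAME.lower():
            hits.append((m.group(1), m.group(2)))
    return hits


def find_c2_hits(log_lines):
    """Flag proxy log lines whose URL hits one of the published C2 hosts.

    Assumed (constructed) log format: "<ts> <client_ip> <method> <url> <status>".
    A hit on the host alone is reported too, with exact_c2_path=False, since the
    same compromised server may be contacted on other paths.
    """
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 5:
            continue
        ts, client, method, url, _status = parts[:5]
        u = urlparse(url)
        host = (u.hostname or "").lower()
        if host not in C2_HOSTS:
            continue
        hits.append({
            "ts": ts, "client": client, "method": method,
            "host": host, "path": u.path,
            "exact_c2_path": (host, u.path) in C2_ENDPOINTS,
        })
    return hits


# Constructed sample registry export; the executable paths are placeholders.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"HncChecker"="C:\\Users\\user\\AppData\\Roaming\\checker.exe"
'''

# Constructed sample proxy log lines.
SAMPLE_PROXY_LOG = [
    "2017-12-15T09:58:10Z 10.0.0.5 GET http://www.microsoft.com/ 200",
    "2017-12-15T10:01:02Z 10.0.0.5 POST http://www.genesispure.kr/upload/main.php 200",
    "2017-12-15T10:03:44Z 10.0.0.7 POST http://www.boniel.co.kr/html/face/board.php 200",
    "2017-12-15T10:05:00Z 10.0.0.9 GET http://www.boniel.co.kr/index.html 200",
]

if __name__ == "__main__":
    for name, cmd in find_run_key_entries(SAMPLE_REG):
        print(f"persistence: {RUN_KEY}\\{name} = {cmd}")
    for h in find_c2_hits(SAMPLE_PROXY_LOG):
        print(f"c2 traffic: {h['ts']} {h['client']} {h['method']} "
              f"{h['host']}{h['path']} exact={h['exact_c2_path']}")
```

In practice the registry text would come from `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"` on the triaged host and the log lines from the proxy; the functions only need the text, so they run the same way offline on collected artefacts.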






This malware description was published using the analysis of file SHA1 323258353c244b373c758906d88a2bf9663abf8d.

Last update 15 December 2017
