Backdoor:Win32/Truebot.A
First posted on 03 November 2017.
Source: Microsoft
Aliases:
There are no other names known for Backdoor:Win32/Truebot.A.
Explanation:
Installation
This threat is installed as a "Default monitors" service.
Payload
Connects to a remote host
When it runs, it can connect to any of the following remote servers:
- 185.20.184.29
- 84.38.132.55
Example of the full URL: 185.20.184.29/index.php?xy=1
It then waits for a response, which can be one of the following:
- htrjyytrn - to refresh the connection
- htcnfhn - to restart the malware process
- ytnpflfybq - to do nothing
If it does not receive any of the three responses above, it can do either or both of the following actions:
- Run cmd.exe to execute a given shell command
- Download a file
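The check-in behaviour described above (a fixed URL path and query to one of two hard-coded servers, followed by a short command token) is what a defender can look for in web proxy logs. The following is an added detection example written for this page, not code from Microsoft or from the description itself. The proxy log format (timestamp, client, method, URL, status) and the sample log lines are constructed for the example; the server addresses, URL pattern and response tokens are the ones listed in the description.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Indicators taken from the Backdoor:Win32/Truebot.A description.
TRUEBOT_C2_HOSTS = {"185.20.184.29", "84.38.132.55"}
TRUEBOT_C2_PATH = "/index.php"
TRUEBOT_C2_QUERY = {"xy": ["1"]}
TRUEBOT_RESPONSES = {
    "htrjyytrn": "refresh connection",
    "htcnfhn": "restart malware process",
    "ytnpflfybq": "do nothing",
}

# Constructed sample proxy log lines in a hypothetical format:
# <timestamp> <client ip> <method> <url> <status>
SAMPLE_PROXY_LOG = """\
2017-11-03T10:00:01Z 10.0.0.5 GET http://185.20.184.29/index.php?xy=1 200
2017-11-03T10:00:02Z 10.0.0.7 GET http://www.example.com/index.php?xy=1 200
2017-11-03T10:00:03Z 10.0.0.5 GET http://84.38.132.55/index.php?xy=1 200
2017-11-03T10:00:04Z 10.0.0.9 GET http://185.20.184.29/other.php 404
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3})$"
)


def is_truebot_beacon(url):
    """True when the URL matches the full check-in pattern: known host, /index.php, xy=1."""
    parts = urlsplit(url)
    if parts.hostname not in TRUEBOT_C2_HOSTS:
        return False
    return parts.path == TRUEBOT_C2_PATH and parse_qs(parts.query) == TRUEBOT_C2_QUERY


def find_beacons(log_text):
    """Return one record per request that touches a listed server.

    'beacon' means the full URL pattern matched; 'c2-host-only' means the
    request went to a listed server but with a different path or query,
    which is still worth a look because the servers themselves are indicators.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        host = urlsplit(m["url"]).hostname
        if host not in TRUEBOT_C2_HOSTS:
            continue
        hits.append({
            "ts": m["ts"],
            "client": m["client"],
            "url": m["url"],
            "match": "beacon" if is_truebot_beacon(m["url"]) else "c2-host-only",
        })
    return hits


def classify_response(body):
    """Map a captured server response body to the action the description gives it, or None."""
    return TRUEBOT_RESPONSES.get(body.strip())


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_PROXY_LOG):
        print(hit["ts"], hit["client"], hit["match"], hit["url"])
    print(classify_response("htcnfhn\n"))
```

The strict match on path and query keeps a request such as `http://www.example.com/index.php?xy=1` from being flagged on the query string alone, while any contact with one of the two listed servers is still reported so an analyst can review the host from the malicious side as well.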
Additional Information
This malware description was published using the analysis of the following SHA1s:
- 2f622723cfa93d1e55807383e838cb893d84fdf7
- 404d30fd9d9d97dc93d105cfbc0cdfd3d514fe24
- f284372f313ba12cb1ba5423c452f06fe06e7d7b
Last update 03 November 2017