Trojan:Win32/Autophyte.A!dha
First posted on 15 December 2017.
Source: Microsoft
Aliases: There are no other names known for Trojan:Win32/Autophyte.A!dha.
Explanation:
This threat is a trojan that fakes Transport Layer Security (TLS) communications to hide its command-and-control (C2) servers, and it is commonly seen in targeted attacks.
Payload
Allows backdoor access and control
This threat can give a malicious hacker access and control of your PC. They can then perform a number of different actions, such as:
- Downloading and uploading files
- Enumerating files and folders
- Enumerating running processes
- Executing arbitrary commands
- Gathering system information such as IP address and computer name
- Securely deleting files and folders
Connects to a remote host
We have seen this threat connect to a remote host, including the following C2 servers:
- 41.131.29.59:443
- 58.6.21.11:443
- 114.215.107.218:443
Encrypts configuration information
We have seen this threat encrypt configuration information with the following RC4 key:
- 0xDAE161FF0C2795871757A4D6EAE3822B
All data are obfuscated and sent over a fake TLS channel, generally over TCP port 443, to infrastructure the adversary controls. The ClientHello portion of the TLS handshake can carry one of the following domains as the Server Name Indication (SNI), chosen at random:
- myservice.xbox.com
- uk.yahoo.com
- web.whatsapp.com
- www.apple.com
- www.baidu.com
- www.bing.com
- www.bitcoin.org
- www.comodo.com
- www.debian.org
- www.dropbox.com
- www.facebook.com
- www.github.com
- www.google.com
- www.lenovo.com
- www.microsoft.com
- www.paypal.com
- www.tumblr.com
- www.twitter.com
- www.wetransfer.com
- www.wikipedia.org
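Because the decoy SNI names are all legitimate domains, the SNI alone is not a signal; what a defender can check is whether the destination is a listed C2, or whether the SNI name is being sent to an address that host does not actually resolve to. The following is an added detection example, not code from this description or from Microsoft: it parses the server_name extension out of a raw TLS ClientHello and classifies the connection. The `expected` mapping of SNI host to legitimate addresses is an assumed input (for instance from passive DNS), and `build_client_hello` only constructs sample input for the test.

```python
import struct
from typing import Optional
# C2 addresses and decoy SNI hosts exactly as listed in the Autophyte.A description above.
AUTOPHYTE_C2 = {"41.131.29.59", "58.6.21.11", "114.215.107.218"}
DECOY_SNI = {
    "myservice.xbox.com", "uk.yahoo.com", "web.whatsapp.com", "www.apple.com",
    "www.baidu.com", "www.bing.com", "www.bitcoin.org", "www.comodo.com",
    "www.debian.org", "www.dropbox.com", "www.facebook.com", "www.github.com",
    "www.google.com", "www.lenovo.com", "www.microsoft.com", "www.paypal.com",
    "www.tumblr.com", "www.twitter.com", "www.wetransfer.com", "www.wikipedia.org",
}

def parse_sni(record: bytes) -> Optional[str]:
    """Return the server_name from a TLS ClientHello record, or None if absent."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        return None                                  # not a handshake record carrying ClientHello
    p = 9 + 2 + 32                                   # skip record+handshake headers, version, random
    p += 1 + record[p]                               # session_id
    p += 2 + struct.unpack_from("!H", record, p)[0]  # cipher_suites
    p += 1 + record[p]                               # compression_methods
    if p + 2 > len(record):
        return None                                  # no extensions block
    ext_end = p + 2 + struct.unpack_from("!H", record, p)[0]
    p += 2
    while p + 4 <= ext_end:
        etype, elen = struct.unpack_from("!HH", record, p)
        p += 4
        if etype == 0 and elen >= 5:                 # server_name: list_len(2) type(1) name_len(2) name
            name_len = struct.unpack_from("!H", record, p + 3)[0]
            return record[p + 5:p + 5 + name_len].decode("ascii", "replace")
        p += elen
    return None

def classify(record: bytes, dst_ip: str, expected: dict) -> str:
    """expected maps an SNI host to the IPs it legitimately resolves to (assumed, e.g. from passive DNS)."""
    sni = parse_sni(record)
    if dst_ip in AUTOPHYTE_C2:
        return "alert: destination is a listed Autophyte.A C2"
    if sni in DECOY_SNI and sni in expected and dst_ip not in expected[sni]:
        return f"suspicious: decoy SNI {sni} sent to unexpected destination {dst_ip}"
    return "ok"

def build_client_hello(sni: str) -> bytes:
    """Constructed minimal ClientHello (sample input only) with SNI as its sole extension."""
    name = sni.encode("ascii")
    sni_ext = struct.pack("!HHHBH", 0, len(name) + 5, len(name) + 3, 0, len(name)) + name
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00" + b"\x00\x02\xc0\x2f" + b"\x01\x00"
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

In practice the record would come from a packet capture or proxy log, and the SNI/destination mismatch check is useful well beyond this family, since any fake-TLS implant that borrows well-known hostnames produces it.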
This malware description was published using the analysis of file SHA1 199750b6d04527dbebf04df414713bc863d54592.
Last update: 15 December 2017