
TrojanDropper:Win32/Barlaiy.A!dha


First posted on 10 November 2016.
Source: Microsoft

Aliases:

There are no other names known for TrojanDropper:Win32/Barlaiy.A!dha.

Explanation:

Upon execution, this trojan drops the following DLL file, which is detected as Trojan:Win32/Barlaiy.A!dha:

%APPDATA%\nx00615.ttf

It attempts to randomize the hash value of the dropped DLL file by appending a large amount of randomly generated data at the end of the DLL file before dropping it.

It then executes Trojan:Win32/Barlaiy.A!dha using the legitimate Windows program rundll32.exe to call one of the DLL's export functions:

%SystemRoot%\system32\rundll32.exe %APPDATA%\nx00615.ttf, DisPlay 64

This trojan creates the following mutex in order to make sure that only one instance is running:

win32_event_x86

Certain versions of this trojan also evade analysis by detecting tools such as resource monitors and debuggers; when it detects that such tools are present, it stops running.
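As an added example, not part of Microsoft's write-up, the following Python check flags the rundll32 pattern described above in process-creation events: a module executed from %APPDATA% with a non-library extension such as .ttf, plus the file name and export name given for this family. The event records, user names and the extra tool name are constructed for the example.

```python
import re
from pathlib import PureWindowsPath

# Process-creation events constructed for this example (image path, command line);
# the first mirrors the page's rundll32 invocation with %APPDATA% expanded.
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\rundll32.exe",
     r"C:\Windows\system32\rundll32.exe C:\Users\alice\AppData\Roaming\nx00615.ttf, DisPlay 64"),
    (r"C:\Windows\System32\rundll32.exe",
     r'rundll32.exe "C:\Users\bob\AppData\Roaming\Vendor\updater.dll",RunUpdate /silent'),
    (r"C:\Windows\System32\rundll32.exe",
     r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
    (r"C:\Program Files\FontTool\fonttool.exe",
     r"fonttool.exe --install C:\Users\alice\AppData\Roaming\nx00615.ttf"),
]

# rundll32 syntax: rundll32.exe <module>,<entry point> [arguments]. The module may be
# quoted, and the comma may be followed by a space (as in "nx00615.ttf, DisPlay 64").
RUNDLL_RE = re.compile(
    r'^\s*"?(?:[^"\s]*\\)?rundll32\.exe"?\s+(?:"([^"]+)"|([^\s,]+))\s*,\s*(\S+)',
    re.IGNORECASE)

# Extensions a legitimately loaded rundll32 module normally carries.
EXPECTED_MODULE_EXTENSIONS = {".dll", ".cpl", ".ocx", ".ax"}

def parse_rundll32(cmdline):
    """Return (module_path, entry_point) for a rundll32 command line, else None."""
    m = RUNDLL_RE.match(cmdline)
    if not m:
        return None
    return (m.group(1) or m.group(2), m.group(3))

def rundll32_findings(image, cmdline):
    """List the reasons a rundll32 launch resembles the Barlaiy dropper's pattern."""
    if PureWindowsPath(image).name.lower() != "rundll32.exe":
        return []
    parsed = parse_rundll32(cmdline)
    if parsed is None:
        return []
    module, entry = parsed
    path = PureWindowsPath(module)
    parts = [p.lower() for p in path.parts]
    findings = []
    # Module lives under AppData (expanded path) or still carries %APPDATA% unexpanded.
    if any("appdata" in p for p in parts):
        findings.append("module loaded from AppData")
    # Module masquerades with a non-library extension such as .ttf.
    if path.suffix.lower() not in EXPECTED_MODULE_EXTENSIONS:
        findings.append(f"non-library extension {path.suffix.lower() or '(none)'}")
    # Family-specific file name and export name taken from the description above.
    if path.name.lower() == "nx00615.ttf" or entry == "DisPlay":
        findings.append("matches Barlaiy file name or export")
    return findings

if __name__ == "__main__":
    for image, cmdline in SAMPLE_EVENTS:
        print(rundll32_findings(image, cmdline) or "ok", "<-", cmdline)
```

The first two findings are generic (any rundll32 module in a user-writable profile directory with an odd extension deserves a look); only the third is specific to this family, which matters because the appended random data described above defeats plain file-hash matching.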





Analysis by Ramin Nafisi

Last update 10 November 2016
