TrojanDownloader:Win32/Truebot.A
First posted on 03 November 2017.
Source: Microsoft
Aliases:
There are no other names known for TrojanDownloader:Win32/Truebot.A.
Explanation:
Installation
This threat periodically contacts a remote server, which may command it to download and execute arbitrary files. When this threat runs, it generates a unique identifier for the machine and contacts the following remote servers for a command:
- 54.36.191.97
- 185.86.150.129
On the first run, the server requests that it install itself. It copies itself to the %common_appdata% folder, using file names such as adobeupd.exe or FireWall.exe.
Then, it creates one of the following registry entries to ensure that it runs again at system startup. Examples we have seen include:
Under key: HKCU\Software\Microsoft\CurrentVersion\Run
Adds Value: AdobeUpd
With Data: %common_appdata%\adobeupd.exe
or
Under key: HKCU\Software\Microsoft\CurrentVersion\Run
Adds Value: FireWallSecurity
With Data: %common_appdata%\FireWall.exe
Payload
Connects to a remote host
We have seen this threat connect to a remote host, including:
- 54.36.191.97
- 185.86.150.129
Malware can connect to a remote host to do any of the following:
- Download and run files (including updates or other malware)
- Receive instructions from a malicious hacker
Downloads and executes arbitrary files
This threat can download other malware onto your PC. It continues to run after downloading the following files and may download more files thereafter.
- igfxpers_<8 hex digits>.exe
- templer-s--245-2-34566-23_<8 hex digits>.exe
It also contacts its remote host or server every two minutes for more commands.
Additional Information
The server may send a command requesting that the malware delete the Run key it created for itself, and then stop running.
This malware description was published using the analysis of the following SHA1s:
- 197d8bc245ba8b67ebf9a108d6707011fe8158f9
- 997a24fdb8f6d0af229c1267934165217ddc7f19
Last update 03 November 2017