Home / malware Trojan.Browrat
First posted on 05 December 2015.
Source: SymantecAliases :
There are no other names known for Trojan.Browrat.
Explanation :
When the Trojan is executed, it creates the following files: %AllUsersProfile%\Application Data\vpdn\config.ini%AllUsersProfile%\Application Data\vpdn\key.hlp%AllUsersProfile%\Application Data\vpdn\VPDN_LU.exe%AllUsersProfile%\Application Data\vpdn\navlu.dll.url
Next, the Trojan creates the following registry entry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"vpdn" = "%AllUsersProfile%\Application Data\vpdn\VPDN_LU.exe"
The Trojan then connects to the following remote location through TCP port 443: 39.109.5.161
Next, the Trojan gathers the following system data and sends it to the attacker's remote location: OS versionIP addressGUID Host nameUser name
The Trojan may then perform the following actions: Create a remote shellList files and available drivesUpload and download filesLog keystrokesTake code from %AllUsersProfile%\Application Data\vpdn\navlu.dll.url and inject it into the msiexec.exe processUninstall itselfLast update 05 December 2015