
Worm:Win32/Xtrat.C


First posted on 01 April 2019.
Source: Microsoft

Aliases :

Worm:Win32/Xtrat.C is also known as BackDoor-FCDE!AB502CA6662A, W32.Spyrat.

Explanation :

Installation

This threat can create files on your PC, including:

%SystemRoot%\dllsadsl.exe
%TEMP%\322htr.exe
%TEMP%\710march.exe
%TEMP%\710march.exe.exe
%TEMP%\dlshosts.exe
%APPDATA%\roaming\microsoft\internet explorer\quick launch\launch internet explorer browser.lnk
%APPDATA%\roaming\microsoft\windows\start menu\programs\startup\a6bb84e8814fcaa6951c95e3faa45466.exe
%USERPROFILE%\documents\msdcsc\msdcsc.exe

It modifies the registry so that it runs each time you start your PC. For example:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "a6bb84e8814fcaa6951c95e3faa45466"
With data: ""c:\users\administrator\appdata\local\temp\dlshosts.exe" .."
Sets value: "HKCU"
With data: "%SystemRoot%\dllsadsl.exe"
Sets value: "MicroUpdate"
With data: "c:\users\administrator\documents\msdcsc\msdcsc.exe"

In subkey: HKLM\Software\Microsoft\Active Setup\Installed Components\{VTVM542I-8743-2C38-TQKC-K3057FDG022L}
Sets value: "StubPath"
With data: "%SystemRoot%\dllsadsl.exe"

In subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "UserInit"
With data: "userinit.exe,c:\users\administrator\documents\msdcsc\msdcsc.exe"

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "a6bb84e8814fcaa6951c95e3faa45466"
With data: ""c:\users\administrator\appdata\local\temp\dlshosts.exe" .."
Sets value: "HKLM"
With data: "%SystemRoot%\dllsadsl.exe"

The malware uses code injection to make it harder to detect and remove. It can inject code into running processes.

Payload

Connects to a remote host

We have seen this threat connect to a remote host, including:

datac1.ddns.net using port 53
mz3ro.no-ip.org using port 53

Malware can connect to a remote host to do any of the following:

Check for an Internet connection
Download and run files (including updates or other malware)
Report a new infection to its author
Receive configuration or other data
Receive instructions from a malicious hacker
Search for your PC location
Upload information taken from your PC
Validate a digital certificate

It can stop some processes from running on your PC, including:

iexplore.exe

This malware description was published using automated analysis of file SHA1 23d254568fdf6a4929172d2d6e455366eabbe7c4.

Last update 01 April 2019
