TrojanDownloader:Win32/Filcout.A
First posted on 19 May 2019.
Source: Microsoft
Aliases:
There are no other names known for TrojanDownloader:Win32/Filcout.A.
Explanation:
Installation
You might download this app with the name FileScout or File Scout, with the file name filescout.exe. It might also be installed on your PC by a variant of the Win32/Rotbrow or Win32/Brantall families.
It installs the following files:
%TEMP%\3168_12440\crl-set
%TEMP%\3168_12440\manifest.fingerprint
%TEMP%\3168_12440\manifest.json
%TEMP%\662E.tmp
%TEMP%\capE397.tmp
%windir%\SysWOW64\themes.dll
%windir%\SysWOW64\winthemes_service.dll
It creates a shortcut on your PC that might look like this:
It registers and installs itself by modifying the registry.
It displays the following window when you try to open a file that isn't associated with any program or app on your PC:
Payload
Installs Win32/Sefnit variants and other malware
When running, the app sends HTTP GET requests to a remote server, which responds with a command to download a file.
We have seen it send the request to updater-1341016669..elb.amazonaws.com/update/update.php?name=filescout&version=50397193&r=1397078091.
We detect the file as a variant of Win32/Sefnit, such as Trojan:Win32/Sefnit.BW.
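A detection check for the update-check beacon described above, added here as an example and not part of the Microsoft write-up: it scans proxy log lines for the /update/update.php?name=filescout request shape and treats an updater-<id>...elb.amazonaws.com host as corroborating rather than required, since a load-balancer hostname can change. The log line format and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request shape reported for Filcout.A: GET /update/update.php?name=filescout&...
BEACON_PATH = "/update/update.php"
# Host pattern seen in the write-up: updater-<digits>.<region?>.elb.amazonaws.com
HOST_RE = re.compile(r"^updater-\d+\..*elb\.amazonaws\.com$", re.IGNORECASE)

# Constructed proxy log lines (timestamp client method url); not real traffic.
SAMPLE_LOG = """\
2019-05-19T10:00:01Z 10.0.0.5 GET http://updater-1341016669.us-east-1.elb.amazonaws.com/update/update.php?name=filescout&version=50397193&r=1397078091
2019-05-19T10:00:02Z 10.0.0.6 GET http://example.com/update/update.php?name=other&version=1
2019-05-19T10:00:03Z 10.0.0.7 GET https://updater-99.eu-west-1.elb.amazonaws.com/update/update.php?name=FileScout&version=7&r=42
2019-05-19T10:00:04Z 10.0.0.8 GET http://updater-5.elb.amazonaws.com/index.html
2019-05-19T10:00:05Z 10.0.0.9 GET http://cdn.example.net/update/update.php?name=filescout&version=1&r=2
"""


def classify_url(url: str):
    """Return 'high', 'medium' or None for the Filcout.A update-check pattern."""
    parts = urlsplit(url)
    if parts.path != BEACON_PATH:
        return None
    names = [v.lower() for v in parse_qs(parts.query).get("name", [])]
    if "filescout" not in names:
        return None
    # Path plus name is already suspicious; the ELB host pattern raises confidence.
    return "high" if HOST_RE.match(parts.hostname or "") else "medium"


def find_beacons(log_text: str):
    """Return (client_ip, url, confidence) for each matching GET line in the log."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[2] != "GET":
            continue
        confidence = classify_url(fields[3])
        if confidence is not None:
            hits.append((fields[1], fields[3], confidence))
    return hits


if __name__ == "__main__":
    for ip, url, confidence in find_beacons(SAMPLE_LOG):
        print(f"{confidence:6} {ip} {url}")
```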
Analysis by Geoff McDonald and Chris Stubbs
Last update 19 May 2019