
TrojanDownloader:Win32/Recslurp.B


First posted on 15 February 2019.
Source: Microsoft

Aliases :

TrojanDownloader:Win32/Recslurp.B is also known as Trojan/Win32.Snocry, W32/Trojan.CAUQ-7382, Trojan-Ransom.Win32.Snocry.az, BackDoor.Siggen.58526, Win32/Agent.QKJ trojan, TROJ_CRYPTED.BLO.

Explanation :

Installation

We have seen this malware arrive as a spam email attachment similar to the examples below:

When run, this threat can replace the following files with copies of itself:

%SystemRoot%\csrss.exe
%SystemRoot%\rundll32.exe
%SystemRoot%\svchost.exe

If it cannot replace the files above, it will create the following files:

%APPDATA%\csrss.exe
%APPDATA%\svchost.exe
%APPDATA%\rundll32.exe

It modifies the registry so that it runs each time you start your PC. For example:

In subkey: HKCU\software\microsoft\windows\currentversion\run
Sets value: "Client Server Runtime Process"
With data: "%APPDATA%\csrss.exe"

In subkey: HKCU\software\microsoft\windows\currentversion\run
Sets value: "Service Host Process for Windows"
With data: "%APPDATA%\svchost.exe"

In subkey: HKCU\software\microsoft\windows\currentversion\run
Sets value: "Host-process Windows (Rundll32.exe)"
With data: "%APPDATA%\rundll32.exe"

Payload

Downloads malware or unwanted software

This threat can download other malware and unwanted software onto your PC.

Connects to a remote host

We have seen this threat connect to the following remote hosts using port 25 to check for Internet connectivity:

plus.smtp.mail.yahoo.com
smtp.gmail.com

If successful, it connects to its command and control (C&C) server at 69.64..20. It can do this for any of the following reasons:

Check for an Internet connection
Download and run files (including updates or other malware)
Report a new infection to its author
Receive configuration or other data
Receive instructions from a malicious hacker
Search for your PC location
Upload information taken from your PC
Validate a digital certificate

Additional information

Creates a mutex

This threat can create one or more mutexes on your PC. For example:

Global\{70D4DFB2-5794-165E-E23A-6CD80ED72355}
Local\{807B5984-D1A2-E6F1-E23A-6CD80ED72355}

It might use this mutex as an infection marker to prevent more than one copy of the threat running on your PC.
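Added example (not Microsoft's code and not part of this write-up): a Python check that looks for the Run-key persistence entries from the Installation section and the mutex names listed above in a sample of host telemetry. The record layout (key/name/data dictionaries for autorun entries, a plain list of mutex names) is an assumption standing in for whatever an Autoruns or EDR export provides, and the sample records are constructed. The path rule generalises beyond the three exact value names: csrss.exe, svchost.exe and rundll32.exe ship in the Windows system directories, so any copy started from the user's roaming profile is worth a look whatever the value is called.

```python
"""Flag the persistence and mutex indicators described in the
TrojanDownloader:Win32/Recslurp.B write-up in sample host telemetry.

Added example, not Microsoft's code.  The record layout below is an
assumption: each autorun entry is a dict with "key", "name" and "data",
mutexes are plain strings, as an Autoruns or EDR export might list them.
"""
import re
from typing import Dict, List

# Run key, value names and %APPDATA% file names as given in the write-up.
RUN_KEY = r"HKCU\software\microsoft\windows\currentversion\run"
RECSLURP_VALUE_NAMES = {
    "Client Server Runtime Process",
    "Service Host Process for Windows",
    "Host-process Windows (Rundll32.exe)",
}

# These are Windows system binaries; a copy launched from a per-user
# profile directory is suspicious regardless of the value name used.
SYSTEM_BINARY_NAMES = {"csrss.exe", "svchost.exe", "rundll32.exe"}
USER_PROFILE_EXE = re.compile(
    r"(%APPDATA%|\\AppData\\Roaming)\\(\w+\.exe)", re.IGNORECASE
)

# Mutex names as given in the write-up.
RECSLURP_MUTEXES = {
    "Global\\{70D4DFB2-5794-165E-E23A-6CD80ED72355}",
    "Local\\{807B5984-D1A2-E6F1-E23A-6CD80ED72355}",
}


def scan_autoruns(entries: List[Dict[str, str]]) -> List[str]:
    """Return one finding per HKCU Run entry that matches the write-up's
    value names or launches a system-binary name from the user profile."""
    findings = []
    for entry in entries:
        if entry["key"].lower() != RUN_KEY.lower():
            continue
        name_hit = entry["name"] in RECSLURP_VALUE_NAMES
        match = USER_PROFILE_EXE.search(entry["data"])
        path_hit = match is not None and match.group(2).lower() in SYSTEM_BINARY_NAMES
        if name_hit or path_hit:
            reason = ("Recslurp.B value name" if name_hit
                      else "system binary name under user profile")
            findings.append(f'{entry["name"]} -> {entry["data"]} ({reason})')
    return findings


def scan_mutexes(names: List[str]) -> List[str]:
    """Return the mutex names from the list that match the write-up."""
    return sorted(n for n in names if n in RECSLURP_MUTEXES)


# Constructed sample telemetry: two suspicious entries and one benign one.
SAMPLE_AUTORUNS = [
    {"key": RUN_KEY, "name": "Client Server Runtime Process",
     "data": r"%APPDATA%\csrss.exe"},
    {"key": RUN_KEY, "name": "Updater",          # hypothetical value name
     "data": r"C:\Users\alice\AppData\Roaming\svchost.exe"},
    {"key": RUN_KEY, "name": "OneDrive",
     "data": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
]
SAMPLE_MUTEXES = [
    "Local\\{807B5984-D1A2-E6F1-E23A-6CD80ED72355}",
    "Global\\SomeBenignApp",                     # constructed, benign
]

if __name__ == "__main__":
    for line in scan_autoruns(SAMPLE_AUTORUNS):
        print("autorun:", line)
    for name in scan_mutexes(SAMPLE_MUTEXES):
        print("mutex:  ", name)
```

On a real host the entries would come from `reg query` output or an Autoruns CSV rather than the inline list; the two scan functions are the part to keep. A hit on the value-name rule is a strong indicator for this family, while the profile-path rule is a broader hunting heuristic and will also surface other malware that borrows system binary names.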

Analysis by Allan Sepillo

Last update 15 February 2019

 
