
TrojanDownloader:Win32/Dalexis


First posted on 16 March 2019.
Source: Microsoft

Aliases:

There are no other names known for TrojanDownloader:Win32/Dalexis.

Explanation:

Installation

The threat contains an embedded clean CAB file which it drops in the %TEMP% folder. It uses a file name in the format temp_cab_.cab, for example temp_cab_387640.cab.

The CAB file contains a document that is embedded in the binary; the trojan opens it on your PC by launching it with CreateProcess. We have seen the document appear as an RTF or PDF file.

In the wild, we've seen the document claim to be an invoice, as in this example:

The trojan may arrive as an attachment in a spammed email message generated by a member of the Win32/Cutwail family of malware.

We have seen the attachment use file names similar to the following:

order_2014-09-03_10-09-41_1218448113.arj
bill_2014-09-10_09-32-00_26934258393.arj
sale_2014-09-02_09-24-16_28083729575.arj

As seen in these examples, the attachment claims to be a receipt, invoice, or some other document related to an order or sale.

Payload

Downloads updates or other malware

The threat checks for an Internet connection by connecting to a clean website, such as windowsupdate.microsoft.com.

If successful, it connects to a remote host that is hardcoded in its binary to download other malware. We have seen it connect to the following domains: 

pubbliemme.com
agatecom.fr
baselineproduction.fr

In the wild, we have seen this malware download updates of itself and variants of the Win32/Zbot family (including PWS:Win32/Zbot.gen!GOA).

We've seen it download other malware, including PWS:Win32/Zbot.gen!GOA and Trojan:Win32/Tinba.A, and save it to the %TEMP% folder with the file name update_.exe, for example update_387640.exe. 
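The write-up gives a defender two host-side artifacts that share a numeric suffix in the observed examples (temp_cab_387640.cab and update_387640.exe in %TEMP%) and a recognisable attachment-name pattern. The following Python triage helper, added here as an example and not taken from Microsoft's analysis, correlates those file names over constructed file-creation paths; the sample paths and the hypothetical requirement that the suffixes match are assumptions, not claims from the page.

```python
import re
from collections import defaultdict

# Constructed sample file-creation paths (e.g. from an EDR file-create feed);
# these are made up for the example, not observations from the write-up.
SAMPLE_PATHS = [
    r"C:\Users\alice\AppData\Local\Temp\temp_cab_387640.cab",
    r"C:\Users\alice\AppData\Local\Temp\update_387640.exe",
    r"C:\Users\alice\AppData\Local\Temp\temp_cab_112233.cab",
    r"C:\Users\alice\AppData\Local\Temp\setup_log.txt",
]

# Dropped CAB and downloaded payload under a Temp folder, capturing the digits.
CAB_RE = re.compile(r"[\\/]temp[\\/]temp_cab_(\d+)\.cab$", re.IGNORECASE)
EXE_RE = re.compile(r"[\\/]temp[\\/]update_(\d+)\.exe$", re.IGNORECASE)
# Spam attachment names: <order|bill|sale>_<YYYY-MM-DD>_<HH-MM-SS>_<digits>.arj
ATTACH_RE = re.compile(
    r"^(order|bill|sale)_\d{4}-\d{2}-\d{2}_\d{2}-\d{2}-\d{2}_\d+\.arj$",
    re.IGNORECASE,
)


def correlate_temp_artifacts(paths):
    """Group CAB/EXE drops by numeric suffix.

    Returns (paired, partial): suffixes where both the CAB and the EXE were
    seen (strong signal: drop followed by download), and suffixes where only
    one half was seen (weaker signal, e.g. the download never completed).
    """
    seen = defaultdict(set)
    for path in paths:
        if m := CAB_RE.search(path):
            seen[m.group(1)].add("cab")
        if m := EXE_RE.search(path):
            seen[m.group(1)].add("exe")
    paired = sorted(s for s, kinds in seen.items() if kinds == {"cab", "exe"})
    partial = sorted(s for s, kinds in seen.items() if len(kinds) == 1)
    return paired, partial


def is_suspicious_attachment(name):
    """True when an attachment name follows the Cutwail spam naming pattern."""
    return bool(ATTACH_RE.match(name))


if __name__ == "__main__":
    print(correlate_temp_artifacts(SAMPLE_PATHS))
    print(is_suspicious_attachment("order_2014-09-03_10-09-41_1218448113.arj"))
```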

Analysis by Rodel Finones

Last update 16 March 2019
