
Backdoor:Win32/Floxif.gen!A


First posted on 21 September 2017.
Source: Microsoft

Aliases :

There are no other names known for Backdoor:Win32/Floxif.gen!A.

Explanation :

This detection covers the trojanized build of the third-party utility CCleaner: a legitimately distributed installer that was modified to carry a malicious DLL payload.

Installation


When run, the threat may store binary data under the registry key HKLM\SOFTWARE\Piriform\Agomo. The presence of this key is itself a useful indicator, since the legitimate CCleaner installation does not create it.

Payload

Collects and steals information

When run, the malicious DLL payload embedded inside the binary may collect the following information:

  • Computer name
  • Computer DNS domain
  • Computer IP address
  • Installed software and running processes


This information is encrypted and sent via an HTTP POST request to the following command and control (C2) address:
  • 216.126.225.148


If that address is unreachable, it falls back to a C2 hostname that it derives from the infected machine's current year and month (a simple date-based domain generation algorithm), so a hunt keyed only on the IP address above can miss later activity.

Downloads and runs additional code

The threat can also receive binary shellcode from its C2 server and execute it, which lets the operator stage arbitrary additional code on the infected machine.

Additional information

SHA1: C705C0B0210EBDA6A3301C6CA9C6091B2EE11D5B
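The indicators in this entry (the registry key under Installation, the C2 address under Payload, and the SHA1 above) can be turned into a hunt over endpoint telemetry. The script below is an added example, not Microsoft's code and not part of the original page: it scans Sysmon-style event records (process creation, network connection, registry key and value events) for those three indicators. The event records are constructed for the example; field names follow Sysmon's schema, and the file paths, port and timestamps in them are assumptions.

```python
"""Hunt for Backdoor:Win32/Floxif.gen!A indicators in Sysmon-style events.

Added example: the indicators come from the encyclopedia entry above; the
events below are constructed for illustration and are not real telemetry.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Indicators taken from the page above.
FLOXIF_REGISTRY_KEY = r"HKLM\SOFTWARE\Piriform\Agomo"
FLOXIF_C2_IP = "216.126.225.148"
FLOXIF_SHA1 = "C705C0B0210EBDA6A3301C6CA9C6091B2EE11D5B"


@dataclass(frozen=True)
class Hit:
    rule: str       # which indicator fired
    event_id: int   # Sysmon event ID of the matching record
    detail: str     # the field value that matched


def parse_sysmon_hashes(field: str) -> Dict[str, str]:
    """Split a Sysmon 'Hashes' field ('SHA1=...,MD5=...') into {ALGO: HEX}."""
    hashes: Dict[str, str] = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            hashes[algo.strip().upper()] = value.strip().upper()
    return hashes


def under_key(target: str, key: str) -> bool:
    """True if a registry TargetObject is the key itself or a value/subkey beneath it."""
    t, k = target.upper(), key.upper()
    return t == k or t.startswith(k + "\\")


def check_event(ev: dict) -> Optional[Hit]:
    """Return a Hit if one event matches a Floxif indicator, else None."""
    eid = ev.get("EventID")
    if eid == 1:  # process creation: compare the SHA1 of the image
        if parse_sysmon_hashes(ev.get("Hashes", "")).get("SHA1") == FLOXIF_SHA1:
            return Hit("floxif_sha1", eid, ev.get("Image", ""))
    elif eid == 3:  # network connection: known C2 address
        if ev.get("DestinationIp") == FLOXIF_C2_IP:
            dest = f"{FLOXIF_C2_IP}:{ev.get('DestinationPort', '')}"
            return Hit("floxif_c2_ip", eid, f"{ev.get('Image', '')} -> {dest}")
    elif eid in (12, 13):  # registry key create/delete (12) or value set (13)
        target = ev.get("TargetObject", "")
        if under_key(target, FLOXIF_REGISTRY_KEY):
            return Hit("floxif_registry", eid, target)
    return None


def hunt(events: Iterable[dict]) -> List[Hit]:
    """Run every event through check_event and keep the matches, in order."""
    return [h for h in map(check_event, events) if h is not None]


# Constructed sample telemetry (paths, port and timestamps are assumptions).
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2017-09-18 09:12:01",
     "Image": r"C:\Program Files\CCleaner\CCleaner.exe",
     "Hashes": "SHA1=c705c0b0210ebda6a3301c6ca9c6091b2ee11d5b"},
    {"EventID": 12, "UtcTime": "2017-09-18 09:12:02",
     "Image": r"C:\Program Files\CCleaner\CCleaner.exe",
     "TargetObject": r"hklm\software\piriform\agomo"},      # case differs on purpose
    {"EventID": 13, "UtcTime": "2017-09-18 09:12:03",
     "Image": r"C:\Program Files\CCleaner\CCleaner.exe",
     "TargetObject": r"HKLM\SOFTWARE\Piriform\CCleaner\UpdateCheck"},  # benign sibling key
    {"EventID": 3, "UtcTime": "2017-09-18 09:12:10",
     "Image": r"C:\Program Files\CCleaner\CCleaner.exe",
     "DestinationIp": "8.8.8.8", "DestinationPort": 53},     # benign DNS
    {"EventID": 3, "UtcTime": "2017-09-18 09:13:40",
     "Image": r"C:\Program Files\CCleaner\CCleaner.exe",
     "DestinationIp": FLOXIF_C2_IP, "DestinationPort": 443},
]


def main() -> None:
    for h in hunt(SAMPLE_EVENTS):
        print(f"[{h.rule}] EventID={h.event_id} {h.detail}")


if __name__ == "__main__":
    main()
```

Of the three checks, the IP match is the weakest: the backdoor can fall back to a date-derived C2 hostname, so pair the network indicator with the registry-key and hash checks, and on a live host confirm the registry hit directly (for example with `Get-ItemProperty` on the key) before treating the machine as compromised.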





Analysis by Jireh Sanico

Last update 21 September 2017
