Home / malwarePDF  

Backdoor:Win32/Myntor.A!dha


First posted on 15 December 2016.
Source: Microsoft

Aliases :

There are no other names known for Backdoor:Win32/Myntor.A!dha.

Explanation :

This threat is a second-stage malware that can steal information from enterprises. We have seen it used in targeted attacks in conjunction with Win32/Truvasys, a first-stage malware.

When executed, it creates the following folder:

%TEMP%\translator

It then attempts to execute DLL side-loading, a technique in which legitimate DLLs are replaced with malicious ones so that malicious processes are executed when applications or the operating system starts.

This threat creates the following processes to perform malicious behavior related to stealing information:

  • psaux.exe (loads two additional files, Scpctr.dll and Kltgtr.dll, which are used to take screenshots and collect system information)
  • srvsvc.exe (performs network communications)
  • ttyvc.exe (loads two additional files, Lngwyztn.dll and Whtnwfc.dll, which take inventory of files and system information)






Analysis by Mathieu Letourneau

Last update 15 December 2016

 

TOP

Malware :