
TrojanDownloader:Win32/Lerspeng.B


First posted on 20 July 2019.
Source: Microsoft

Aliases :

TrojanDownloader:Win32/Lerspeng.B is also known as Trojan/Win32.Ransomlock, W32/Downloader.PUYB-2856, Trojan.Win32.Inject.mpuu, win32/Agent.BCBLJ, Trojan horse SHeur4.BUEA, TR/Dldr.Small.PSD, Trojan.GenericKD.1651739, Trojan.Packed.26550, W32/Inject.MPUU!tr, Troj/Zbot-IEL, TROJ_UPATRE.JH.

Explanation :

Installation

TrojanDownloader:Win32/Lerspeng.B can arrive on your PC attached to a spam email, or downloaded by other malware families, such as TrojanDownloader:Win32/Upatre and TrojanDownloader:Win32/Kuluoz.

The spam email might follow this template (the variable fields are blank in this copy):

Subject: Payment notification #
Email body:

!

.
Sum: $

===Detailed notification is in the attached ZIP-archive===

Unfortunately, this email is an automated notification, which is unable to receive replies.
We're happy to help you with any questions or concerns you may have.
Please contact us directly 24/7 via our site.

No found in this message. Checked by .

When run, TrojanDownloader:Win32/Lerspeng.B downloads a file and saves it in the %TEMP% folder under a file name that begins with mss, for example %TEMP%\mss11.exe.

Payload

Downloads other malware

We have seen TrojanDownloader:Win32/Lerspeng.B connect to the following URLs to download other malware:

76.12.188.227/pesk/keystones
allee-a.fr/rawnessormat
bestattungskultur.tipsily/battled
blueodysseyvacatioom/disabled/casements
cajuncloud.com/detor/reverting
customerservice.ivustralia.com/essential/supernova
dboulaisdance.ca/aness/vessels
dboulaisdance.ca/ethius/detonates
dislexia.ch/stepsoange
ftp.bluerivermediasprangs/meringue
griffinclan.org.clrvers.com/deniers/echos
handhtek.com/ashmo/zhengzhou
LEFTCOASTFOOTBALL.slaloming/opera
mccubbin.dmirc.comtle/strikers
mytimeenglish.com/els/shellfish
peas.de/peaceful/ched
pflegepaedagogik.deckpoint/resonantly
redrockspd.com/ribvin/composure
spraymarketing.co.verhaul/niobe
studiosharise.com/ively/nitpicked
torrealum.com/gain/frigidly
walkzone2u.com/pune/clump
www.10142493.wavel.com/banach/vizor
www.efg-neckarsulmpleats/enquiry
www.furairgallon.brtals/ruined
www.genienspiegel.iscos/preemptive
www.limousinegta.cdrigals/revealings
www.stoltztechnicavices.com/pubic/assertion
www.teutoklaus.de/ne/reuse
www.zeton.com.br/cility/engraver
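Two hunting checks built from the indicators on this page, as an added Python example (not Microsoft's or malwarePDF's code): match proxy log lines against the download URLs listed above, normalizing host case, default port, trailing slash and query string before comparing, and flag files in a user's %TEMP% whose name follows the mss<number>.exe pattern described under Installation. The log lines, file paths and temp directory are constructed for the demonstration; the URL subset is copied from the list above as printed there; and the assumption that the variable part of the dropped file name is numeric rests on the single mss11.exe example the page gives.

```python
"""Hunt helpers for the TrojanDownloader:Win32/Lerspeng.B indicators above.

Added example, not Microsoft's or malwarePDF's code. Log lines, file paths
and the temp directory are constructed; the URL subset is copied from the
page as printed there (some entries on the page are visibly truncated).
"""
import re
from pathlib import PureWindowsPath
from urllib.parse import urlsplit

# Subset of the download URLs listed on the page (host/path, no scheme).
LERSPENG_URLS = [
    "76.12.188.227/pesk/keystones",
    "cajuncloud.com/detor/reverting",
    "dboulaisdance.ca/aness/vessels",
    "dboulaisdance.ca/ethius/detonates",
    "handhtek.com/ashmo/zhengzhou",
    "peas.de/peaceful/ched",
    "www.teutoklaus.de/ne/reuse",
    "www.zeton.com.br/cility/engraver",
]

# Constructed proxy log lines: "<timestamp> <client> <method> <url> <status>".
LOG_LINES = [
    "2019-07-20T10:01:02Z 10.0.0.5 GET http://DBoulaisDance.ca/aness/vessels?x=1 200",
    "2019-07-20T10:01:09Z 10.0.0.5 GET http://www.teutoklaus.de:80/ne/reuse/ 200",
    "2019-07-20T10:02:30Z 10.0.0.7 GET http://PEAS.DE/index.html 200",
    "2019-07-20T10:03:11Z 10.0.0.9 GET https://example.com/ 200",
]

# Constructed file paths; the temp directory is a placeholder for %TEMP%.
TEMP = r"C:\Users\victim\AppData\Local\Temp"
SAMPLE_PATHS = [
    TEMP + r"\mss11.exe",                    # the example name from the page
    TEMP + r"\MSS7.EXE",                     # NTFS is case-insensitive
    TEMP + r"\report.pdf.exe",               # unrelated dropper name
    r"C:\Windows\System32\mssign32.dll",     # legitimate, prefix collision
    r"C:\Users\victim\Downloads\mss11.exe",  # right name, wrong directory
]

# Assumption: the variable part of the dropped name is numeric (mss11.exe).
MSS_DROP = re.compile(r"^mss\d*\.exe$", re.IGNORECASE)


def normalize(url):
    """Return (host, path) in comparable form: lower-case host with any port
    removed, path without query, fragment or trailing slash."""
    if "://" not in url:          # indicator list has no scheme
        url = "http://" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()   # .hostname drops the port
    path = parts.path.rstrip("/") or "/"
    return host, path


def match_proxy_log(lines, indicators=LERSPENG_URLS):
    """Return (client, url, kind) for every line that hits an indicator.
    kind is "url" for a full host+path match and "host" when only the host
    matches (weaker: the same host may also serve legitimate content)."""
    exact = {normalize(u) for u in indicators}
    hosts = {h for h, _ in exact}
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        client, url = fields[1], fields[3]
        host, path = normalize(url)
        if (host, path) in exact:
            hits.append((client, url, "url"))
        elif host in hosts:
            hits.append((client, url, "host"))
    return hits


def suspicious_temp_drops(paths, temp_dir):
    """Return the paths that sit directly in temp_dir and whose file name
    matches mss<digits>.exe; PureWindowsPath compares case-insensitively."""
    temp = PureWindowsPath(temp_dir)
    return [str(PureWindowsPath(p)) for p in paths
            if PureWindowsPath(p).parent == temp
            and MSS_DROP.match(PureWindowsPath(p).name)]


if __name__ == "__main__":
    for client, url, kind in match_proxy_log(LOG_LINES):
        print(f"{kind:4} {client} {url}")
    for path in suspicious_temp_drops(SAMPLE_PATHS, TEMP):
        print("drop", path)
```

Host-only hits are listed separately because an indicator list like this one mostly names compromised legitimate sites; a host match alone is a lead to triage, not a verdict.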

We have seen it download the following malware families:

PWS:Win32/Zbot
Trojan:Win32/Kuluoz
TrojanDownloader:Win32/Upatre
Worm:Win32/Gamarue

Analysis by Zarestel Ferrer

Last update 20 July 2019

 
