Trojan:Win32/Lethic.B
First posted on 15 February 2019.
Source: Microsoft

Aliases:
Trojan:Win32/Lethic.B is also known as Packed.Win32.Krap.x, Trojan.Lethic.B, Win32/Lethic.AA, Trj/Zlob.KH, Trojan.CryptRedol.Gen.2.
Explanation:
Installation

This threat may drop copies of itself with different file names in the Windows system folder, for example:

shelldm.exe
xcllsx.exe

Note - the system folder is a variable location that the malware determines by querying the operating system. The default location of the System folder is C:\Winnt\System32 on Windows 2000 and NT, and C:\Windows\System32 on XP and Vista.

It creates entries in the system registry to ensure that its dropped copies run every time Windows starts:

Adds value: "Taskman"
With data: ""
To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Adds value: "Shell"
With data: "explorer.exe,"
To subkey: HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Adds value: ""
With data: ""
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

For example:

Adds value: "zmmclr"
With data: "xcllsx.exe"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Adds value: "wesspell"
With data: "shelldm.exe"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

It injects its code into the 'explorer.exe' process.

Payload

Connects to a remote server

The threat attempts to establish a connection to remote servers through various TCP ports. For example:

Attempts connecting to 'lycomputing.com' via TCP port 1430
Attempts connecting to 'nuygtfcwq.com' via TCP port 8900

Some of the remote sites it attempts to connect to are:

b1ijh7hifd.com
btceswqdw.com
lxforbug.com
lycomputing.com
miniknfdw.com
mojujfdhew.com
nhi8ho9lbnw.com
nuygtfcwq.com
sometimesgood.com
uckybusy.com

Once connected, it may allow remote access and control of an affected machine.

Analysis by Elda Dimakiling
Last update 15 February 2019
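The following PowerShell triage script is an added example and is not part of the Microsoft write-up. It checks a host for the persistence indicators from the Installation section (the Winlogon Taskman and Shell values, HKCU Run entries, dropped files in the system folder) and the network indicators from the Payload section (the listed domains and the example ports). The file names, value names, domains and ports are the examples given above; the Winlogon rule it applies is a general fact about that key (Winlogon runs every comma-separated entry in Shell, so "explorer.exe," followed by a path launches that path at logon), and the function layout and output format are this example's own assumptions.

```powershell
# Added triage script for the Trojan:Win32/Lethic.B indicators above (example code,
# not from the Microsoft write-up). Indicator values are the examples in the write-up;
# the checks and the output format are this script's own assumptions.

$DroppedNames = @('shelldm.exe', 'xcllsx.exe')          # example dropped file names
$C2Domains    = @('b1ijh7hifd.com', 'btceswqdw.com', 'lxforbug.com', 'lycomputing.com',
                  'miniknfdw.com', 'mojujfdhew.com', 'nhi8ho9lbnw.com', 'nuygtfcwq.com',
                  'sometimesgood.com', 'uckybusy.com')
$C2Ports      = @(1430, 8900)                           # example C2 ports
$Findings     = New-Object System.Collections.Generic.List[string]

# 1. Winlogon. Taskman is normally absent, and Shell is normally set only in HKLM with
#    the exact value "explorer.exe"; Winlogon launches every comma-separated entry, so
#    "explorer.exe,<path>" (the form shown above) starts the dropped file at logon.
foreach ($hive in 'HKLM', 'HKCU') {
    $key   = "$($hive):\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    $props = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
    if ($null -eq $props) { continue }
    $taskman = $props.PSObject.Properties['Taskman']
    if ($taskman) { $Findings.Add("$hive Winlogon\Taskman is set: '$($taskman.Value)'") }
    $shell = $props.PSObject.Properties['Shell']
    if ($shell -and ($hive -eq 'HKCU' -or $shell.Value -ne 'explorer.exe')) {
        $Findings.Add("$hive Winlogon\Shell is '$($shell.Value)'")
    }
}

# 2. HKCU Run entries whose command references a dropped file name. The value names
#    ("zmmclr", "wesspell") vary per sample, so match on the command data, not the name.
$ProviderProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
$run = Get-ItemProperty -LiteralPath 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($run) {
    foreach ($p in $run.PSObject.Properties) {
        if ($ProviderProps -contains $p.Name) { continue }   # skip provider metadata
        foreach ($name in $DroppedNames) {
            if ("$($p.Value)" -match [regex]::Escape($name)) {
                $Findings.Add("Run value '$($p.Name)' = '$($p.Value)' references $name")
            }
        }
    }
}

# 3. Dropped copies in the system folder.
$sysDir = Join-Path $env:SystemRoot 'System32'
foreach ($name in $DroppedNames) {
    $path = Join-Path $sysDir $name
    if (Test-Path -LiteralPath $path) { $Findings.Add("File present: $path") }
}

# 4. Network indicators: cached DNS lookups for the listed domains and TCP connections
#    to the listed ports (Get-DnsClientCache / Get-NetTCPConnection need Windows 8+).
foreach ($e in (Get-DnsClientCache -ErrorAction SilentlyContinue)) {
    foreach ($d in $C2Domains) {
        if ($e.Entry -eq $d -or $e.Entry -like "*.$d") {
            $Findings.Add("DNS cache: $($e.Entry) -> $($e.Data)")
        }
    }
}
foreach ($c in (Get-NetTCPConnection -State Established,SynSent -ErrorAction SilentlyContinue)) {
    if ($C2Ports -contains $c.RemotePort) {
        $Findings.Add("TCP $($c.RemoteAddress):$($c.RemotePort) from PID $($c.OwningProcess)")
    }
}

if ($Findings.Count -eq 0) { Write-Output 'No Lethic.B indicators found.' }
else { $Findings | ForEach-Object { Write-Output "[!] $_" } }
```

Run it from an elevated PowerShell on the suspect host. The file names, Run value names and ports in the write-up are examples, so a clean result from those name-based checks is weak evidence; the Winlogon Taskman and Shell checks do not depend on the sample and are worth keeping in any logon-persistence review. Get-DnsClientCache and Get-NetTCPConnection are not available on the XP and Vista releases the write-up names; on those hosts use `ipconfig /displaydns` and `netstat -ano` for the same two checks.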