Home / malware TrojanDownloader:Win32/Renos.KF
First posted on 03 August 2019.
Source: MicrosoftAliases :
There are no other names known for TrojanDownloader:Win32/Renos.KF.
Explanation :
TrojanDownloader:Win32/Renos.KF is a generic detection for a family of trojans that connect to certain websites in order to download arbitrary files. This may include other TrojanDownloader:Win32/Renos components, and rogue antivirus software such as Rogue:Win32/FakeSecSen or Rogue:Win32/FakeXPA. TrojanDownloader:Win32/Renos.KF may be distributed in the wild masquerading as a video codec. For an example, please see the image below: It has also been observed being downloaded to affected machines after users are prompted by fake online security scanners. See below for examples of this method of distribution being utilized in the wild: InstallationWhen executed, TrojanDownloader:Win32/Renos.KF runs from its original location and modifies the registry to run the trojan downloader at each Windows start (for example): In subkey: HKCUSoftwareMicrosoftWindowsCurrentVersionRunSets value: "MSFox" (or "Cognac")With data: "
" Additional registry modifications are made similar to the following example: In subkey: HKLMSoftwareMozillaMSFoxSets value: Str With data: (for example, "x6tveq8ngbtmpknqirnnqauudxwx") Note:These registry modifications may vary according to minor variant and the values listed may be different from those given in these examples. Payload Downloads and executes arbitrary filesOnce installed, the trojan may connect to one of a number of remote web servers from which it may download and execute other files. In the wild, we have observed servers at the following locations being contacted in this manner by TrojanDownloader:Win32/Renos.KF: image-big-library.com 22.250.166.222 167.156.220.15 erabl-pict.com imagerepository.com images-base.com the-exefiles.com freeexefiles.com exefileformat.com newexefile.com Files downloaded may include other TrojanDownloader:Win32/Renos components, and rogue antivirus software such as Rogue:Win32/FakeSecSen or Rogue:Win32/FakeXPA. TrojanDownloader:Win32/Renos.KF has also been observed downloading files and other content associated with advertising and browser redirection. TrojanDownloader:Win32/Renos may post system information to the remote server before downloading files. The downloaded malware is generally saved to the %temp% directory, using filenames such as "~tmpa.exe". Analysis by Hamish O'Dea Last update 03 August 2019