
TrojanDropper:Win32/Morblish.A


First posted on 28 September 2015.
Source: Microsoft

Aliases:

There are no other names known for TrojanDropper:Win32/Morblish.A.

Explanation:

Threat behavior

Installation
This threat can create files on your PC, including:

  • %ProgramData%\microsoft\windows\start menu\programs\startup\mpcmdrun.exe


The malware uses code injection to make it harder to detect and remove. It can inject code into running processes.

The presence of the following files in %TEMP% directory may also indicate infection:

  • AdobeArm.exe
  • msdtcvtre.bat
  • qsm.bat
  • zawq.bat


Payload


Installs malware or unwanted software

This trojan can install and run Backdoor:Win32/Morblish.A onto your PC.



Connects to a remote host

We have seen this threat connect to a remote host, including:
  • 196.4.67.45 using port 443
Malware can connect to a remote host to do any of the following:
  • Download and run files (including updates or other malware)
  • Report a new infection to its author
  • Receive configuration or other data
  • Receive instructions from a malicious hacker
  • Search for your PC location
  • Upload information taken from your PC


Additional information

This threat was identified as the payload of a crafted Hangul Word Processor (HWP) document designed to exploit a vulnerability we detect as Exploit:Win32/CVE-2015-6585.



This malware description was published using automated analysis of file SHA1 880f4bcd644f812cf21a7083801b184dc8f8622e.

Symptoms

The following can indicate that you have this threat on your PC:

  • You see a file similar to:
    • %ProgramData%\microsoft\windows\start menu\programs\startup\mpcmdrun.exe
  • You see the following mutex:
    • G{D19BAF17-7C87-467E-8D63-6C4B1C836373}
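The indicators listed under Installation, Connects to a remote host and Symptoms above can be turned into a simple host-artifact matcher. The following is an added example, not part of the Microsoft description, that checks a collected inventory of file paths, mutex names and outbound connections (for instance exported from an EDR or from `netstat -b` and a handle listing) against the page's IoCs. It assumes %ProgramData% and %TEMP% expand to the default locations shown in `DEFAULT_ENV`, and the `SAMPLE_HOST` data is constructed for illustration.

```python
import re
from dataclasses import dataclass

# Indicators copied from the description above.
# The startup-folder path is stored with %ProgramData% already expanded to its
# default location (an assumption; adjust DEFAULT_ENV for non-default installs).
IOC_FILES = {
    r"c:\programdata\microsoft\windows\start menu\programs\startup\mpcmdrun.exe",
}
IOC_TEMP_FILENAMES = {"adobearm.exe", "msdtcvtre.bat", "qsm.bat", "zawq.bat"}
IOC_MUTEXES = {"G{D19BAF17-7C87-467E-8D63-6C4B1C836373}"}
IOC_REMOTE = {("196.4.67.45", 443)}

# Assumed default environment of the inspected host (constructed values).
DEFAULT_ENV = {
    "ProgramData": r"C:\ProgramData",
    "TEMP": r"C:\Users\victim\AppData\Local\Temp",
}


def expand_env(path, env=DEFAULT_ENV):
    """Expand %VAR% tokens case-insensitively, as Windows does."""
    def repl(match):
        wanted = match.group(1).lower()
        for key, value in env.items():
            if key.lower() == wanted:
                return value
        return match.group(0)  # unknown variable: leave the token in place
    return re.sub(r"%([^%]+)%", repl, path)


def norm(path, env=DEFAULT_ENV):
    """Canonical form for comparison: expanded, backslashes only, lower-case."""
    return expand_env(path, env).replace("/", "\\").lower()


@dataclass
class HostArtifacts:
    files: list        # file paths observed on disk
    mutexes: list      # mutex names observed in process handles
    connections: list  # (remote_ip, remote_port, owning_process)


def match_iocs(host, env=DEFAULT_ENV):
    """Return a list of (indicator_type, evidence) tuples for every IoC hit."""
    hits = []
    temp_dir = norm("%TEMP%", env)
    for path in host.files:
        canonical = norm(path, env)
        directory, _, name = canonical.rpartition("\\")
        if canonical in IOC_FILES:
            hits.append(("file", path))
        # The %TEMP% names only count when the file actually sits in %TEMP%;
        # the same file name elsewhere is not the indicator the page describes.
        elif directory == temp_dir and name in IOC_TEMP_FILENAMES:
            hits.append(("temp_file", path))
    for mutex in host.mutexes:
        if mutex in IOC_MUTEXES:  # mutex names are case-sensitive
            hits.append(("mutex", mutex))
    for ip, port, process in host.connections:
        if (ip, int(port)) in IOC_REMOTE:
            hits.append(("connection", f"{process} -> {ip}:{port}"))
    return hits


# Constructed sample inventory: a mix of indicator hits and look-alike benign entries.
SAMPLE_HOST = HostArtifacts(
    files=[
        r"%ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup\MpCmdRun.exe",
        r"C:\Program Files\Windows Defender\MpCmdRun.exe",   # legitimate location
        r"%TEMP%\qsm.bat",
        r"C:\Tools\qsm.bat",                                 # same name, wrong directory
        r"C:\Users\victim\AppData\Local\Temp\AdobeARM.exe",
    ],
    mutexes=["G{D19BAF17-7C87-467E-8D63-6C4B1C836373}", r"Global\UnrelatedMutex"],
    connections=[("196.4.67.45", 443, "AdobeArm.exe"), ("13.107.4.50", 443, "msedge.exe")],
)


def scan_sample():
    return match_iocs(SAMPLE_HOST)


if __name__ == "__main__":
    for kind, evidence in scan_sample():
        print(f"{kind:10} {evidence}")
```

The matcher deliberately keys on the full startup-folder path rather than on the file name alone: `MpCmdRun.exe` is also the name of the legitimate Windows Defender command-line tool, which lives under Program Files, so a name-only rule would raise false positives. Likewise the %TEMP% file names are only treated as indicators inside %TEMP%, matching the wording of the description.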

Last update 28 September 2015
