
Trojan.Luminrat


First posted on 28 October 2015.
Source: Symantec

Aliases:

There are no other names known for Trojan.Luminrat.

Explanation:

Once executed, the Trojan creates the following folder:
%SystemDrive%\[DECIMAL NUMBERS]\[DECIMAL NUMBERS]\1
The Trojan then drops the following clean file:
%SystemDrive%\[DECIMAL NUMBERS]\helper.exe
Next, the Trojan creates the following registry entries:
HKEY_CURRENT_USER\Software\"Xmy8Wrx1nWVOj522YFIamQ==" = "[BASE64 DATA]"
HKEY_CURRENT_USER\Software\"UeE/t8o052EAyeZxeEkWIg==" = "[BASE64 DATA]"
The Trojan then opens a back door on the compromised computer and connects to the following remote location over TCP port 7189:
lumilogs.ddns.net
The Trojan may then perform the following actions:
Perform TCP, UDP, and Slowloris distributed denial-of-service attacks
Upload files to a remote location
Download potentially malicious files
Open a command shell
Traverse files and folders
Modify the hosts file
Update itself
Start a remote desktop
Record audio
Record webcam footage
Display a message box
Open a proxy
Disable Task Manager
The Trojan may also steal email and FileZilla account credentials from the compromised computer.
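As an added triage example (not part of the Symantec write-up), the following Python checks a registry export, a list of file paths and connection log lines against the indicators listed above; the `dst=host:port` log field and the sample inputs are assumptions.

```python
import re

# Indicators transcribed from the write-up above; the scanning logic is an added
# illustration, not Symantec's detection.
REG_VALUE_NAMES = {"Xmy8Wrx1nWVOj522YFIamQ==", "UeE/t8o052EAyeZxeEkWIg=="}
REG_KEY = r"HKEY_CURRENT_USER\Software"
C2_HOST, C2_PORT = "lumilogs.ddns.net", 7189
# %SystemDrive%\[DECIMAL NUMBERS]\helper.exe and %SystemDrive%\[DECIMAL NUMBERS]\[DECIMAL NUMBERS]\1
DROP_PATH_RE = re.compile(r"^[A-Za-z]:\\\d+\\(?:\d+\\1|helper\.exe)$", re.IGNORECASE)
CONN_RE = re.compile(r"dst=([^:\s]+):(\d+)")  # assumed 'dst=host:port' field in connection logs

def scan_registry_export(text):
    """Value names directly under the HKCU Software key (from 'reg export' text) that match the write-up."""
    hits, section = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]  # key header for the values that follow
            continue
        m = re.match(r'^"([^"]+)"=', line)
        if m and section and section.lower() == REG_KEY.lower() and m.group(1) in REG_VALUE_NAMES:
            hits.append(m.group(1))
    return hits

def scan_paths(paths):
    """Paths that fit the all-digit folder layout the Trojan creates."""
    return [p for p in paths if DROP_PATH_RE.match(p)]

def scan_connections(lines):
    """(line, port_is_7189) for each record to the C2 host; any contact is reported,
    the port only adds confidence."""
    out = []
    for line in lines:
        m = CONN_RE.search(line)
        if m and m.group(1).lower() == C2_HOST:
            out.append((line, int(m.group(2)) == C2_PORT))
    return out

# Constructed sample inputs for a dry run (not data from a real host).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software]
"Xmy8Wrx1nWVOj522YFIamQ=="="QUJDREVGRw=="
"UnrelatedValue"="1"

[HKEY_CURRENT_USER\Software\Vendor]
"UeE/t8o052EAyeZxeEkWIg=="="x"
'''
SAMPLE_PATHS = [r"C:\1845032\helper.exe", r"C:\1845032\772013\1", r"C:\Windows\helper.exe"]
SAMPLE_CONNS = ["2015-10-28T10:01:02 dst=lumilogs.ddns.net:7189 proto=tcp",
                "2015-10-28T10:01:05 dst=example.com:443 proto=tcp"]
```

The second registry value in the sample sits under a sub-key rather than directly under HKCU\Software, so it is deliberately not reported; widen the section check if a looser match is wanted.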

Last update 28 October 2015
