
TrojanDownloader:Win32/Drixed.B


First posted on 09 December 2014.
Source: Microsoft

Aliases:

There are no other names known for TrojanDownloader:Win32/Drixed.B.

Explanation:

Threat behavior

Installation

This threat is installed by TrojanDownloader:W97M/Adnel into the %TEMP% folder.

Whenever the threat is run, it renames itself to "edg" followed by a variable hexadecimal suffix and the .exe extension, for example edg1AF6.exe or edg10D.exe.

Payload

Downloads other files, including malware

This threat can connect to a remote server and download other files. We have seen it try to connect to the following servers:

  • http://194.146.136.1:8080/
  • http://84.92.26.50:8080/
  • http://87.106.246.201:8080/


We have seen it download a file with a .tmp or .tmp.exe extension, for example 4473.tmp or 3ED7.tmp.exe. It might download that file into %LOCALAPPDATA%.

In the wild, we detect these files as TrojanSpy:Win32/Ursnif.gen!K and TrojanDownloader:Win64/Drixed.B.

It injects this file into web browser processes. At the time of analysis, the purpose of the web browser injection is unclear.

The threat might also download other files. In the wild, we have seen it try to download WinMail.exe.

Steals information about your PC

The threat gathers the following information about your PC:

  • Computer name by reading the registry entry HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName, "ComputerName"
  • Username by reading the registry entry HKCU\Volatile Environment, "USERNAME"
  • Operating system version
  • Installed software and version by reading the registry entries under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall


It encodes this information and sends it to the remote server before downloading or installing other files.



Analysis by Rex Plantado and HeungSoo David Kang

Symptoms

The following can indicate that you have this threat on your PC:

  • You have these files:

    a .tmp file in %LOCALAPPDATA%, for example 4473.tmp
    a .tmp.exe file in %LOCALAPPDATA%, for example 3ED7.tmp.exe
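As an added example that is not part of the Microsoft write-up, the following Python triage helper checks file paths and proxy log lines against the indicators given above: the edg<hex>.exe name the downloader gives itself in %TEMP%, the <hex>.tmp / <hex>.tmp.exe drop in %LOCALAPPDATA%, and outbound connections to the three listed servers. The log format, the sample paths and the assumption that %TEMP% resolves to a folder named Temp and %LOCALAPPDATA% to ...\AppData\Local are constructed for this example.

```python
import re
from urllib.parse import urlparse

# Indicators from the write-up: C2 servers, the edg<hex>.exe name the downloader gives
# itself in %TEMP% (assumed to resolve to ...\Temp) and the <hex>.tmp / <hex>.tmp.exe
# drop in %LOCALAPPDATA% (assumed to resolve to ...\AppData\Local).
C2_SERVERS = {("194.146.136.1", 8080), ("84.92.26.50", 8080), ("87.106.246.201", 8080)}
DOWNLOADER_NAME = re.compile(r"^edg[0-9a-f]+\.exe$", re.IGNORECASE)
PAYLOAD_NAME = re.compile(r"^[0-9a-f]+\.tmp(\.exe)?$", re.IGNORECASE)

def check_paths(paths):
    """Return the paths whose folder and file name match the file indicators."""
    hits = []
    for path in paths:
        folder, _, name = path.replace("/", "\\").rpartition("\\")
        folder = folder.lower()
        if DOWNLOADER_NAME.match(name) and folder.endswith("\\temp"):
            hits.append(path)
        elif PAYLOAD_NAME.match(name) and folder.endswith("\\appdata\\local"):
            hits.append(path)
    return hits

def check_proxy_log(lines):
    """Return the log lines whose request URL points at one of the C2 servers.
    Assumed (constructed) format: '<timestamp> <client> <method> <url> <status>'."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        url = urlparse(fields[3])
        if url.hostname and (url.hostname, url.port or 80) in C2_SERVERS:
            hits.append(line)
    return hits

# Constructed sample data, not observed telemetry.
SAMPLE_PATHS = [
    r"C:\Users\alice\AppData\Local\Temp\edg1AF6.exe",
    r"C:\Users\alice\AppData\Local\3ED7.tmp.exe",
    r"C:\Users\alice\AppData\Local\4473.tmp",
    r"C:\Users\alice\Downloads\edg.exe",  # no hex suffix and wrong folder: benign
]
SAMPLE_LOG = [
    "2014-12-09T10:00:01 10.0.0.5 GET http://194.146.136.1:8080/ 200",
    "2014-12-09T10:00:02 10.0.0.5 GET http://example.com/index.html 200",
    "2014-12-09T10:00:03 10.0.0.7 POST http://84.92.26.50:8080/ 200",
]
if __name__ == "__main__":
    print(check_paths(SAMPLE_PATHS))
    print(check_proxy_log(SAMPLE_LOG))
```

The path check deliberately requires both the naming pattern and the expected folder, so an edg.exe in Downloads or a .tmp file elsewhere is not flagged on its own.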

Last update 09 December 2014
