Win32/Blakamba


First posted on 06 October 2015.
Source: Microsoft

Aliases:

There are no other names known for Win32/Blakamba.

Explanation:

Threat behavior

Installation

This threat is written in Python and uses multiple layers of obfuscation.

We have seen it installed to %ProgramFiles% using the file name format %ProgramFiles%\<name>\<name>.exe, where the executable carries the same name as its folder, for example:

  • %ProgramFiles%\Abrupt Bench\Abrupt Bench.exe
  • %ProgramFiles%\abrupt buyer\abrupt buyer.exe
  • %ProgramFiles%\Abrupt Coffee\Abrupt Coffee.exe
  • %ProgramFiles%\Abrupt Community\Abrupt Community.exe
  • %ProgramFiles%\Abrupt Concert\Abrupt Concert.exe


It can also be registered as a service under the following system registry key:

  • HKLM\System\CurrentControlSet\Services\<name>\<name>.exe, for example HKLM\System\CurrentControlSet\Services\Abrupt Bench\Abrupt Bench.exe


Payload

Connects to a remote host

We have seen this threat connect to remote web domains to download and run malicious code.


Analysis by Jireh Sanico

Symptoms

The following can indicate that you have this threat on your PC:

  • You have these files:

    %ProgramFiles%\<name>\<name>.exe, for example %ProgramFiles%\Abrupt Bench\Abrupt Bench.exe
  • You see these entries or keys in your registry:

    HKLM\System\CurrentControlSet\Services\<name>\<name>.exe, for example HKLM\System\CurrentControlSet\Services\Abrupt Bench\Abrupt Bench.exe
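The file and registry patterns from the Installation and Symptoms sections, turned into a local hunt, as an added example that is not part of Microsoft's write-up; the function name and the output fields are this example's own choices, and a hit is a lead to verify rather than a verdict, since legitimate software also installs as <name>\<name>.exe:

```powershell
# Added example, not part of the original write-up: look for an executable under
# %ProgramFiles% named after its own folder, and for a service registry entry of
# the same shape or one whose ImagePath points at such a file.
function Find-BlakambaArtifacts {
    $hits = [System.Collections.Generic.List[object]]::new()
    # Both 32- and 64-bit Program Files; the (x86) variable is absent on 32-bit Windows.
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }

    # 1. Files of the form <root>\<name>\<name>.exe. Record signer status and
    #    creation time so the analyst can triage each lead quickly.
    foreach ($root in $roots) {
        foreach ($dir in Get-ChildItem -LiteralPath $root -Directory -ErrorAction SilentlyContinue) {
            $candidate = Join-Path $dir.FullName "$($dir.Name).exe"
            if (Test-Path -LiteralPath $candidate -PathType Leaf) {
                $sig = Get-AuthenticodeSignature -FilePath $candidate
                $hits.Add([pscustomobject]@{
                    Type    = 'File'
                    Path    = $candidate
                    Signer  = $sig.Status
                    Created = (Get-Item -LiteralPath $candidate).CreationTime
                })
            }
        }
    }

    # 2. Services. The write-up reports a key shaped like
    #    HKLM\System\CurrentControlSet\Services\<name>\<name>.exe; also flag any
    #    service whose ImagePath references one of the files found above.
    $svcRoot   = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    $filePaths = @($hits | Where-Object Type -eq 'File' | ForEach-Object Path)
    foreach ($svc in Get-ChildItem -LiteralPath $svcRoot -ErrorAction SilentlyContinue) {
        $name  = $svc.PSChildName
        $image = (Get-ItemProperty -LiteralPath $svc.PSPath -ErrorAction SilentlyContinue).ImagePath
        $literalKey  = Test-Path -LiteralPath "$svcRoot\$name\$name.exe"
        $pointsAtHit = $image -and ($filePaths | Where-Object { $image -like "*$_*" })
        if ($literalKey -or $pointsAtHit) {
            $hits.Add([pscustomobject]@{
                Type    = 'Service'
                Path    = "$svcRoot\$name"
                Signer  = $null
                Created = $image   # ImagePath, shown here for triage
            })
        }
    }
    return $hits
}

Find-BlakambaArtifacts | Format-Table -AutoSize
```

Run from an elevated PowerShell session so the Services hive is readable in full.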

Last update 06 October 2015