TrojanDropper:Win32/Barlaiy.A!dha
First posted on 10 November 2016.
Source: Microsoft
Aliases:
There are no other names known for TrojanDropper:Win32/Barlaiy.A!dha.
Explanation:
Upon execution, this trojan drops the following DLL file, which is detected as Trojan:Win32/Barlaiy.A!dha:
%APPDATA%\nx00615.ttf
It attempts to randomize the file hash of the dropped DLL by appending a large amount of randomly generated data to the end of the DLL before writing it to disk, so that each dropped copy has a different whole-file hash even though the executable content is identical.
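The padding trick above only defeats detection that hashes the whole file. A PE's section table says where the last section's raw data ends, so anything past that offset is overlay and can be ignored when fingerprinting. The script below is an added illustration, not code from the malware or from Microsoft: it constructs a toy single-section PE in memory (a stand-in for the dropped DLL), pads two copies with random junk the way the dropper does, and shows that the whole-file SHA-256 differs while an overlay-agnostic hash of the image stays stable. The overlay size itself is also a useful indicator, since a legitimate DLL rarely carries kilobytes of trailing random bytes.

```python
import hashlib
import os
import struct

# Added illustration; the PE image is constructed inline (one section, no optional
# header) so the script runs offline. Real samples would be read from disk instead.


def build_minimal_pe(body: bytes) -> bytes:
    """Build a toy single-section PE image whose section data is `body`."""
    dos = bytearray(64)                       # DOS header
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew -> PE signature at 0x40
    # COFF file header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader (0 in this toy image), Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0, 0x2022)
    raw_ptr = 0x40 + 4 + 20 + 40              # section data follows the headers directly
    # Section header: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
    # PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
    # NumberOfLinenumbers, Characteristics
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(body), 0x1000, len(body), raw_ptr,
                       0, 0, 0, 0, 0x60000020)
    return bytes(dos) + b"PE\0\0" + coff + sect + body


def pe_image_end(data: bytes) -> int:
    """Offset just past the last section's raw data; anything after it is overlay."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size          # section table follows the optional header
    end = table + 40 * num_sections           # at minimum the headers themselves
    for i in range(num_sections):
        # SizeOfRawData at +16, PointerToRawData at +20 within each 40-byte entry
        size_raw, ptr_raw = struct.unpack_from("<II", data, table + 40 * i + 16)
        end = max(end, ptr_raw + size_raw)
    return end


def image_fingerprint(data: bytes) -> dict:
    """Whole-file hash (what the padding defeats) next to an overlay-agnostic hash."""
    end = pe_image_end(data)
    return {
        "file_sha256": hashlib.sha256(data).hexdigest(),
        "image_sha256": hashlib.sha256(data[:end]).hexdigest(),
        "overlay_bytes": len(data) - end,
    }


def pad_with_junk(pe: bytes, n: int) -> bytes:
    """Mimic the dropper: append n random bytes so every dropped copy hashes differently."""
    return pe + os.urandom(n)


if __name__ == "__main__":
    clean = build_minimal_pe(b"\x90" * 16)    # constructed stand-in for the payload DLL
    a, b = pad_with_junk(clean, 4096), pad_with_junk(clean, 4096)
    for name, img in (("clean", clean), ("drop1", a), ("drop2", b)):
        fp = image_fingerprint(img)
        print(name, fp["file_sha256"][:16], fp["image_sha256"][:16], fp["overlay_bytes"])
```

The same overlay-agnostic hash is what lets two drops of this family be matched to one another even though every whole-file hash submitted to a scanner is new.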
It then executes Trojan:Win32/Barlaiy.A!dha using the legitimate Windows program rundll32.exe and by calling one of its export functions:
%SystemRoot%\system32\rundll32.exe %APPDATA%\nx00615.ttf, DisPlay 64
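The launch on the line above is a strong behavioural signal on its own: rundll32.exe is being told to load a module with a font extension from a user profile directory and call an export named DisPlay. The script below is an added example, not the page's or Microsoft's detection logic; it parses rundll32 command lines from constructed process-creation records (field names follow Sysmon Event ID 1, an assumption about the telemetry source) and flags launches where the module is not a .dll, lives under AppData, or matches this family's .ttf/DisPlay pair.

```python
import ntpath
import re

# Constructed process-creation records in the style of Sysmon Event ID 1 fields.
# They are sample input for this added example, not real telemetry.
EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"C:\Windows\system32\rundll32.exe C:\Users\alice\AppData\Roaming\nx00615.ttf, DisPlay 64"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'"C:\Windows\System32\rundll32.exe" "C:\Users\bob\AppData\Roaming\evil.ttf",DisPlay 64'},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe printui.dll,PrintUIEntry /in /n \\srv\p"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\alice\AppData\Roaming\nx00615.ttf, DisPlay 64"},
]

# rundll32 syntax: <image> <module>,<entrypoint> [arguments]; the comma may be padded
# with spaces and the module path may be quoted.
CMD_RE = re.compile(
    r'^\s*(?:"[^"]*"|\S+)\s+'           # the rundll32 image, quoted or bare
    r'"?(?P<module>[^",]+?)"?\s*,\s*'   # module path up to the comma
    r'(?P<entry>\S+)'                   # export name (or #ordinal)
    r'(?:\s+(?P<args>.*?))?\s*$'        # everything after the export is passed to it
)


def classify(event: dict):
    """Return parsed fields plus the reasons a launch looks suspicious, or None
    if the event is not a rundll32 launch that can be parsed."""
    if ntpath.basename(event["Image"]).lower() != "rundll32.exe":
        return None
    m = CMD_RE.match(event["CommandLine"])
    if not m:
        return None
    module, entry, args = m.group("module").strip(), m.group("entry"), m.group("args")
    ext = ntpath.splitext(module)[1].lower()
    reasons = []
    if ext != ".dll":
        reasons.append(f"module extension is {ext or '(none)'}, not .dll")
    if "\\appdata\\" in module.lower():
        reasons.append("module loaded from a user profile AppData directory")
    if ext == ".ttf" and entry.lower() == "display":
        reasons.append("font-named module with DisPlay export matches the Barlaiy launch")
    return {"module": module, "entry": entry, "args": args, "reasons": reasons}


def suspicious_launches(events):
    """Filter to rundll32 launches that tripped at least one reason."""
    hits = []
    for ev in events:
        res = classify(ev)
        if res and res["reasons"]:
            hits.append((ev["CommandLine"], res))
    return hits


if __name__ == "__main__":
    for cmd, res in suspicious_launches(EVENTS):
        print(cmd)
        for r in res["reasons"]:
            print("   -", r)
```

The two legitimate rundll32 uses in the sample (a Control Panel applet and printui.dll) trip nothing, while both .ttf launches trip all three reasons; in practice the first two checks are worth keeping on their own, since the family can change the file name and export at will but still needs rundll32 to load a non-DLL from a writable location.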
This trojan creates the following mutex in order to make sure that only one instance is running:
win32_event_x86
Certain versions of this trojan also evade analysis by detecting analysis tools such as resource monitors and debuggers; when it finds such tools present, it stops running.
Analysis by Ramin Nafisi
Last update 10 November 2016