TrojanDownloader:Win32/Gratem.A
First posted on 15 February 2019.
Source: Microsoft
Aliases:
TrojanDownloader:Win32/Gratem.A is also known as HEUR/Fakon.mwf, Trojan.Win32.Agentb.aqca, Trojan.DownLoader11.19812, W32/Agent.NPS!worm, W32.SillyFDC, Troj/DwnLdr-MTN.
Explanation:
Installation
When run, the malware searches its current folder for the file tpe64.dll. If the file is found, the malware reads its contents, decrypts the data, and runs the decrypted code in memory.
If tpe64.dll isn't found, the malware instead tries to download the following file, retrying every five seconds:
adnetwork33.redirectme.net// /booswrap/layers.png
If successful, the downloaded blob is decrypted and run in memory. In both cases only the encrypted blob is ever written to disk; the decrypted code exists only in the running process.
The decrypted code creates the following shortcut:
WindowManager.lnk - detected as TrojanDownloader:Win32/Gratem.A!lnk
This shortcut points to the malware file %ProgramData%\WindowMan\dwm22.exe.
The malware creates copies of itself in the following files:
%ProgramData%\WindowMan\dwm22.exe - the original malware file
%ProgramData%\WindowMan\tpe64.dll - the encrypted blob (the same file the installation routine looks for in its current folder on later runs)
%ProgramData%\WindowMan\x22.dd
Payload
Connects to a remote host
We have seen this threat connect to the following remote hosts to check for an Internet connection:
74.125..112
74.125. .113
74.125. .114
74.125. .115
74.125. .116
129.42. .1
198.133. .25
207.46. .32
207.46. .182
Downloads files
We have seen the malware download the following file:
adnetwork33.redirectme.net// /booswrap/main.php
It saves the file to %TEMP%\setupGZ.tmp and runs it.
As of writing, the above URL is not accessible.
Additional information
Creates a mutex
We have seen this malware create the following mutexes:
GGM-KRTYUA1-B1NHHTYU
B2B27EA7-6F32-4465-8C7C-D2A6E4BAEFA3
These mutexes serve as infection markers that stop more than one copy of the threat from running on the PC at the same time.
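As an added host-triage example (not code from the Microsoft write-up), the following PowerShell checks a host for the file, shortcut and mutex artifacts listed under Installation, Downloads files and Creates a mutex above. The backslashes in the %ProgramData%\WindowMan\ paths, the Startup-folder locations searched for WindowManager.lnk, and the Global\ mutex namespace are assumptions; the page gives only the names.

```powershell
# Added host-triage example; not code from the Microsoft write-up.
# Checks for the on-disk and in-memory artifacts the entry attributes to
# Gratem.A. Path separators, the Startup-folder location of the .lnk and the
# Global\ mutex namespace are assumptions; the page gives only the names.

$ErrorActionPreference = 'Stop'

# File artifacts from "Installation" and "Downloads files".
$fileIocs = @(
    (Join-Path $env:ProgramData 'WindowMan\dwm22.exe'),  # original malware file
    (Join-Path $env:ProgramData 'WindowMan\tpe64.dll'),  # encrypted blob
    (Join-Path $env:ProgramData 'WindowMan\x22.dd'),
    (Join-Path $env:TEMP 'setupGZ.tmp')                  # downloaded second stage
)

# Mutex names from "Creates a mutex".
$mutexIocs = @('GGM-KRTYUA1-B1NHHTYU', 'B2B27EA7-6F32-4465-8C7C-D2A6E4BAEFA3')

function Test-GratemFiles {
    foreach ($path in $fileIocs) {
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $item = Get-Item -LiteralPath $path
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            [pscustomobject]@{
                Type      = 'File'
                Indicator = $path
                Detail    = "$($item.Length) bytes, SHA256 $hash, modified $($item.LastWriteTime)"
            }
        }
    }
}

function Test-GratemShortcut {
    # The write-up does not say where WindowManager.lnk is dropped; the per-user
    # and all-users Startup folders are the assumed persistence locations.
    $shell = New-Object -ComObject WScript.Shell
    foreach ($folder in 'Startup', 'CommonStartup') {
        $lnk = Join-Path ([Environment]::GetFolderPath($folder)) 'WindowManager.lnk'
        if (Test-Path -LiteralPath $lnk -PathType Leaf) {
            $target = $shell.CreateShortcut($lnk).TargetPath
            [pscustomobject]@{ Type = 'Shortcut'; Indicator = $lnk; Detail = "target: $target" }
        }
    }
}

function Test-GratemMutex {
    foreach ($name in $mutexIocs) {
        # An unprefixed name is session-local; the Global\ namespace is tried as well.
        foreach ($full in @($name, "Global\$name")) {
            $m = $null
            try {
                if ([System.Threading.Mutex]::TryOpenExisting($full, [ref]$m)) {
                    $m.Dispose()
                    [pscustomobject]@{ Type = 'Mutex'; Indicator = $full; Detail = 'present (a copy is likely running)' }
                }
            } catch [System.UnauthorizedAccessException] {
                # The mutex exists but its ACL denies this account: still an indicator.
                [pscustomobject]@{ Type = 'Mutex'; Indicator = $full; Detail = 'present (access denied)' }
            }
        }
    }
}

$findings = @(Test-GratemFiles) + @(Test-GratemShortcut) + @(Test-GratemMutex)
if ($findings.Count -eq 0) {
    Write-Output 'No Gratem.A artifacts found on this host.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it from an elevated prompt in the session you are examining: session-local mutex names are only visible from within that session, and the all-users Startup folder and %ProgramData% may not be readable by a standard account. A hit on tpe64.dll alone is still meaningful even if dwm22.exe has been removed, because the encrypted blob is what the installation routine decrypts and runs on the next start.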
Analysis by Allan Sepillo. Last update 15 February 2019.