SHA1: 22b241b39c7e28dc15556d3da7e3a854c4e9219e
A multifunctional Trojan for devices running Microsoft Windows, written with the .NET Framework and packed with Themida. It uses the website telegra.ph as its command and control server. For persistence, the Trojan registers itself with the Windows Task Scheduler.
The Trojan can detect that it is being launched inside a virtual machine. To do so, it issues a Windows Management Instrumentation (WMI) query against the Win32_ComputerSystem class (“* from Win32_ComputerSystem”) and checks the returned object(s) as follows:
- The value of Manufacturer, converted to lower case, contains “vmware”;
- The value of Manufacturer, converted to lower case, equals “microsoft corporation” and the value of Model, converted to upper case, contains “VIRTUAL”;
- The value of Model contains “VirtualBox”;
- Additionally, the malicious program checks all returned objects for a property whose name matches the string “HypervisorPresent”.
The Trojan also checks whether any of the following modules are loaded into its process:
- cmdvrt32.dll
- SxIn.dll
- SbieDll.dll
- Sf2.dll
- snxhk.dll
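The two evasion checks above (the Win32_ComputerSystem heuristics and the loaded-module list) are easy to misread, so the following added example re-implements them in Python as a sandbox-maintainer's self-test: feed it the Manufacturer/Model values and module list of an analysis VM and it reports which of the described conditions that environment would trip. This is example code written for this page, not code from the Trojan or from the original write-up; the sample records in `main()` are constructed, not real WMI output, and the function and indicator names are this example's own.

```python
# Added example (not the malware's code): re-implements the VM/sandbox detection
# heuristics described above so an analysis environment can be checked against them.
# Input records are constructed samples passed in as dicts, not live WMI data.
from typing import Iterable, List, Mapping

# Module names the write-up lists as sandbox/AV hooks the Trojan looks for in its process
# (lower-cased here so the comparison is case-insensitive).
SANDBOX_MODULES = {"cmdvrt32.dll", "sxin.dll", "sbiedll.dll", "sf2.dll", "snxhk.dll"}


def vm_indicators(computer_system: Mapping[str, object]) -> List[str]:
    """Return the names (chosen for this example) of the heuristics that the given
    Win32_ComputerSystem object would trigger. The mapping holds property name -> value,
    the shape in which a WMI query of that class returns an object."""
    manufacturer = str(computer_system.get("Manufacturer", ""))
    model = str(computer_system.get("Model", ""))
    hits: List[str] = []
    # Check 1: Manufacturer (lower case) contains "vmware".
    if "vmware" in manufacturer.lower():
        hits.append("manufacturer-vmware")
    # Check 2: Manufacturer (lower case) equals "microsoft corporation"
    # and Model (upper case) contains "VIRTUAL".
    if manufacturer.lower() == "microsoft corporation" and "VIRTUAL" in model.upper():
        hits.append("hyperv-virtual-model")
    # Check 3: Model contains "VirtualBox" (case-sensitive, as described).
    if "VirtualBox" in model:
        hits.append("model-virtualbox")
    # Check 4 matches on a *property name*, not a value: any returned object that
    # exposes a property called HypervisorPresent counts, whatever its value is.
    if any(name == "HypervisorPresent" for name in computer_system):
        hits.append("hypervisorpresent-property")
    return hits


def sandbox_modules(loaded_modules: Iterable[str]) -> List[str]:
    """Return which of the listed sandbox/AV DLLs appear among the loaded module
    names or paths (compared case-insensitively on the base file name)."""
    found: List[str] = []
    for path in loaded_modules:
        base = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if base in SANDBOX_MODULES:
            found.append(base)
    return found


def would_evade(computer_system: Mapping[str, object], loaded_modules: Iterable[str]) -> bool:
    """True if either check family fires, i.e. the Trojan as described would refuse to run."""
    return bool(vm_indicators(computer_system) or sandbox_modules(loaded_modules))


def main() -> None:
    # Constructed sample environments (not captured from real machines).
    samples = {
        "vmware-guest": ({"Manufacturer": "VMware, Inc.", "Model": "VMware Virtual Platform"}, ["ntdll.dll"]),
        "hyperv-guest": ({"Manufacturer": "Microsoft Corporation", "Model": "Virtual Machine"}, ["ntdll.dll"]),
        "sandboxie": ({"Manufacturer": "Dell Inc.", "Model": "Latitude 7490"},
                      ["C:\\Windows\\System32\\ntdll.dll", "C:\\Program Files\\Sandboxie\\SbieDll.dll"]),
        "bare-metal": ({"Manufacturer": "Dell Inc.", "Model": "Latitude 7490"}, ["ntdll.dll"]),
    }
    for name, (cs, mods) in samples.items():
        print(f"{name:13s} vm={vm_indicators(cs)} modules={sandbox_modules(mods)} evade={would_evade(cs, mods)}")


if __name__ == "__main__":
    main()
```

One caveat the fourth check raises: because it keys on the property name rather than its value, it fires on any system whose Win32_ComputerSystem class exposes a HypervisorPresent property at all, which recent Windows releases do on physical hardware as well; an analysis VM therefore cannot avoid that condition by adjusting values, only by controlling which properties the query returns.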
The Trojan has the following capabilities:
- Execution of DDoS attacks (HTTP, UDP);
- Search for files on the C drive;
- Creation of files;
- File downloading;
- Upload of files to a remote server;
- Execution of commands on an infected machine;
- Creation of a specified registry key;
- Checking whether a process with a specified name is running.