Trojan.DownLoader46.54596

Техническая информация

Вредоносные функции

Запускает на исполнение

'<SYSTEM32>\taskkill.exe' /f /im HTTPDebuggerUI.exe
'<SYSTEM32>\taskkill.exe' /f /im Ida64.exe
'<SYSTEM32>\taskkill.exe' /f /im x32dbg.exe
'<SYSTEM32>\taskkill.exe' /f /im x64dbg.exe
'<SYSTEM32>\taskkill.exe' /f /im OllyDbg.exe
'<SYSTEM32>\taskkill.exe' /f /im HTTP Debugger Windows Service (32 bit).exe
'<SYSTEM32>\taskkill.exe' /f /im cheatengine-i386.exe
'<SYSTEM32>\taskkill.exe' /f /im MugenJinFuu-i386.exe
'<SYSTEM32>\taskkill.exe' /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe
'<SYSTEM32>\taskkill.exe' /f /im cheatengine-x86_64-SSE4-AVX2.exe
'<SYSTEM32>\taskkill.exe' /f /im cheatengine-x86_64.exe
'<SYSTEM32>\taskkill.exe' /f /im Cheat Engine.exe
'<SYSTEM32>\taskkill.exe' /f /im de4dot.exe
'<SYSTEM32>\taskkill.exe' /f /im Xenos32.exe
'<SYSTEM32>\taskkill.exe' /f /im Xenos.exe
'<SYSTEM32>\taskkill.exe' /f /im Xenos64.exe
'<SYSTEM32>\taskkill.exe' /f /im FiddlerEverywhere.exe
'<SYSTEM32>\taskkill.exe' /f /im Fiddler.exe
'<SYSTEM32>\taskkill.exe' /f /im Wireshark.exe
'<SYSTEM32>\taskkill.exe' /f /im idaq64.exe
'<SYSTEM32>\taskkill.exe' /f /im idaq.exe
'<SYSTEM32>\taskkill.exe' /f /im ProcessHacker.exe
'<SYSTEM32>\taskkill.exe' /f /im HTTPDebuggerSvc.exe
'<SYSTEM32>\taskkill.exe' /f /im KsDumper.exe
'<SYSTEM32>\taskkill.exe' /f /im KsDumperClient.exe
'<SYSTEM32>\taskkill.exe' /f /im mafiaengine-x86_64-SSE4-AVX2.exe
'<SYSTEM32>\taskkill.exe' /f /im Dbg64.exe
'<SYSTEM32>\taskkill.exe' /f /im Dbg32.exe

Изменения в файловой системе

Создает следующие файлы

nul
%WINDIR%\temp\tar858f.tmp
%WINDIR%\temp\cab858e.tmp
%WINDIR%\temp\tar6f6e.tmp
%WINDIR%\temp\cab6f6d.tmp
%WINDIR%\temp\tar6eff.tmp
%WINDIR%\temp\cab6eef.tmp
%WINDIR%\temp\tar58a0.tmp
%WINDIR%\temp\cab589f.tmp
%WINDIR%\temp\tar5802.tmp
%WINDIR%\temp\cab5801.tmp
%WINDIR%\temp\tar41b2.tmp
%WINDIR%\temp\cab41b1.tmp
%WINDIR%\temp\tar4124.tmp
%WINDIR%\temp\cabc9e0.tmp
%WINDIR%\temp\cab4123.tmp
%WINDIR%\temp\cab2b02.tmp
%WINDIR%\temp\tar2aa3.tmp
%WINDIR%\temp\cab2aa2.tmp
%WINDIR%\temp\tar2a63.tmp
%WINDIR%\temp\cab2a62.tmp
%WINDIR%\temp\tar29e4.tmp
%WINDIR%\temp\cab29d4.tmp
%WINDIR%\temp\tar1385.tmp
%WINDIR%\temp\cab1384.tmp
%WINDIR%\temp\tar1306.tmp
%WINDIR%\temp\cab1305.tmp
%WINDIR%\temp\tarfbbd.tmp
%WINDIR%\temp\cabfbbc.tmp
%WINDIR%\temp\tar2b03.tmp
%WINDIR%\temp\tarc9e1.tmp

Удаляет следующие файлы

%WINDIR%\temp\cabfbbc.tmp
%WINDIR%\temp\tar858f.tmp
%WINDIR%\temp\cab858e.tmp
%WINDIR%\temp\tar6f6e.tmp
%WINDIR%\temp\cab6f6d.tmp
%WINDIR%\temp\tar6eff.tmp
%WINDIR%\temp\cab6eef.tmp
%WINDIR%\temp\tar58a0.tmp
%WINDIR%\temp\cab589f.tmp
%WINDIR%\temp\tar5802.tmp
%WINDIR%\temp\cab5801.tmp
%WINDIR%\temp\tar41b2.tmp
%WINDIR%\temp\cab41b1.tmp
%WINDIR%\temp\tar4124.tmp
%WINDIR%\temp\cab4123.tmp
%WINDIR%\temp\tar2b03.tmp
%WINDIR%\temp\cab2b02.tmp
%WINDIR%\temp\tar2aa3.tmp
%WINDIR%\temp\cab2aa2.tmp
%WINDIR%\temp\tar2a63.tmp
%WINDIR%\temp\cab2a62.tmp
%WINDIR%\temp\tar29e4.tmp
%WINDIR%\temp\cab29d4.tmp
%WINDIR%\temp\tar1385.tmp
%WINDIR%\temp\cab1384.tmp
%WINDIR%\temp\tar1306.tmp
%WINDIR%\temp\cab1305.tmp
%WINDIR%\temp\tarfbbd.tmp
%WINDIR%\temp\cabc9e0.tmp
%WINDIR%\temp\tarc9e1.tmp

Сетевая активность

Подключается к

'localhost':49185
'localhost':49187
'ke##uth.win':443
'x1.#.lencr.org':80
'x2.#.lencr.org':80

TCP

Запросы HTTP GET

http://x1.#.lencr.org/
http://x2.#.lencr.org/

Другие

'localhost':49185
'localhost':49187
'localhost':49188
'ke##uth.win':443

UDP

DNS ASK ke##uth.win
DNS ASK x1.#.lencr.org
DNS ASK x2.#.lencr.org

Другое

Ищет следующие окна

ClassName: '' WindowName: ''

Запускает на исполнение

'<SYSTEM32>\cmd.exe' /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
'<SYSTEM32>\cmd.exe' /c taskkill /f /im HTTP Debugger Windows Service (32 bit).exe >nul 2>&1
'<SYSTEM32>\cmd.exe' /c taskkill /f /im OllyDbg.exe >nul 2>&1
'<SYSTEM32>\cmd.exe' /c taskkill /f /im x64dbg.exe >nul 2>&1
'<SYSTEM32>\cmd.exe' /c taskkill /f /im x32dbg.exe >nul 2>&1
'<SYSTEM32>\cmd.exe' /c taskkill /f /im Ida64.exe >nul 2>&1
'<SYSTEM32>\cmd.exe' /c taskkill /f /im MugenJinFuu-i386.exe >nul 2>&1
'<SYSTEM32>\cmd.exe' /c taskkill /f /im cheatengine-i386.exe >nul 2>&1
'<SYSTEM32>\cmd.exe' /c taskkill /f /im Dbg64.exe >nul 2>&1
'<SYSTEM32>\cmd.exe' /c certutil -hashfile "<Полный путь к файлу>" MD5 | find /i /v "md5" | find /i /v "certutil"
'<SYSTEM32>\certutil.exe' -hashfile "<Полный путь к файлу>" MD5
'<SYSTEM32>\find.exe' /i /v "md5"
'<SYSTEM32>\find.exe' /i /v "certutil"
'<SYSTEM32>\cmd.exe' /c start cmd /C "color b && title Error && echo SSL connect error && timeout /t 5"
'<SYSTEM32>\cmd.exe' /c taskkill /f /im Dbg32.exe >nul 2>&1
'<SYSTEM32>\cmd.exe' /c Color 5
'<SYSTEM32>\cmd.exe' /c taskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe >nul 2>&1
'<SYSTEM32>\cmd.exe' /c taskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe >nul 2>&1
'<SYSTEM32>\cmd.exe' /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&1
'<SYSTEM32>\cmd.exe' /c taskkill /f /im KsDumperClient.exe >nul 2>&1
'<SYSTEM32>\cmd.exe' /c taskkill /f /im KsDumper.exe >nul 2>&1
'<SYSTEM32>\cmd.exe' /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
'<SYSTEM32>\cmd.exe' /c taskkill /f /im ProcessHacker.exe >nul 2>&1
'<SYSTEM32>\cmd.exe' /c taskkill /f /im idaq.exe >nul 2>&1
'<SYSTEM32>\cmd.exe' /c taskkill /f /im idaq64.exe >nul 2>&1
'<SYSTEM32>\cmd.exe' /c taskkill /f /im mafiaengine-x86_64-SSE4-AVX2.exe >nul 2>&1
'<SYSTEM32>\cmd.exe' /c taskkill /f /im Wireshark.exe >nul 2>&1
'<SYSTEM32>\cmd.exe' /c taskkill /f /im FiddlerEverywhere.exe >nul 2>&1
'<SYSTEM32>\cmd.exe' /c taskkill /f /im Xenos64.exe >nul 2>&1
'<SYSTEM32>\cmd.exe' /c taskkill /f /im Xenos.exe >nul 2>&1
'<SYSTEM32>\cmd.exe' /c taskkill /f /im Xenos32.exe >nul 2>&1
'<SYSTEM32>\cmd.exe' /c taskkill /f /im de4dot.exe >nul 2>&1
'<SYSTEM32>\cmd.exe' /c taskkill /f /im Cheat Engine.exe >nul 2>&1
'<SYSTEM32>\cmd.exe' /c taskkill /f /im Fiddler.exe >nul 2>&1
'<SYSTEM32>\cmd.exe' /C "color b && title Error && echo SSL connect error && timeout /t 5"
'<SYSTEM32>\timeout.exe' /t 5