Win32/TrojanDownloader.Agent.DWX [Threat Name]

Win32/TrojanDownloader.Agent.DWX [Threat Variant Name]

Category trojan
Size 211968 B
Detection created Mar 14, 2018
Detection database version 17055
Aliases Trojan-Banker.Win32.Emotet.aiwv (Kaspersky), Trojan.DownLoader26.35485 (Dr.Web)
Short description

Win32/TrojanDownloader.Agent.DWX is a trojan which tries to download other malware from the Internet. The trojan can interfere with the operation of certain applications.

Installation

The trojan does not create any copies of itself.


The trojan creates the following file:

  • %malwarefolder%\%malwarefilename%.inf

The file contains the path to the malware executable.


The trojan may set the following Registry entries:

  • [HKEY_CURRENT_USER\Software\Microsoft\IEAK\GroupPolicy\PendingGPOs]
    • "Count" = 1
    • "Path1" = "%malwarefolder%\%malwarefilename%.inf"
    • "Section1" = "DefaultInstall"

Pending IEAK group-policy entries under this key are processed when the user logs on: the INF file named by "Path1" is read and the section named by "Section1" ([DefaultInstall]) is run. Because the key lives under HKEY_CURRENT_USER, this causes the trojan to be executed at every logon of the affected user account.

Other information

The trojan tries to download other malware from the Internet.


The trojan contains a list of (6) URLs. The HTTP protocol is used in the communication.


The trojan may create the following files in the %malwarefolder% folder:

  • %randomnumber%.bat
  • gootkit.exe.update

The trojan may delete the following files:

  • %profiles%\%existingfolder%\AppData\Local\Temp\uqjckeguhl.tmp
  • %profiles%\%existingfolder%\Local Settings\Temp\uqjckeguhl.tmp
  • %profiles%\%existingfolder%\Local Settings\Temp\*.*
  • %profiles%\%existingfolder%\AppData\Local\Temp\*.*

The trojan monitors network traffic on the following ports:

  • 80
  • 443

The trojan can modify network traffic.


The trojan affects the behavior of the following applications:

  • Mozilla Firefox

The trojan terminates its execution if it detects that it's running in a specific virtual environment.


The trojan quits immediately if the user name is one of the following:

  • Sandbox
  • CurrentUser

The trojan quits immediately if the computer name is one of the following:

  • 7SILVIA
  • SANDBOX

The trojan may set the following Registry entries:

  • [HKEY_CURRENT_USER\Software\AppDataLow]
    • "BinaryImage32_%number%" = %hexvalue%
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion]
    • "RegId" = %randomnumber%
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
    • "2500" = 3
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
    • "2500" = 3
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
    • "2500" = 3
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
    • "2500" = 3
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
    • "2500" = 3
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\5]
    • "2500" = 3

The value "2500" in each Internet Settings zone controls Internet Explorer Protected Mode; setting it to 3 disables Protected Mode for that zone.

The variable %number% represents a number in the range 0 - 49.


The %randomnumber% represents a random number.
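The following hunt script checks a live host for the registry and file artifacts described in the Installation section (the IEAK PendingGPOs persistence and its INF file) and in the registry list above (AppDataLow binary images, the RegId marker and the Protected Mode zone values). It is an added example and is not part of this ESET entry. It assumes Windows PowerShell 5.x or later run in an elevated session (so HKLM and every loaded user hive under HKEY_USERS can be read), and it assumes that the INF's "Section1" section launches the executable through a further section reference (RunPreSetupCommands-style), so it reports every INF line reachable from that section rather than one fixed key. The finding names and the Get-RegValue / Get-InfSectionCommands helpers are this example's own.

```powershell
# Added hunt for Win32/TrojanDownloader.Agent.DWX artifacts (example, not ESET code).
# Assumes PowerShell 5+ run elevated; INF section-following logic is an assumption.

$Findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Indicator, [string]$Where, [string]$Detail) {
    $script:Findings.Add([pscustomobject]@{ Indicator = $Indicator; Where = $Where; Detail = $Detail })
}

function Get-RegValue {
    # Read one registry value; $null if the key or value is absent.
    # (Get-ItemPropertyValue avoids the clash between a value named "Count"
    #  and the intrinsic .Count property of Get-ItemProperty's result.)
    param([string]$Key, [string]$Name)
    try { Get-ItemPropertyValue -Path $Key -Name $Name -ErrorAction Stop } catch { $null }
}

function Get-InfSectionCommands {
    # Parse an INF into section -> lines, then return every line reachable from
    # $Section, following "Key=OtherSection" references (assumed layout).
    param([string]$Path, [string]$Section)
    $sections = @{}; $current = $null
    foreach ($line in Get-Content -LiteralPath $Path -ErrorAction Stop) {
        $t = $line.Trim()
        if (-not $t -or $t.StartsWith(';')) { continue }
        if ($t -match '^\[(.+)\]$') { $current = $Matches[1]; $sections[$current] = @(); continue }
        if ($current) { $sections[$current] += $t }
    }
    $out = @(); $seen = @{}
    $queue = [System.Collections.Generic.Queue[string]]::new(); $queue.Enqueue($Section)
    while ($queue.Count -gt 0) {
        $name = $queue.Dequeue()
        if ($seen.ContainsKey($name) -or -not $sections.ContainsKey($name)) { continue }
        $seen[$name] = $true
        foreach ($entry in $sections[$name]) {
            $out += "[$name] $entry"
            if ($entry -match '^[^=]+=\s*(\S+)\s*$' -and $sections.ContainsKey($Matches[1])) {
                $queue.Enqueue($Matches[1])
            }
        }
    }
    return $out
}

# Expose HKEY_USERS as a drive so every loaded user hive is covered, not just HKCU.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

foreach ($hive in Get-ChildItem -Path HKU:\ -ErrorAction SilentlyContinue) {
    $user = $hive.PSChildName                       # SID of the user hive
    $base = "Registry::$($hive.Name)"

    # (1) Persistence: Count / PathN / SectionN under IEAK\GroupPolicy\PendingGPOs
    $gpo = "$base\Software\Microsoft\IEAK\GroupPolicy\PendingGPOs"
    if (Test-Path -Path $gpo) {
        $count = [int](Get-RegValue $gpo 'Count')
        for ($i = 1; $i -le $count; $i++) {
            $inf = Get-RegValue $gpo "Path$i"
            $sec = Get-RegValue $gpo "Section$i"
            $cmds = if ($inf -and (Test-Path -LiteralPath $inf)) {
                Get-InfSectionCommands -Path $inf -Section $sec
            } else { @('(INF file missing)') }
            Add-Finding 'IEAK PendingGPOs persistence' $user "Path$i=$inf Section$i=$sec :: $($cmds -join ' | ')"
            # (2) The dropped update file sits in the same folder as the INF (%malwarefolder%)
            if ($inf) {
                $upd = Join-Path (Split-Path -Path $inf -Parent) 'gootkit.exe.update'
                if (Test-Path -LiteralPath $upd) { Add-Finding 'gootkit.exe.update present' $user $upd }
            }
        }
    }

    # (3) Binary images stored in the registry: AppDataLow\BinaryImage32_<0-49>
    $adl = "$base\Software\AppDataLow"
    if (Test-Path -Path $adl) {
        $imgs = @((Get-Item -Path $adl).GetValueNames() | Where-Object { $_ -like 'BinaryImage32_*' })
        if ($imgs.Count -gt 0) { Add-Finding 'BinaryImage32_* values' $user "$($imgs.Count) value(s): $($imgs -join ', ')" }
    }
}

# (4) Internet Explorer Protected Mode disabled per zone (value 2500 = 3)
foreach ($zone in 0..5) {
    $zk = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$zone"
    if ((Get-RegValue $zk '2500') -eq 3) { Add-Finding 'IE Protected Mode disabled (2500=3)' 'HKLM' "Zone $zone" }
}

# (5) RegId marker under Windows NT\CurrentVersion
$regId = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' 'RegId'
if ($null -ne $regId) { Add-Finding 'RegId marker present' 'HKLM' "RegId=$regId" }

if ($Findings.Count -eq 0) { 'No Agent.DWX artifacts found.' } else { $Findings | Format-Table -AutoSize -Wrap }
```

The PendingGPOs finding is the strongest single indicator: the key is rarely populated on a normal workstation, and the INF lines it reports give the path of the executable to collect. Treat the RegId and Protected Mode findings as supporting evidence only, since an administrator can set the zone values legitimately.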


The trojan hooks the following Windows APIs:

  • CertGetCertificateChain (crypt32.dll)
  • CertVerifyCertificateChainPolicy (crypt32.dll)

Both functions are used to build and validate a server's certificate chain; hooking them lets the trojan suppress certificate errors when it intercepts and modifies HTTPS traffic on port 443.
