Win32/Spy.Buhtrap [Threat Name]

Win32/Spy.Buhtrap.L [Threat Variant Name]

Category: trojan
Size: 267224 B
Detection created: Dec 13, 2017
Detection database version: 16568
Aliases: TrojanProxy:Win32/Chrofprox (Microsoft), Trojan.Proxy2.434 (Dr.Web)
Short description

Win32/Spy.Buhtrap.L is a trojan that steals passwords and other sensitive information.

Installation

When executed, the trojan creates the following files:

  • %appdata%\Red Media Player\LICENSE (16198 B)
  • %appdata%\Red Media Player\bin\config.model.xml (4780 B)
  • %appdata%\Red Media Player\bin\contextMenu.xml (3459 B)
  • %appdata%\Red Media Player\bin\functionList.xml (12337 B)
  • %appdata%\Red Media Player\bin\isbzip.dll (32976 B)
  • %appdata%\Red Media Player\bin\isunzlib.dll (23248 B)
  • %appdata%\Red Media Player\bin\msvcr71.dll (142544 B, Win32/Spy.Buhtrap.L)
  • %appdata%\Red Media Player\bin\rmp.exe (12496 B, Win32/Spy.Buhtrap.L)
  • %appdata%\Red Media Player\bin\zlib.exe (85712 B, Win32/Spy.Buhtrap.L)
  • %appdata%\Red Media Player\change.log (450 B)
  • %appdata%\Red Media Player\localization\english.xml (54633 B)
  • %appdata%\Red Media Player\localization\russian.xml (9350 B)
  • %appdata%\Red Media Player\readme.txt (1449 B)
  • %appdata%\Microsoft\Windows\Start Menu\Red Media Player.lnk (1090 B)

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "Red Media Player" = "%appdata%\Red Media Player\bin\rmp.exe"

The trojan also creates the following file:

  • %appdata%\Microsoft\Windows\Start Menu\Programs\Startup\Red Media Player.lnk

The file is a shortcut to the following file:

  • %appdata%\Red Media Player\bin\rmp.exe

This way the trojan ensures that the file is executed on every system start.

Information stealing

Win32/Spy.Buhtrap.L is a trojan that steals passwords and other sensitive information.


The following information is collected:

  • operating system version
  • hardware information
  • list of running processes
  • data from the clipboard
  • logged keystrokes

The trojan gathers sensitive information from processes which contain any of the following strings in their path:

  • *\Skype.exe
  • *\WINWORD.EXE
  • *\1cv8.exe
  • *\1cv7s.exe
  • *\1cv7.exe
  • *\EXCEL.EXE
  • *\msimn.exe
  • *\thunderbird.exe
  • *\sbis.exe
  • *\OUTLOOK.EXE

The collected information is stored in the following files:

  • %appdata%\adobesystem.log
  • %appdata%\ntuser.dat
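
The persistence entries from the Installation section and the two output files listed above can be checked on a suspect host with the following PowerShell script. It is an added example, not ESET's code, and assumes the paths and the Run-key value name exactly as this entry lists them (file sizes are not compared, since they vary between samples).

```powershell
# Added host check for the Win32/Spy.Buhtrap.L artifacts described in this entry (not ESET's code).
# Assumes the paths and the Run-key value name exactly as listed; file sizes are not compared.
$appData = $env:APPDATA
$artifacts = @(
    (Join-Path $appData 'Red Media Player\bin\rmp.exe'),
    (Join-Path $appData 'Red Media Player\bin\msvcr71.dll'),
    (Join-Path $appData 'Red Media Player\bin\zlib.exe'),
    (Join-Path $appData 'Microsoft\Windows\Start Menu\Red Media Player.lnk'),
    (Join-Path $appData 'adobesystem.log'),
    # The legitimate NTUSER.DAT lives in %userprofile%, so a copy under %appdata% is suspicious by itself.
    (Join-Path $appData 'ntuser.dat')
)

$findings = @()

# Dropped files and the collected-data stores
foreach ($path in $artifacts) {
    if (Test-Path -LiteralPath $path) {
        $item = Get-Item -LiteralPath $path -Force
        $findings += [pscustomobject]@{ Type = 'File'; Location = $path; Detail = "$($item.Length) B" }
    }
}

# Run-key persistence: value "Red Media Player" under HKCU\...\Run pointing at rmp.exe
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runValue = Get-ItemProperty -Path $runKey -Name 'Red Media Player' -ErrorAction SilentlyContinue
if ($runValue) {
    $findings += [pscustomobject]@{ Type = 'RunKey'; Location = "$runKey\Red Media Player"; Detail = $runValue.'Red Media Player' }
}

# Startup-folder persistence: resolve the .lnk and confirm its target is rmp.exe
$lnk = Join-Path $appData 'Microsoft\Windows\Start Menu\Programs\Startup\Red Media Player.lnk'
if (Test-Path -LiteralPath $lnk) {
    $shell  = New-Object -ComObject WScript.Shell
    $target = $shell.CreateShortcut($lnk).TargetPath
    if ($target -like '*\Red Media Player\bin\rmp.exe') {
        $findings += [pscustomobject]@{ Type = 'StartupLnk'; Location = $lnk; Detail = $target }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Win32/Spy.Buhtrap.L artifacts from this entry were found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it in the context of the user whose profile is being examined, since %APPDATA% and HKCU resolve per user.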

Other information

The trojan contains a URL address. The trojan may attempt to download files from the Internet.

The file is stored in the following location:

  • %temp%\%variable%

A string with variable content is used instead of %variable%.

The file is then executed. The HTTP protocol is used in the communication.
