Win32/BrutPOS [Threat Name]

Win32/BrutPOS.A [Threat Variant Name]

Category: trojan
Size: 13824 B
Aliases: Trojan.Win32.Swisyn.dfoh (Kaspersky)
         Trojan:Win32/Tibrun.A (Microsoft)
Short description

The trojan serves as a backdoor. It can be controlled remotely.

When executed, the trojan copies itself into the following location:

  • %appdata%\winlogon.exe

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "Run" = "%appdata%\winlogon.exe"

After the installation is complete, the trojan deletes the original executable file.

Information stealing

The trojan gathers information related to the following services:

  • RDP (Remote Desktop Protocol)

The trojan contains a list of passwords that are tried when accessing remote machines.

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a URL address. The HTTP protocol is used in the communication.

It can execute the following operations:

  • update itself to a newer version
  • uninstall itself
  • send gathered information

The trojan may create the following files:

  • %appdata%\ip.sys
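The persistence entry and dropped files listed above can be checked for on a host with the following PowerShell script. It is an added example, not ESET's code; it assumes it is run inside the user profile being examined, and the regex matching on the Run value data is a heuristic chosen here, not something the entry specifies.

```powershell
# Check for Win32/BrutPOS.A artifacts: the HKCU Run value pointing at %appdata%\winlogon.exe
# and the files the trojan drops under %appdata%. Assumes the current user's profile is
# the one under investigation.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$suspectFiles = @(
    (Join-Path $env:APPDATA 'winlogon.exe'),
    (Join-Path $env:APPDATA 'ip.sys')
)
$findings = @()

# 1. Any Run value whose data points at a winlogon.exe under AppData is suspicious:
#    the legitimate winlogon.exe lives in %SystemRoot%\System32, never in a user profile.
#    Matching on 'appdata' covers both the literal %appdata% string and an expanded path.
if (Test-Path $runKey) {
    $props = Get-ItemProperty -Path $runKey
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip the registry provider's metadata fields
        $data = [string]$p.Value
        if ($data -match '(?i)winlogon\.exe' -and $data -match '(?i)appdata') {
            $findings += "Run value '$($p.Name)' = '$data'"
        }
    }
}

# 2. Check whether the dropped files exist and record size and hash for the IR ticket.
foreach ($f in $suspectFiles) {
    if (Test-Path -LiteralPath $f) {
        $item = Get-Item -LiteralPath $f
        $hash = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
        $findings += "File present: $f ($($item.Length) bytes, SHA256 $hash)"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Win32/BrutPOS.A persistence or file artifacts found.'
} else {
    $findings | ForEach-Object { Write-Output "[!] $_" }
}
```

Run it as the affected user (or point $env:APPDATA at a mounted profile) and compare any reported winlogon.exe size against the 13824 B listed above before escalating.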