Win32/McRat [Threat Name]
Win32/McRat.A [Threat Variant Name]
Category | trojan
Size | 41984 B
Aliases | Trojan-Dropper.Win32.Agent.bkvs (Kaspersky); Trojan.Hydraq (Symantec); Backdoor:Win32/Mdmbot.D (Microsoft)
Short description
Win32/McRat.A is a trojan which tries to download other malware from the Internet.
Installation
When executed, the trojan creates the following files:
- %userprofile%\%service%.dll (31744 B)
A string with variable content is used instead of %service%.
The trojan registers itself as a system service using the following name:
- %variable%
A string with variable content is used instead of %variable%.
In order to be executed on every system start, the trojan sets the following Registry entries:
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%service%\Parameters]
- "StubPath" = "%filepath%"
- "ServiceDll" = "%userprofile%\%service%.dll"
The trojan creates and runs a new thread with its own program code within the following processes:
- McpRoXy.exe
Information stealing
The trojan collects the following information:
- operating system version
- CPU information
- computer name
- user name
- passwords
The trojan can send the information to a remote machine.
The trojan contains a list of 1 URL. The HTTP protocol is used.
Other information
The trojan acquires data and commands from a remote computer or the Internet. The HTTP protocol is used.
It can execute the following operations:
- download files from a remote computer and/or the Internet
- run executable files
The trojan may create the following files:
- %temp%\%number%.bak
- %temp%\%computername%.ax
- %temp%\%computername%_p.ax
- %temp%\uid.ax
A string with variable content is used instead of %number% and %computername%.
The trojan may set the following Registry entries:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
- "%service%" = "%service%"
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- "%service%" = "rundll32.exe "%profile%\%service%.dll", Launch"