Win32/Redcontrole [Threat Name] go to Threat

Win32/Redcontrole.T [Threat Variant Name]

Category trojan
Size 3197952 B
Aliases Trojan.Win32.Pakes.apwg (Kaspersky)
  Trojan.PWS.Steam.6832 (Dr.Web)
  Infostealer.Limitail (Symantec)
  PWS:MSIL/Stimilini.M (Microsoft)
Short description

Win32/Redcontrole.T serves as a backdoor. It can be controlled remotely.


When executed, the trojan creates the following files:

  • %appdata%\­am.exe  (1052160 B, MSIL/Injector.MBZ)
  • %appdata%\­bldevic.exe (1333248 B, Win32/Redcontrole.T)

In order to be executed on every system start, the trojan sets the following Registry entries:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "bldevic.exe" = "%appdata%\­bldevic.exe"

The trojan may create the following files:

  • %appdata%\­wuacult.exe
  • %startup%\­Securit—É Updater.lnk

The trojan may create and run a new thread with its own program code within any running process.

Information stealing

The trojan collects the following information:

  • computer IP address
  • computer name
  • list of disk devices and their type
  • list of files/folders on a specific drive
  • list of running processes
  • webcam video/voice

The trojan is able to log keystrokes.

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of (2) URL addresses. The HTTP, UDP protocol is used in the communication.

It may perform the following actions:

  • block keyboard and mouse input
  • simulate mouse activity
  • simulate user's input (clicks, taps)
  • capture screenshots
  • capture webcam picture
  • terminate running processes
  • run executable files
  • manipulate application windows
  • set file attributes
  • create folders
  • create files
  • delete files
  • rename files
  • download files from a remote computer and/or the Internet
  • send files to a remote computer
  • performing DDoS attacks
  • uninstall itself

Please enable Javascript to ensure correct displaying of this content and refresh this page.