Win32/Redcontrole [Threat Name]

Win32/Redcontrole.U [Threat Variant Name]

Category trojan
Size 652484 B
Detection created Sep 28, 2015
Detection database version 12322
Aliases Trojan:Win32/Dynamer!ac (Microsoft)
  Trojan.DownLoader16.48227 (Dr.Web)
Short description

The trojan serves as a backdoor. It can be controlled remotely.

Installation

When executed, the trojan creates the following files:

  • %temp%\nvsetting.exe (924160 B, Win32/Redcontrole.U)
  • %temp%\11029480_879523602118805_5731987883484353477_n.jpg (33470 B)

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "nvsetting.exe" = "%temp%\nvsetting.exe"

The following Registry entries are set, so that the trojan appears in Programs and Features as a legitimately installed Microsoft product (the key name is Russian for roughly "Picture Setup JPG"):

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Установка Рисунок JPG]
    • "DisplayName" = "Установка Рисунок JPG"
    • "DisplayVersion" = "JPG"
    • "VersionMajor" = 0
    • "VersionMinor" = 0
    • "Publisher" = "Microsoft"
    • "DisplayIcon" = "%programfiles%\Microsoft\Установка Рисунок\Uninstall.exe"
    • "UninstallString" = "%programfiles%\Microsoft\Установка Рисунок\Uninstall.exe"
    • "URLInfoAbout" = "http://www.microsoft.com/"
    • "HelpLink" = "mailto:support@microsoft.com"
    • "InstallLocation" = "%programfiles%\Microsoft\Установка Рисунок\"
    • "InstallSource" = "%malwarefolder%"
    • "InstallDate" = "%variable%"
    • "Language" = 1049
    • "EstimatedSize" = 935
    • "NoModify" = 1
    • "NoRepair" = 1

A string with variable content is used instead of %variable%. The Language value 1049 is the Windows locale identifier for Russian.
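The persistence and file artifacts listed above can be checked on a suspect host with the following PowerShell triage script. It is an added example, not part of the ESET description or of the sample itself; it assumes the paths and key names exactly as listed above, and as an explicitly labelled heuristic it also flags any Uninstall entry whose Publisher is the bare string "Microsoft" combined with a mailto help link. Run it in the context of the affected user (the Run entry lives in HKCU) and elevated for the HKLM checks.

```powershell
# Added triage script for the Win32/Redcontrole.U artifacts described above.
# Not part of the original description; the paths and key names below are taken
# from it, the "suspicious publisher" rule is a heuristic and may need tuning.

$findings = @()

# 1. Per-user Run key entry "nvsetting.exe" pointing into %temp%
$runKey   = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runValue = (Get-ItemProperty -Path $runKey -Name 'nvsetting.exe' -ErrorAction SilentlyContinue).'nvsetting.exe'
if ($runValue) {
    $findings += [pscustomobject]@{ Indicator = 'Run key'; Detail = "nvsetting.exe = $runValue" }
}

# 2. Fake uninstall entry. Checked under both the native and WOW6432Node roots.
$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)
foreach ($root in $uninstallRoots) {
    foreach ($sub in (Get-ChildItem -Path $root -ErrorAction SilentlyContinue)) {
        $p = Get-ItemProperty -Path $sub.PSPath
        if ($sub.PSChildName -eq 'Установка Рисунок JPG' -or $p.DisplayName -eq 'Установка Рисунок JPG') {
            $findings += [pscustomobject]@{ Indicator = 'Uninstall key'; Detail = $sub.PSPath }
        }
        elseif ($p.Publisher -eq 'Microsoft' -and $p.HelpLink -eq 'mailto:support@microsoft.com') {
            # Heuristic: Microsoft's own entries normally carry "Microsoft Corporation"
            # as Publisher; a bare "Microsoft" with a mailto HelpLink matches the sample.
            $findings += [pscustomobject]@{ Indicator = 'Suspicious publisher'; Detail = "$($p.DisplayName) -> $($p.UninstallString)" }
        }
    }
}

# 3. Dropped files in %temp% and the fake install location
$paths = @(
    (Join-Path $env:TEMP 'nvsetting.exe'),
    (Join-Path $env:TEMP '11029480_879523602118805_5731987883484353477_n.jpg'),
    (Join-Path $env:ProgramFiles 'Microsoft\Установка Рисунок\Uninstall.exe')
)
foreach ($path in $paths) {
    if (Test-Path -LiteralPath $path) {
        $item = Get-Item -LiteralPath $path
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $findings += [pscustomobject]@{ Indicator = 'File'; Detail = "$path ($($item.Length) B, SHA256 $hash)" }
    }
}

if ($findings.Count -eq 0) { 'No Win32/Redcontrole.U artifacts found.' }
else { $findings | Format-Table -AutoSize }
```

The file sizes reported by the script can be compared against the 924160 B and 33470 B figures given above; the description does not publish hashes, so the SHA256 values are collected for your own correlation rather than matched against a known-bad list.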

Information stealing

The trojan is able to log keystrokes.


The trojan attempts to send gathered information to a remote machine. The HTTP protocol is used.

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a list of (2) URLs. The TCP protocol is used in the communication.


It can execute the following operations:

  • simulate user's input (clicks, taps)
  • capture screenshots
  • capture webcam picture
  • turn the display off
  • block keyboard and mouse input
  • uninstall itself
  • download files from a remote computer and/or the Internet
  • run executable files
  • send requested files
  • send the list of disk devices and their type to a remote computer
  • send the list of files on a specific drive to a remote computer
  • set file attributes
  • create folders
  • delete folders
  • delete files

The trojan executes the following file (the JPEG image dropped during installation):

  • %temp%\11029480_879523602118805_5731987883484353477_n.jpg
