Win32/RpcBrute [Threat Name]

Win32/RpcBrute.C [Threat Variant Name]

Category trojan
Short description

Win32/RpcBrute.C is a trojan that steals sensitive information.


When executed, the trojan copies itself into the following location:

  • %appdata%\Microsoft\Protect\conhost.exe

The file is then executed.

In order to be executed on every system start, the trojan sets the following Registry entries:

  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "Console Protect Service" = "%appdata%\Microsoft\Protect\conhost.exe"

After the installation is complete, the trojan deletes the original executable file.
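
A host check for the installation artifacts listed above, as an added example that is not part of the original description. It looks for the dropped file and the Run value by name, and goes one step further by flagging any Run entry that starts a conhost.exe from outside System32; that System32 comparison is an assumption, not an indicator from this page.

```powershell
# Indicator values below are copied from the description above.
$RunKey    = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$ValueName = 'Console Protect Service'
$DropPath  = Join-Path $env:APPDATA 'Microsoft\Protect\conhost.exe'
# Assumption (not from the description): the genuine conhost.exe is in System32.
$SystemDir = Join-Path $env:SystemRoot 'System32'

$findings = @()

# 1. Copy dropped under the user's roaming profile.
if (Test-Path -LiteralPath $DropPath -PathType Leaf) {
    $sha = (Get-FileHash -LiteralPath $DropPath -Algorithm SHA256).Hash
    $findings += [pscustomobject]@{ Check = 'DroppedFile'; Name = $DropPath; Detail = "SHA256 $sha" }
}

# 2. Run values: the exact value name, or any conhost.exe started from outside System32.
$key = Get-Item -LiteralPath $RunKey -ErrorAction SilentlyContinue
if ($key) {
    foreach ($name in $key.GetValueNames()) {
        # GetValue expands REG_EXPAND_SZ; expand again in case the value is plain REG_SZ.
        $cmd = [Environment]::ExpandEnvironmentVariables([string]$key.GetValue($name)).Trim()
        # Pull the image path out of the command line (optionally quoted).
        $image = if ($cmd -match '^"?([^"]*\\conhost\.exe)') { $Matches[1] } else { $null }
        $outsideSystem = $image -and ((Split-Path -Parent $image) -ne $SystemDir)
        if (($name -eq $ValueName) -or $outsideSystem) {
            $findings += [pscustomobject]@{ Check = 'RunValue'; Name = $name; Detail = $cmd }
        }
    }
}

if ($findings) {
    $findings | Format-List
} else {
    'No Win32/RpcBrute.C persistence indicators found for this user.'
}
```

Both artifacts are per-user (HKCU and %appdata%), so the check has to run in the context of each account being examined.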

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a URL address. The HTTP protocol is used.

The trojan connects to remote machines in an attempt to exploit the WordPress XMLRPC vulnerability.

The trojan collects the following information:

  • login user names for certain applications/services
  • login passwords for certain applications/services

The trojan attempts to send gathered information to a remote machine.
