Win32/TrojanDownloader.Tracur [Threat Name]
Win32/TrojanDownloader.Tracur.AM [Threat Variant Name]
Category | trojan
Size | 268800 B
Aliases | Trojan:Win32/Chroject.D!dll (Microsoft), TR/Tracur.A.6311 (Avira)
Short description
Win32/TrojanDownloader.Tracur.AM is a trojan which tries to download other malware from the Internet. The trojan is usually a part of other malware.
Installation
When executed, the trojan copies itself into the following location:
- %localappdata%\%existingfolder%\%variable2%\Application Data\%variable1%.dll
A string with variable content is used in place of %variable1% to %variable5%.
In order to be executed on every system start, the trojan sets the following Registry entries:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- "%variable1%" = "%system%\regsvr32.exe /s "%localappdata%\%existingfolder%\%variable2%\Application Data\%variable1%.dll""
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
- "%variable1%" = "%system%\regsvr32.exe /s "%localappdata%\%existingfolder%\%variable2%\Application Data\%variable1%.dll""
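The two Run values above are the persistence footprint a defender can hunt for: a silent regsvr32 registration (/s) of a DLL that lives under the user-writable %localappdata% tree, nested inside an extra "Application Data" folder. The following is an added detection example, not code from the original entry or from ESET; it scans constructed Run-key values (not taken from a real host) and grades each one. The sample values, the helper names and the two-tier grading are assumptions made for the example.

```python
import re

# Constructed sample Run-key entries: (key, value name, command line).
# Only the first mimics the path shape described in the threat entry.
SAMPLE_RUN_VALUES = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "abcd",
     r'C:\Windows\system32\regsvr32.exe /s "C:\Users\u\AppData\Local\Adobe\qwer\Application Data\abcd.dll"'),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r'"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "Vendor",
     r'C:\Windows\system32\regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"'),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "tool",
     r'regsvr32.exe /s "C:\Users\u\AppData\Local\Temp\tool.dll"'),
]

# regsvr32 binary name, preceded by start of string, a path separator, whitespace or a quote
REGSVR32_RE = re.compile(r'(?:^|[\\\s"])regsvr32(?:\.exe)?\b', re.IGNORECASE)
# the silent flag, which suppresses the DllRegisterServer result dialog
SILENT_FLAG_RE = re.compile(r'(?:^|\s)/s\b', re.IGNORECASE)
# the DLL argument, quoted (may contain spaces) or unquoted
DLL_ARG_RE = re.compile(r'"([^"]+\.dll)"|(\S+\.dll)\b', re.IGNORECASE)


def extract_dll_path(command):
    """Return the .dll path passed on the command line, or None."""
    m = DLL_ARG_RE.search(command)
    if not m:
        return None
    return m.group(1) or m.group(2)


def classify_run_value(command):
    """Grade a Run-key command line.

    Returns None (not a regsvr32 /s DLL load), "medium" (silent regsvr32 load
    of a DLL from the user-writable %localappdata% tree) or "high" (the same,
    with the DLL additionally nested inside an "Application Data" folder, the
    layout described for this trojan).
    """
    if not REGSVR32_RE.search(command) or not SILENT_FLAG_RE.search(command):
        return None
    dll = extract_dll_path(command)
    if dll is None:
        return None
    low = dll.lower()
    if "\\appdata\\local\\" not in low:
        return None
    if "\\application data\\" in low:
        return "high"
    return "medium"


def scan_run_values(entries):
    """Return (key, value name, dll path, grade) for every flagged entry."""
    hits = []
    for key, name, cmd in entries:
        grade = classify_run_value(cmd)
        if grade is not None:
            hits.append((key, name, extract_dll_path(cmd), grade))
    return hits


if __name__ == "__main__":
    for hit in scan_run_values(SAMPLE_RUN_VALUES):
        print(hit)
```

On a live host the same classifier can be fed from the two Run keys named above (for example via winreg in Python, or a registry export), and the "medium" tier exists because the extra "Application Data" nesting is specific to this variant while a silent regsvr32 load of any DLL from AppData\Local is worth a look regardless of the exact path.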
The trojan quits immediately if it detects a running process containing one of the following strings in its name:
- autoruns
- filemon
- joeboxcontrol
- joeboxserver
- procexp
- procmon
- regmon
- sniff_hit
- sysAnalyzer
- VBoxService
- vboxtray
- vmount2
- vmsrvc
- vmusrvc
- vmware
- wireshark
- xenservice
The trojan creates the following files:
- %localappdata%\%existingfolder%\%variable3%\%variable4%\%variable5%.js (5680 B)
- %localappdata%\%existingfolder%\%variable3%\%variable4%\manifest.json (199 B)
The trojan installs browser extensions for the following browsers:
- Google Chrome
The trojan creates and runs a new thread with its own program code within the following processes:
- chrome.exe
The trojan terminates its execution if it detects that it is running in a specific virtual environment.
The trojan launches the following processes:
- %system%\regsvr32.exe /s "%malwarefilepath%"
The trojan may execute the following commands:
- %system%\regsvr32.exe /s /u "%malwarefilepath%"
- cmd.exe /c start regsvr32.exe "%malwarefilepath%"
Other information
The trojan acquires data and commands from a remote computer or the Internet.
The trojan contains a list of (7) URLs. The trojan generates various URL addresses. The HTTP protocol is used.
The trojan checks for Internet connectivity by trying to connect to the following servers:
- http://www.update.microsoft.com/
It can execute the following operations:
- download files from a remote computer and/or the Internet
- run executable files
- modify the content of websites
The trojan hooks the following Windows APIs:
- CreateWindowExW (user32.dll)
- GetAddrInfoW (ws2_32.dll)
- GetCursorPos (user32.dll)
- GetMessagePos (user32.dll)
- GetMessageW (user32.dll)
- GetSaveFileNameW (comdlg32.dll)
- GetTempPathW (kernel32.dll)
- GetWindowPlacement (user32.dll)
- GetWindowRect (user32.dll)
- MessageBoxExW (user32.dll)
- MoveWindow (user32.dll)
- PeekMessageW (user32.dll)
- SetCursor (user32.dll)
- SetFocus (user32.dll)
- SetForegroundWindow (user32.dll)
- SetWindowPlacement (user32.dll)
- SetWindowPos (user32.dll)
- SetWindowTextW (user32.dll)
- ShellExecuteExW (shell32.dll)
- SHGetFolderPathW (shell32.dll)
- waveOutWrite (winmm.dll)
The trojan may display the following messages: