A downloader Trojan that infects devices running Microsoft Windows. The first layer of malware packing decodes the second layer and transfers control to it. The second layer decodes the Trojan in pre-allocated memory and transfers control to it.
The malicious program contains two URLs that are stored unencrypted. At the time of the research, when accessing these URLs, identical encrypted files were downloaded. Malware is also able to download unencrypted files.
Once launched, the Trojan checks for administrative privileges. If privileges are not granted, it launches itself using runas. The Trojan attempts to delete the source file either using MoveFileEx, or using a .bat file, then quits. If administrative privileges are granted, the Trojan performs a payload, attempts to delete the source file using MoveFileEx or a .bat file, then quits.
When accessing servers for downloading a payload, it uses the User-Agent, which contains information about the version of the operating system and its bit capacity. For example, for 64-bit Windows 10 operating system, the following User-Agent is used:
User-Agent: Mozilla / 5.0 (Windows NT 6.2; Win64)
The downloaded file is saved under a random name in the %TEMP% folder, loaded onto memory, the original file is then deleted, following that the memory contents are again saved as a file in the % TEMP% folder under a random name. This executable file is then loaded onto memory again, deleted from the disk and launched from memory. As a downloadable payload, a malicious file has been identified and added to the Dr. Web virus database was Trojan.LoadMoney.3558.