Win32/Delf.TUA [Threat Name]

Win32/Delf.TUA [Threat Variant Name]

Category: trojan
Size: 178688 B
Detection created: Oct 23, 2017
Detection database version: 16290
Aliases:
  • Trojan.Win32.Agentb.isrj (Kaspersky)
  • Trojan.DownLoader25.48494 (Dr.Web)
  • TR/Delf.Agent.wbnek (Avira)

Short description

Win32/Delf.TUA is a trojan which tries to download other malware from the Internet.

Installation

The trojan does not create any copies of itself.

Other information

The trojan contains a URL address. It tries to download a file from the address, and the file is then executed. The HTTPS protocol is used in the communication.


The trojan creates the following file:

  • %localappdata%\%computername%.dat

The trojan attempts to delete the following files:

  • %localappdata%\*.av
  • %appdata%\*.loc

The trojan may delete the following folders:

  • %appdata%\SysInit
  • %appdata%\SysRun

The trojan executes the following commands:

  • schtasks.exe /delete /tn * /f
  • powershell.exe -NoProfile -windowstyle hidden -en "%base64payload%"
  • cmd.exe /c for /l %x in (0; 1; 50) do IF EXIST "%malwarefilepath%" (timeout 1 && del /f /q "%malwarefilepath%") else (exit)
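
The three command lines above can be matched in process-creation logs. The following is an added example, not code from the original page or from the vendor: the rule names and the function classify with its helpers are assumptions made for illustration. It also decodes the -en (EncodedCommand) argument, which is base64 of UTF-16LE text, so an analyst can read the payload.

```python
import base64
import re

# Same path tested with IF EXIST and then deleted inside a FOR /L retry loop.
SELF_DELETE = re.compile(
    r'for\s+/l\s+%{1,2}\w\s+in\s*\([^)]*\)\s*do\s+if\s+exist\s+("[^"]+"|\S+)'
    r'.*?\bdel\b[^&|)]*?\1', re.I)

def _is_flag(token, full_name):
    """True if token is '-' plus a prefix of full_name (powershell.exe accepts
    abbreviated parameter names, e.g. -en for -EncodedCommand)."""
    name = token[1:].lower()
    return token.startswith("-") and bool(name) and full_name.startswith(name)

def _image(tokens):
    """Executable name without directory or .exe suffix."""
    name = tokens[0].strip('"').replace("\\", "/").rsplit("/", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name

def classify(cmdline):
    """Return (rule_name, detail) for a process command line, or None."""
    tokens = cmdline.split()
    if not tokens:
        return None
    low = [t.lower() for t in tokens]
    image = _image(tokens)
    if image == "schtasks" and "/delete" in low and "/f" in low and "/tn" in low:
        i = low.index("/tn")
        if i + 1 < len(low) and low[i + 1].strip('"') == "*":  # every task
            return ("schtasks_delete_all", None)
    if image == "powershell":
        pairs = list(zip(tokens, tokens[1:]))
        hidden = any(_is_flag(t, "windowstyle") and v.strip('"').lower() == "hidden"
                     for t, v in pairs)
        for t, v in pairs:
            if hidden and (_is_flag(t, "encodedcommand") or t.lower() == "-ec"):
                try:  # detail is the decoded script, or None if not valid base64
                    raw = base64.b64decode(v.strip('"'), validate=True)
                    return ("powershell_hidden_encoded", raw.decode("utf-16-le"))
                except ValueError:
                    return ("powershell_hidden_encoded", None)
    m = SELF_DELETE.search(cmdline)
    if image == "cmd" and m:
        return ("cmd_self_delete_loop", m.group(1).strip('"'))
    return None

if __name__ == "__main__":
    # Command line as listed on the page (placeholders left unexpanded).
    print(classify("schtasks.exe /delete /tn * /f"))
```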
