Win32/TrojanDownloader.Blackmoon [Threat Name]

Win32/TrojanDownloader.Blackmoon.C [Threat Variant Name]

Category: trojan
Size: 100352 B
Detection created: Mar 17, 2016
Detection database version: 13194
Aliases: Trojan.Win32.Reconyc.ewwd (Kaspersky)
Short description

Win32/TrojanDownloader.Blackmoon.C is a trojan which tries to download other malware from the Internet. The file is run-time compressed using ASPack.

Installation

The trojan does not create any copies of itself.


The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kmixer\Enum]
    • "Count" = 1
    • "NextInstance" = 1
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\kmixer\Enum]
    • "Count" = 1
    • "NextInstance" = 1
  • [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
    • "Check_Associations" = "no"

The trojan can modify the following file:

  • C:\windows\system32\drivers\etc\hosts

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a list of (7) URLs. The HTTP protocol is used in the communication.


Win32/TrojanDownloader.Blackmoon.C can open pages in web browser.


The trojan may attempt to download files from the Internet.


The files are stored in the following locations:

  • C:\Windows\Temp\svch%variable%.exe

The files are then executed.


A string with variable content is used instead of %variable%.


Then the trojan deletes these files.


The trojan executes the following files:

  • iexplore.exe

The trojan can terminate the following processes:

  • iexplore.exe

The trojan then removes itself from the computer.
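The artifacts listed above (the kmixer\Enum and Check_Associations registry values, the hosts file modification, the svch%variable%.exe dropper in C:\Windows\Temp, and the iexplore.exe start/terminate behaviour) can be turned into a simple host-based indicator matcher. The following Python is an added example and not part of the ESET description; it assumes a normalized event stream (the `Event` record and its `kind` names are hypothetical, e.g. as produced from Sysmon or EDR telemetry) and the sample events at the bottom are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Registry indicators from the description, normalized to lower case so that
# comparison is case-insensitive (Windows registry names are case-insensitive).
REGISTRY_INDICATORS = {
    (r"hkey_local_machine\system\currentcontrolset\services\kmixer\enum", "count", "1"),
    (r"hkey_local_machine\system\currentcontrolset\services\kmixer\enum", "nextinstance", "1"),
    (r"hkey_local_machine\system\controlset001\services\kmixer\enum", "count", "1"),
    (r"hkey_local_machine\system\controlset001\services\kmixer\enum", "nextinstance", "1"),
    (r"hkey_current_user\software\microsoft\internet explorer\main", "check_associations", "no"),
}

HOSTS_PATH = r"c:\windows\system32\drivers\etc\hosts"

# C:\Windows\Temp\svch%variable%.exe: the variable part is arbitrary, so anything
# starting with "svch" and ending in ".exe" in that directory is treated as a hit.
DROPPER_RE = re.compile(r"^c:\\windows\\temp\\svch.*\.exe$")


@dataclass
class Event:
    """Hypothetical normalized telemetry record (constructed for this example)."""
    kind: str            # "reg_set", "file_write", "process_start", "process_kill"
    target: str          # registry key, file path or process image path
    value_name: str = ""  # registry value name (reg_set only)
    data: str = ""        # registry value data as a string (reg_set only)


def match_indicators(events):
    """Return the set of indicator labels that the event stream matches."""
    hits = set()
    for ev in events:
        target = ev.target.lower()
        if ev.kind == "reg_set":
            probe = (target, ev.value_name.lower(), ev.data.lower())
            if probe in REGISTRY_INDICATORS:
                if "internet explorer" in target:
                    hits.add("registry:ie-check-associations")
                else:
                    hits.add("registry:kmixer-enum")
        elif ev.kind == "file_write":
            if target == HOSTS_PATH:
                hits.add("file:hosts-modified")
            elif DROPPER_RE.match(target):
                hits.add("file:temp-dropper")
        elif ev.kind == "process_start" and target.endswith("iexplore.exe"):
            hits.add("process:iexplore-started")
        elif ev.kind == "process_kill" and target.endswith("iexplore.exe"):
            hits.add("process:iexplore-terminated")
    return hits


def is_suspicious(hits):
    """Flag when at least two distinct indicator families are present, so a lone
    iexplore.exe start or a single registry write does not raise an alert."""
    families = {label.split(":")[0] for label in hits}
    return len(families) >= 2


# Constructed sample telemetry resembling the behaviour described above.
SAMPLE_EVENTS = [
    Event("reg_set", r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kmixer\Enum", "Count", "1"),
    Event("reg_set", r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main", "Check_Associations", "no"),
    Event("file_write", r"C:\Windows\Temp\svch9f3a.exe"),
    Event("file_write", r"C:\Windows\System32\drivers\etc\hosts"),
    Event("process_start", r"C:\Program Files\Internet Explorer\iexplore.exe"),
    Event("file_write", r"C:\Windows\Temp\setup.exe"),  # benign write, must not match
]

if __name__ == "__main__":
    found = match_indicators(SAMPLE_EVENTS)
    print(sorted(found), "suspicious" if is_suspicious(found) else "clean")
```

The dropper pattern deliberately matches any `svch*.exe` written under C:\Windows\Temp, which also covers a file named like the legitimate svchost.exe placed in that directory; a genuine service host is never written there, so the broader match is acceptable for triage. The hosts file check only records that the file was written, since the description does not state what is added to it; a follow-up step would diff the file against a known-good copy.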
