W32/RemLoad.A!tr
Analysis
W32/RemLoad.A!tr - 06-08-02
General Info:
This threat is a "PE" executable file
Network/Internet:
- Other Payloads: Listen on incoming ports
Files:
- Drop files: ".exe" + ".dll" + data
Installation to System:
- When run, it copies itself to:
Upon execution, the trojan performs the following actions:
- it drops several files in the %System% folder, including dll, exe and text files;
- it deletes the original file.
More Info:
This trojan first drops several files in the directory:
- 'checkreg.exe';
- 'iisload.dll';
- 'wsl11328.dll';
- 's32l.txt';
- 'ws386l.ini'.
It then runs 'checkreg.exe'. The dll files are injected into the Explorer process to open a backdoor and connect to servers from a list of hardcoded IP addresses. Both text files, 's32l.txt' and 'ws386l.ini', contain obfuscated data used by 'checkreg.exe'. The dropper also creates a run entry in the registry so that 'checkreg.exe' is launched at each boot.
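As an added triage illustration (not code from this page or from Fortinet): a small Python helper that parses constructed `reg query`-style output for a Run key and a constructed %System% directory listing, then reports which of the dropper artifacts named above are present. The Run key path and the value name `checkreg` are assumptions; the page only states that a run entry for 'checkreg.exe' is created.

```python
import ntpath
import re

# Artifacts named in the description: files written to %System% by the dropper.
DROPPED_FILES = {"checkreg.exe", "iisload.dll", "wsl11328.dll", "s32l.txt", "ws386l.ini"}
# Strongest combination: the launcher plus both injected DLLs.
CORE_FILES = {"checkreg.exe", "iisload.dll", "wsl11328.dll"}

# Constructed sample output in the shape of `reg query <Run key>`; the value
# name "checkreg" and the hive are assumptions, not taken from the page.
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    checkreg    REG_SZ    C:\WINDOWS\system32\checkreg.exe
"""
# Constructed %System% listing containing the dropped set next to a benign file.
SAMPLE_SYSTEM32 = ["kernel32.dll", "checkreg.exe", "iisload.dll",
                   "wsl11328.dll", "s32l.txt", "ws386l.ini"]

def parse_reg_query(output):
    """Turn 'name    REG_SZ    data' lines into {name: data}; header lines are skipped."""
    entries = {}
    for line in output.splitlines():
        m = re.match(r"\s*(\S.*?)\s{2,}REG_(?:EXPAND_)?SZ\s+(.*\S)", line)
        if m:
            entries[m.group(1)] = m.group(2)
    return entries

def assess(run_entries, system_listing):
    """Combine Run-key and file evidence into a verdict: match / suspicious / clean."""
    present = {name.lower() for name in system_listing} & DROPPED_FILES
    # A Run value whose target file name is checkreg.exe (quotes/paths tolerated).
    run_hits = {name: data for name, data in run_entries.items()
                if ntpath.basename(data.strip('"')).lower() == "checkreg.exe"}
    if run_hits and CORE_FILES <= present:
        verdict = "match"
    elif run_hits or present:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "run_entries": run_hits, "files": sorted(present)}

if __name__ == "__main__":
    print(assess(parse_reg_query(SAMPLE_REG), SAMPLE_SYSTEM32))
```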