Threat behavior
TrojanDownloader:Win32/Dabvegi.A is a detection for a trojan that downloads and executes arbitrary files.
Infection
When executed, the malware creates the following folder (the path also appears in the netsh command below):
%temp%\mkii
It then drops and executes a copy of itself as "<malware name>.exe" in this folder.
The malware also adds itself to the Windows Firewall authorized-applications list (the list of programs allowed to receive unsolicited inbound connections). To do this it drops a randomly named batch file, for example "vdxxonfbk.bat", in the same folder and runs it. The batch file executes the following command:
netsh.exe firewall add allowedprogram PROGRAM="%temp%\mkii\<malware name>.exe" NAME="lvideo" MODE=ENABLE PROFILE=ALL
The "netsh firewall" context is the legacy Windows XP/Server 2003 firewall syntax; Windows Vista and later mark it deprecated in favor of "netsh advfirewall firewall". Either way, the entry is an inbound firewall exception for an executable living in a temporary folder, which is rarely legitimate.
Note: After downloading its payload, the malware may remove itself from the firewall-authorized applications list, so the absence of such an entry does not rule out an infection.
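The firewall-exception step above leaves a clear footprint in process-creation telemetry: netsh.exe launched from a batch file in a temporary folder, with PROGRAM pointing back into that folder. The following detection logic is an added example written for this page, not code from the original analysis. It parses the legacy "netsh firewall add allowedprogram" command line (the KEY=value form shown above, including quoted values with spaces) and flags exceptions whose program, or whose launching batch file, sits in a user-writable directory. The record fields (pid, cmdline, parent_cmdline), the three sample events and the list of user-writable path markers are all constructed assumptions; the first event carries the exact command line documented above.

```python
import re
from typing import Optional

# Constructed sample process-creation records (not real telemetry). The first
# record carries the netsh command line documented for this trojan; its parent
# is the dropped batch file, shown with the expanded %temp% path the way an
# EDR would record it. The other two are benign look-alikes.
SAMPLE_EVENTS = [
    {
        "pid": 4120,
        "cmdline": r'netsh.exe firewall add allowedprogram PROGRAM="%temp%\mkii\<malware name>.exe" NAME="lvideo" MODE=ENABLE PROFILE=ALL',
        "parent_cmdline": r'cmd.exe /c "C:\Users\bob\AppData\Local\Temp\mkii\vdxxonfbk.bat"',
    },
    {
        "pid": 5200,
        "cmdline": r'netsh.exe firewall add allowedprogram PROGRAM="C:\Program Files\Vendor\agent.exe" NAME="Vendor Agent" MODE=ENABLE',
        "parent_cmdline": r'"C:\Program Files\Vendor\setup.exe" /quiet',
    },
    {
        "pid": 6010,
        "cmdline": r"netsh.exe interface ip show config",
        "parent_cmdline": r"cmd.exe",
    },
]

# Legacy (XP-era) netsh syntax, exactly as the malware uses it.
ALLOWEDPROGRAM_RE = re.compile(r"(?i)\bfirewall\s+add\s+allowedprogram\b")
# KEY=value or KEY="value with spaces"
ARG_RE = re.compile(r'(?i)\b(PROGRAM|NAME|MODE|PROFILE)=(?:"([^"]*)"|(\S+))')

# Assumed markers for user-writable locations. Both the unexpanded variable
# form (as typed in the batch file) and the expanded form (as telemetry
# usually records it) are covered.
USER_WRITABLE_MARKERS = (
    "%temp%", "%tmp%", "%appdata%", "%localappdata%",
    "\\appdata\\", "\\users\\public\\", "\\programdata\\",
)


def parse_allowedprogram(cmdline: str) -> Optional[dict]:
    """Return the PROGRAM/NAME/MODE/PROFILE arguments of a
    'netsh firewall add allowedprogram' command line, or None for any
    other command line."""
    if not ALLOWEDPROGRAM_RE.search(cmdline):
        return None
    args = {}
    for m in ARG_RE.finditer(cmdline):
        key = m.group(1).upper()
        args[key] = m.group(2) if m.group(2) is not None else m.group(3)
    return args


def in_user_writable_dir(path: str) -> bool:
    """True if the path (expanded or not) points into a user-writable folder."""
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE_MARKERS)


def scan(events) -> list:
    """Flag firewall exceptions added for programs in user-writable folders,
    and note when the command was launched from a batch file in such a
    folder (the chain this trojan uses)."""
    findings = []
    for ev in events:
        args = parse_allowedprogram(ev["cmdline"])
        if args is None:
            continue
        program = args.get("PROGRAM", "")
        reasons = []
        if in_user_writable_dir(program):
            reasons.append("program_in_user_writable_dir")
        parent = ev.get("parent_cmdline", "").lower()
        if ".bat" in parent and in_user_writable_dir(parent):
            reasons.append("launched_from_batch_in_user_writable_dir")
        if reasons:
            findings.append({
                "pid": ev["pid"],
                "program": program,
                "name": args.get("NAME", ""),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"pid {f['pid']}: exception '{f['name']}' for {f['program']} "
              f"({', '.join(f['reasons'])})")
```

Only the first event is flagged, with both reasons; the vendor installer adding an exception for a program under Program Files is left alone, and the unrelated netsh invocation is ignored by the parser. Because the note above says the entry may be removed again after the download, this check belongs on process-creation events rather than on a periodic audit of the firewall exception list.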
Payload
Downloads and executes arbitrary files
The malware contacts various domains to download and execute arbitrary files, for example:
- berlinhanin.org
- epiaget.com
- yak1004.wo.to
At the time of writing, the malware was observed downloading variants of the Trojan:Win32/Dabvegi family.
Analysis by Ray Roberts
Prevention