Win32/Bredolab is a downloader which is able to download and execute arbitrary files from a remote host.
Win32/Bredolab has changed its installation method over time. When executed, older variants of Win32/Bredolab copy themselves to one of the following locations, converting the EXE into a DLL:
Win32/Bredolab contacts a remote host, and receives a response from the master server that contains at least one encrypted binary. Downloaded binaries are decrypted and executed.
Win32/Bredolab may give downloaded binaries a randomly generated file name on the local machine. Binaries may be saved to the following location:
In the wild, Win32/Bredolab has been observed to contact the following control servers:
18.104.22.168
22.214.171.124
126.96.36.199
188.8.131.52
184.108.40.206
dollarpoint.ru
imoviemax.ru
mudstrang.ru
vanni-van.cn
gssmedia.cn
www.qoeirq.com
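As an added example that is not part of this description, the following Python script matches the destination host of proxy log lines against the control servers listed above, treating subdomains and the bare form of a "www." host as the same indicator; the log line format and the sample lines are constructed assumptions.

```python
import re
from ipaddress import ip_address

# Control servers as listed in this Win32/Bredolab description.
BREDOLAB_HOSTS = {
    "18.104.22.168", "22.214.171.124", "126.96.36.199",
    "188.8.131.52", "184.108.40.206",
    "dollarpoint.ru", "imoviemax.ru", "mudstrang.ru",
    "vanni-van.cn", "gssmedia.cn", "www.qoeirq.com",
}

# Assumed proxy log format: "<timestamp> <client_ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

def _host_of(url):
    """Return the lowercase host part of a URL without scheme, port or path."""
    m = re.match(r"^(?:[a-z]+://)?([^/:]+)", url, re.I)
    return m.group(1).lower().rstrip(".") if m else ""

def matches_indicator(host, indicators=BREDOLAB_HOSTS):
    """True if host is a listed IP, a listed domain, or a subdomain of one.
    IP literals must match exactly; 'www.' prefixes on indicators are dropped."""
    if not host:
        return False
    try:
        ip_address(host)          # raises ValueError for domain names
        return host in indicators
    except ValueError:
        pass
    bare = {h[4:] if h.startswith("www.") else h for h in indicators}
    labels = host.split(".")
    return any(".".join(labels[i:]) in bare for i in range(len(labels)))

def scan_proxy_log(lines):
    """Return (timestamp, client_ip, host) for lines hitting a listed control server."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:                 # skip lines that do not fit the assumed format
            continue
        ts, client, _method, url, _status = m.groups()
        host = _host_of(url)
        if matches_indicator(host):
            hits.append((ts, client, host))
    return hits

# Constructed sample log lines; hosts and paths are illustrative only.
SAMPLE_LOG = [
    "2010-03-15T10:01:02Z 10.0.0.5 GET http://www.example.org/index.html 200",
    "2010-03-15T10:01:09Z 10.0.0.5 GET http://dollarpoint.ru/ 200",
    "2010-03-15T10:02:31Z 10.0.0.7 GET http://18.104.22.168:8080/ 200",
    "2010-03-15T10:03:00Z 10.0.0.9 GET http://qoeirq.com/ 404",
    "malformed line that does not parse",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print("control server contact:", hit)
```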
The following list details just a small selection of the malware known to be downloaded by variants of Win32/Bredolab:
Some variants of Win32/Bredolab may create the following file during execution:
Several variants of Win32/Bredolab have been distributed through spam mass-mailings. Here is a selection of e-mails, used in the wild, to distribute Bredolab onto users' computers:
Example email #1
Subject: Postal Tracking #IARN863188FLP4G
We were not able to deliver postal package you sent on the 14th of March in time because the recipient's address is not correct.
Please print out the invoice copy attached and collect the package at our office.
Your United Parcel Service of America
Example email #2
Subject: Shipping confirmation for order -08244007
Thank you for shopping at our internet shop!
We have successfully received your payment.
Your order has been shipped to your billing address. You have ordered Samsung GO N310-13G. You can find your tracking number in attached to the e-mail document. Please print the label to get your package.
We hope you enjoy your order!