マイライブラリ
マイライブラリ

+ マイライブラリに追加

電話

お問い合わせ履歴

電話

03-6550-8770

Profile

Trojan.DownLoader49.35384

Added to the Dr.Web virus database: 2026-02-21

Virus description added:

SHA1:

  • bb64ea9dd561db41253814587f22985f51f9ad17

Description

A phase 1 trojan in a multi-phase infection sequence that facilitates data theft, clipboard contents monitoring, backdoor deployment, rogue mining and infecting other files.

This trojan initiates the entire infection sequence.

Operation

Files of various legitimate applications having a similar structure are found on the Internet. A global object is introduced into the original executable file. As soon as the trojanized application starts to be executed, the malware takes advantage of the PEB walking technique to gain access to system APIs. Next, the standard initterm method walks the table of function pointers and initializes them. One of these functions is malicious and runs a PowerShell command. It downloads and executes the phase 2 malware — Trojan.DownLoader49.35687. In some versions of the trojan, this payload is encrypted.

#drweb

#drweb

MITRE ATT@CK MATRIX

Tactic Technique
Executor

Command and scripting interpreter (T1059)

PowerShell (T1059.001)

User execution (T1204)

Stealth

Obfuscated files or information (T1027)

Masquerading (T1036)

Command and Control Application layer protocol (T1071)

More about Trojan.DownLoader49.35687
More about BackDoor.Siggen2.5906
More about Trojan.BtcMine.3956
Indicators of Compromise
Trojan review publication

Curing recommendations

  1. If the operating system (OS) can be loaded (either normally or in safe mode), download Dr.Web Security Space and run a full scan of your computer and removable media you use. More about Dr.Web Security Space.
  2. If you cannot boot the OS, change the BIOS settings to boot your system from a CD or USB drive. Download the image of the emergency system repair disk Dr.Web® LiveDisk , mount it on a USB drive or burn it to a CD/DVD. After booting up with this media, run a full scan and cure all the detected threats.
Download Dr.Web

Download by serial number

Use Dr.Web Anti-virus for macOS to run a full scan of your Mac.

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

Download Dr.Web

Download by serial number

  1. If the mobile device is operating normally, download and install Dr.Web for Android. Run a full system scan and follow recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount; or you will see some other announcement that prevents you from using the handheld normally), do the following:
    • Load your smartphone or tablet in the safe mode (depending on the operating system version and specifications of the particular mobile device involved, this procedure can be performed in various ways; seek clarification from the user guide that was shipped with the device, or contact its manufacturer);
    • Once you have activated safe mode, install the Dr.Web for Android onto the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.

Find out more about Dr.Web for Android