Trojan-Downloader:W32/Hiloti

Trojan-Downloader:W32/Hiloti identifies a family of programs that download and execute malicious files onto the affected system.Variants in this family may also be identified as variants in the Trojan-Downloader:W32/Mufanom family.The details below are for a representative variant in the Hiloti family.

Execution

The variant drops a file at %windir% as:

• [random filename][random filename].dll

[random filename]

And loads it using rundll32.exe.The malware then downloads a file[random filename2] from:

• [random filename][random filename2][removed].edvehal.com/GET /get2.php?

And saves it to the following location:

• %windir%\[random filename].dll

[random filename][random filename2]

The malware then performs DNS Query using the infected system's information, for example:

• [random filename][random filename2]0000407015.742c6d13.01.[hash].n.empty.772.empty.5_1._t_i.ffffffff.explorer_exe.154.rc2.[removed]uploading.com

[random filename][random filename2]

Registry Changes

During execution, the malware creates a registry key to create a launchpoint:

• [random filename][random filename2]HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [random value] = rundll32.exe "C:\WINDOWS\[random filename][random filename].dll",Startup

[random filename][random filename2][random filename]

Then it creates random registry keys:

• [random filename][random filename2][random filename]HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\[random filename]
• [random filename][random filename2][random filename]HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\[random filename][random filename][random filename2][random filename] [random value][random filename][random filename2][random filename] = 154
• [random filename][random filename2][random filename]HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\[random filename][random filename][random filename2][random filename] [random value][random filename][random filename2][random filename] = ""
• [random filename][random filename2][random filename]HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\[random filename][random filename][random filename2][random filename] [random value][random filename][random filename2][random filename] = ""

It also creates 8-character mutexes with random name, such as 4fef8c25, 1dfefa41, and ef485b09.