Meine Bibliothek
Meine Bibliothek

+ Zur Bibliothek hinzufügen


Ihre Anfragen

Rufen Sie uns an

+7 (495) 789-45-86



Added to the Dr.Web virus database: 2023-05-12

Virus description added:

Packer: absent

SHA1 hash:

  • 8c54df8f11f9cca98fd91fc8bf35c8763274e59e (python39.dll)


Trojan.Fruity.1 is a multi-component trojan downloader that installs other malware onto computers running Microsoft Windows. It is a modified copy of a legitimate python39.dll library from the Python programming language package. Attackers embed malicious code into this copy. It can reach target devices in various ways. For example, it can be distributed as part of malicious installers of harmless software, which contain all the trojan’s components and copy them into the system during installation.

Operating routine

When all the necessary components are copied onto a target computer, Trojan.Fruity.1 infects the system in several stages.

Stage 1

A trojanized version of the python39.dll library is launched by the legitimate app python.exe. It then searches the functions of the ntdll.dll and kernel32.dll libraries it needs, using the CRC32 hashes of these functions’ names. Next, it decrypts the contents of the idea.mp3 file, using XOR algorithm and a key located within the first 200 bytes of the file. Resulting is a compressed data massive and a shellcode for the next stage.

This library also reads the contents of the idea.cfg file. At the beginning of this file is the string fruit.png, containing information about the payload location for the second stage. This string can be a web link for downloading the target file from the Internet, or a path to a local file.

After these steps, the control is passed to the shellcode.

Stage 2

The shellcode decompresses the data massive, using the RtlDecompressBuffer function. Resulting is a .dll library. Next, shellcode launches a cmd.exe Windows command-line tool in a suspended state, for which the CREATE_SUSPENDED flag is used. It then writes the following information into the memory section of the created process:

  • the fruit.png string;
  • the shellcode for the Stage 3;
  • a memory region with the data for this shellcode (a context for its operation).

Next, in the image of the decompressed .dll library, a patch is made that points to the context address in the process. To do so, a B8CBCBCBCB value is replaced with a B8<the address of the context beginning> value. After that, this library is injected into the cmd.exe process, whose operation is resumed. In the end, the control is passed to this library.

Stage 3

The .dll library injected into the cmd.exe verifies which string was received in the previous stage. If this string starts with the http abbreviature, it tries downloading a target file from the Internet, using the corresponding link. It uses the BITS service first; if that fails, it uses a WinINet API interface. If the beginning of this string has no http abbreviature, it is considered a path to a local file. In this particular case, the target is the local fruit.png file. This file is moved to the %TEMP%\\<rnd>.png, where <rnd.png> is a random 8-symbol hexadecimal number.

Next, the library runs Stage 3 shellcode at the 0x7610 address, transferring the path to a .png file as an argument to it. This shellcode decrypts the image, in which several malicious objects are hidden using steganography. These objects are two .dll libraries and the shellcode for executing Stage 4. The decrypted contents are written into the operating memory.

Stage 4

The shellcode from the fruit.png image verifies the active processes and searches among them for anti-virus software processes by their hash sums. It then tries to bypass their detection and also tries to prevent a possible debugging process.

Next, an injection attempt is executed for the msbuild.exe process. In case of failure, the attempt is repeated for the cmd.exe and notepad.exe processes. The Process Hollowing method is used to inject one of the two .dll libraries decoded earlier from the fruit.png image. The shellcode to initialize Sage 5 is also injected.

After that, a .dll file with a random name is created in the %TEMP% temporary directory. The contents of the second .dll library decoded from the fruit.png image are then copied into this file. Then this file is injected into the target process, but this time using the Process Doppelgänging method. This file is the Remcos RAT (Trojan.Inject4.57973) spyware trojan.

Stage 5

The shellcode injected at the previous stage into the target process puts a legitimate python.exe program into the Windows Autostart and additionally creates a task to launch it in the system scheduler. This program is also added to the scanning exclusions of the Windows Defender built-in Windows anti-virus.

Then, random data is written into the end of the python39.dll trojan file, which changes its hash sum. Moreover, its creation date and time are also modified.

More details on Trojan.Inject4.57973

News about the trojan

Indicators of compromise

Curing recommendations

  1. If the operating system (OS) can be loaded (either normally or in safe mode), download Dr.Web Security Space and run a full scan of your computer and removable media you use. More about Dr.Web Security Space.
  2. If you cannot boot the OS, change the BIOS settings to boot your system from a CD or USB drive. Download the image of the emergency system repair disk Dr.Web® LiveDisk , mount it on a USB drive or burn it to a CD/DVD. After booting up with this media, run a full scan and cure all the detected threats.
Download Dr.Web

Download by serial number

Use Dr.Web Anti-virus for macOS to run a full scan of your Mac.

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

Download Dr.Web

Download by serial number

  1. If the mobile device is operating normally, download and install Dr.Web for Android. Run a full system scan and follow recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount; or you will see some other announcement that prevents you from using the handheld normally), do the following:
    • Load your smartphone or tablet in the safe mode (depending on the operating system version and specifications of the particular mobile device involved, this procedure can be performed in various ways; seek clarification from the user guide that was shipped with the device, or contact its manufacturer);
    • Once you have activated safe mode, install the Dr.Web for Android onto the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.

Find out more about Dr.Web for Android