Win32/Napolar [Threat Name] go to Threat

Win32/Napolar.A [Threat Variant Name]

Category trojan
Size 105472 B
Aliases Trojan-Dropper.Win32.Dapato.dbvf (Kaspersky)
  Trojan:Win32/Napolar.A (Microsoft)
  Win32:Napolar-F (Avast)
Short description

The trojan serves as a backdoor.

It can be controlled remotely. It uses techniques common for rootkits.


When executed, the trojan copies itself into the following location:

  • %startup%\­lsass.exe

This causes the trojan to be executed on every system start.

The trojan creates the following folders:

  • %appdata%\­SlrPlugins\­

The trojan creates and runs a new thread with its own program code in all running processes.

Information stealing

Win32/Napolar.A is a trojan that steals sensitive information.

The trojan collects the following information:

  • computer name
  • user name

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a URL address. The HTTP protocol is used.

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • monitor network traffic
  • perform DoS/DDoS attacks
  • open a specific URL address
  • set up a proxy server

The trojan hides its presence in the system.

The trojan hooks the following Windows APIs:

  • DbgUiRemoteBreakin (ntdll.dll)
  • KiUserExceptionDispatcher (ntdll.dll)
  • ZwQueryDirectoryFile (ntdll.dll)
  • ZwResumeThread (ntdll.dll)
  • ZwSetValueKey (ntdll.dll)
  • send (ws2_32.dll)

The trojan contains both 32-bit and 64-bit program components.

Please enable Javascript to ensure correct displaying of this content and refresh this page.