FINALDRAFT Malware

What kind of malware is FINALDRAFT?

FINALDRAFT is malware written in the C++ programming language. It is designed for data exfiltration and process injection. It has additional modules that it can inject into systems. FINALDRAFT is typically delivered through PATHLOADER, another piece of malware. Once executed, FINALDRAFT can carry out its activities by communicating with command-and-control servers.

FINALDRAFT malware

More about FINALDRAFT

FINALDRAFT uses Microsoft Graph API through Outlook to communicate with a command-and-control server. It stores a key in the registry to maintain communication with its C2. The malware supports over 30 command handlers to execute tasks such as process injection, file manipulation, and network proxying.

Some key commands include gathering computer info, controlling TCP connections, file operations (e.g., downloading, uploading, moving), and process management (e.g., terminating processes, injecting processes). These handlers enable attackers to manipulate files, monitor system activity, and establish control over infected machines for remote operations.

When FINALDRAFT runs the command intended to gather computer information, it collects data such as the computer name, username, IP addresses, and details about running processes. Also, it can secretly insert harmful code into programs already running on a computer, or it can create new, hidden programs to inject the code into.

After injecting the code, it can collect information from the process and send it back to the attacker. It uses basic Windows functions to perform this action.

Furthermore, FINALDRAFT's file manipulation capabilities include securely deleting and copying files. When deleting files, it makes sure the data is erased by overwriting it with zeros, preventing recovery. For file copying, it first tries the normal method, but if that does not work, it copies data directly at the disk's cluster level.

FINALDRAFT malware also has additional modules, including one for network enumeration that gathers details and sends them via a password-protected pipe. Another module allows for stealthy execution of PowerShell commands while bypassing security measures. It also features a Pass-the-Hash tool to execute processes using stolen credentials.

Lastly, it is known that there is an ELF version of the FINALDRAFT malware for Linux with different protocols and fewer features.

Threat Summary:
Name	FINALDRAFT malicious software
Threat Type	Malware
Detection Names	Avast (Win64:AutoHotLoader-A [Drp]), Combo Cleaner (Generic.ShellCode.RDI.Marte.10.793299A0), Emsisoft (Generic.ShellCode.RDI.Marte.10.793299A0 (B)), Kaspersky (HEUR:Trojan.Multi.Shellcode.gen), Symantec (Trojan Horse), Full List (VirusTotal)
Symptoms	Trojans are designed to stealthily infiltrate the victim's computer and remain silent, and thus no particular symptoms are clearly visible on an infected machine.
Distribution methods	Infected email attachments, malicious online advertisements, social engineering, software 'cracks'.
Damage	Stolen passwords and banking information, identity theft, the victim's computer added to a botnet.
Malware Removal (Windows)	To eliminate possible malware infections, scan your computer with legitimate antivirus software. Our security researchers recommend using Combo Cleaner. Download Combo Cleaner To use full-featured product, you have to purchase a license for Combo Cleaner. 7 days free trial available. Combo Cleaner is owned and operated by RCS LT, the parent company of PCRisk.com.

Possible damage

FINALDRAFT malware allows cybercriminals to gain control of infected systems by stealing sensitive information, injecting malicious code, and remotely executing commands. It can perform tasks such as manipulating files, managing processes, and collecting system data. Victims may experience data loss, system instability, unauthorized access to sensitive information, and other issues.

How did FINALDRAFT infiltrate my computer?

Threat actors were observed delivering FINALDRAFT through a loader known as PATHLOADER. The exact method of delivery for PATHLOADER is not clear. However, cybercriminals are likely to distribute it through emails containing malicious attachments or links, technical support scams, pirated software (or cracking tools, keygens), or malicious ads.

They may also deliver malware through software vulnerabilities, infected USB drives, P2P networks, deceptive or compromised websites, and similar channels.

How to avoid installation of malware?

Download software from trusted platforms like official app stores, and never download pirated/cracked software, cracking tools, keygens, etc. Be cautious of pop-ups, advertisements, or links on shady websites, and do not permit such pages to show notifications. Regularly update the operating system and installed programs.

Do not open files (attachments) and links in irrelevant, unexpected, or similar emails from unknown senders. Also, use a reliable security tool. If you believe that your computer is already infected, we recommend running a scan with Combo Cleaner Antivirus for Windows to automatically eliminate infiltrated malware.

Instant automatic malware removal:

Manual threat removal might be a lengthy and complicated process that requires advanced IT skills. Combo Cleaner is a professional automatic malware removal tool that is recommended to get rid of malware. Download it by clicking the button below:

DOWNLOAD Combo Cleaner

By downloading any software listed on this website you agree to our Privacy Policy and Terms of Use. To use full-featured product, you have to purchase a license for Combo Cleaner. 7 days free trial available. Combo Cleaner is owned and operated by RCS LT, the parent company of PCRisk.com.

Quick menu:

What is FINALDRAFT?
STEP 1. Manual removal of FINALDRAFT malware.
STEP 2. Check if your computer is clean.

How to remove malware manually?

Manual malware removal is a complicated task - usually it is best to allow antivirus or anti-malware programs to do this automatically. To remove this malware we recommend using Combo Cleaner Antivirus for Windows.

If you wish to remove malware manually, the first step is to identify the name of the malware that you are trying to remove. Here is an example of a suspicious program running on a user's computer:

Malware process running in the Task Manager

If you checked the list of programs running on your computer, for example, using task manager, and identified a program that looks suspicious, you should continue with these steps:

manual malware removal step 1 Download a program called Autoruns. This program shows auto-start applications, Registry, and file system locations:

Autoruns application appearance

manual malware removal step 2 Restart your computer into Safe Mode:

Windows XP and Windows 7 users: Start your computer in Safe Mode. Click Start, click Shut Down, click Restart, click OK. During your computer start process, press the F8 key on your keyboard multiple times until you see the Windows Advanced Option menu, and then select Safe Mode with Networking from the list.

Run Windows 7 or Windows XP in Safe Mode with Networking

Video showing how to start Windows 7 in "Safe Mode with Networking":

Windows 8 users: Start Windows 8 is Safe Mode with Networking - Go to Windows 8 Start Screen, type Advanced, in the search results select Settings. Click Advanced startup options, in the opened "General PC Settings" window, select Advanced startup.

Click the "Restart now" button. Your computer will now restart into the "Advanced Startup options menu". Click the "Troubleshoot" button, and then click the "Advanced options" button. In the advanced option screen, click "Startup settings".

Click the "Restart" button. Your PC will restart into the Startup Settings screen. Press F5 to boot in Safe Mode with Networking.

Run Windows 8 in Safe Mode with Networking

Video showing how to start Windows 8 in "Safe Mode with Networking":

Windows 10 users: Click the Windows logo and select the Power icon. In the opened menu click "Restart" while holding "Shift" button on your keyboard. In the "choose an option" window click on the "Troubleshoot", next select "Advanced options".

In the advanced options menu select "Startup Settings" and click on the "Restart" button. In the following window you should click the "F5" button on your keyboard. This will restart your operating system in safe mode with networking.

Run Windows 10 in Safe Mode with Networking

Video showing how to start Windows 10 in "Safe Mode with Networking":

manual malware removal step 3 Extract the downloaded archive and run the Autoruns.exe file.

Extract Autoruns.zip archive and run Autoruns.exe application

manual malware removal step 4 In the Autoruns application, click "Options" at the top and uncheck "Hide Empty Locations" and "Hide Windows Entries" options. After this procedure, click the "Refresh" icon.

Refresh Autoruns application results

manual malware removal step 5 Check the list provided by the Autoruns application and locate the malware file that you want to eliminate.

You should write down its full path and name. Note that some malware hides process names under legitimate Windows process names. At this stage, it is very important to avoid removing system files. After you locate the suspicious program you wish to remove, right click your mouse over its name and choose "Delete".

Delete malware in Autoruns

After removing the malware through the Autoruns application (this ensures that the malware will not run automatically on the next system startup), you should search for the malware name on your computer. Be sure to enable hidden files and folders before proceeding. If you find the filename of the malware, be sure to remove it.

Search for malware and delete it

Reboot your computer in normal mode. Following these steps should remove any malware from your computer. Note that manual threat removal requires advanced computer skills. If you do not have these skills, leave malware removal to antivirus and anti-malware programs.

These steps might not work with advanced malware infections. As always it is best to prevent infection than try to remove malware later. To keep your computer safe, install the latest operating system updates and use antivirus software. To be sure your computer is free of malware infections, we recommend scanning it with Combo Cleaner Antivirus for Windows.

Frequently Asked Questions (FAQ)

My computer is infected with FINALDRAFT malware, should I format my storage device to get rid of it?

While formatting your storage device can remove FINALDRAFT malware, it can lead to permanent data loss. A safer approach is to use trusted malware removal software, like Combo Cleaner, to scan and clean your system without losing valuable files.

What are the biggest issues that malware can cause?

Malware infiltration can lead to serious consequences, including identity theft, financial losses, system slowdowns, further infections, and data encryption. The extent of the damage depends on the specific type of malware and its features.

What is the purpose of FINALDRAFT malware?

FINALDRAFT can steal sensitive information, inject malicious code into running processes, and perform actions like data exfiltration.

How did FINALDRAFT infiltrate my computer?

FINALDRAFT is delivered through the loader PATHLOADER. Cybercriminals may distribute PATHLOADER via emails with malicious attachments or links, technical support scams, pirated software, malicious ads, or software vulnerabilities. Other channels can be infected USB drives, P2P networks, and compromised websites.

Will Combo Cleaner protect me from malware?

Combo Cleaner is effective at detecting and removing most known malware. However, some advanced malware may hide deep within the system. Running a full system scan ensures thorough detection and removal of these hidden threats.