Trojan.Agent
Risk Level 1
 
File Size : 216064 KB
File Type : Portable Executable 32
File Name : 83f2235a378929d194ecf7f67f2e2e78
MD5 : 83f2235a378929d194ecf7f67f2e2e78
SHA1 : 1542472c42dadfa46765826a9c3221b19b602dfe
SHA256 : 05d6ad805ddb5345b01f2cea2f3c9f5ddbd3310bd8494ddc0c

General information:

* File name: C:\Users\cognus\Desktop\Autorun_samples\05d6ad805ddb5345b01f2cea2f3c9f5ddbd3310bd8494ddc0cd2d0d7f4a7e6d2.exe

Changes to registry :

* Creates value "(Default)=C:\Users\cognus\AppData\Roaming\DAEMON Tools Lite\sp.DLL" in key HKEY_LOCAL_MACHINE\software\Classes\CLSID\{96AFBE69-C3B0-4b00-8578-D933D2896EE2}\InProcServer32
binary data=43003A005C00550073006500720073005C0063006F0067006E00750073005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004400410045004D004F004E00200054006F006F006C00730020004C006900740065005C00730070002E0044004C004C000000
* Creates value "ThreadingModel=410070006100720074006D0065006E0074000000" (UTF-16LE: "Apartment") in key HKEY_LOCAL_MACHINE\software\Classes\CLSID\{96AFBE69-C3B0-4b00-8578-D933D2896EE2}\InProcServer32
* Creates value "(Default)={96AFBE69-C3B0-4b00-8578-D933D2896EE2}" in key HKEY_LOCAL_MACHINE\software\Classes\sp\CLSID
binary data=7B00390036004100460042004500360039002D0043003300420030002D0034006200300030002D0038003500370038002D004400390033003300440032003800390036004500450032007D000000
* Creates value "NukeOnDelete=00000001" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Explorer\BitBucket
* Creates value "UseGlobalSettings=00000001" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Explorer\BitBucket
* Creates value "(Default)={96AFBE69-C3B0-4b00-8578-D933D2896EE2}" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\sp
binary data=7B00390036004100460042004500360039002D0043003300420030002D0034006200300030002D0038003500370038002D004400390033003300440032003800390036004500450032007D000000
* Creates value "{96AFBE69-C3B0-4b00-8578-D933D2896EE2}=730070000000" (UTF-16LE: "sp") in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Shell Extensions\Approved
* Creates value "DontShowUI=00000001" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\Windows Error Reporting
* Creates Registry key HKEY_LOCAL_MACHINE\software\microsoft\Windows\Windows Error Reporting\LocalDumps
* Creates value "netsvc=53005000530065007200760069006300650000005D000000" (UTF-16LE multi-string: "SPService", "]") in key HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\SvcHost
* Creates value "Type=00000001" in key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\FsFilter
* Creates value "Start=00000001" in key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\FsFilter
* Creates value "ErrorControl=00000001" in key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\FsFilter
* Creates value "DisplayName=FsFilter" in key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\FsFilter
binary data=46007300460069006C007400650072000000
* Creates value "ImagePath=c:\users\cognus\appdata\roaming\daemon tools lite\rxsupply.sys" in key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\FsFilter
binary data=63003A005C00750073006500720073005C0063006F0067006E00750073005C0061007000700064006100740061005C0072006F0061006D0069006E0067005C006400610065006D006F006E00200074006F006F006C00730020006C006900740065005C007200780073007500700070006C0079002E007300790073000000
* Creates value "{28ADEDE1-A4D5-42D8-9B05-BF7C283C4059}=v2.0|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|Profile=Public|App=C:\Windows\system32\svchost.exe|Name=svchost.exe|Edge=FALSE|" in key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules
* Creates value "{28ADEDE1-A4D5-42D8-9B05-BF7C283C4060}=v2.0|Action=Allow|Active=TRUE|Dir=Out|Protocol=6|Profile=Private|Profile=Public|App=C:\Windows\system32\svchost.exe|Name=svchost.exe|Edge=FALSE|" in key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules
* Creates value "Type=00000110" in key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SPService
* Creates value "Start=00000002" in key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SPService
* Creates value "ErrorControl=00000001" in key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SPService
* Creates value "ImagePath=C:\Windows\system32\svchost.exe -k netsvc" in key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SPService
binary data=43003A005C00570069006E0064006F00770073005C00730079007300740065006D00330032005C0073007600630068006F00730074002E0065007800650020002D006B0020006E00650074007300760063000000
* Creates value "ObjectName=LocalSystem" in key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SPService
binary data=4C006F00630061006C00530079007300740065006D000000
* Creates value "0=Root\LEGACY_SHTST\0000" in key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SPService\Enum
binary data=52006F006F0074005C004C00450047004100430059005F00530048005400530054005C0030003000300030000000
* Creates value "Count=00000001" in key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SPService\Enum
* Creates value "NextInstance=00000001" in key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SPService\Enum
* Creates value "ServiceDll=C:\Users\cognus\AppData\Roaming\DAEMON Tools Lite\sp.DLL" in key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SPService\Parameters
binary data=43003A005C00550073006500720073005C0063006F0067006E00750073005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004400410045004D004F004E00200054006F006F006C00730020004C006900740065005C00730070002E0044004C004C000000
* Creates value "GUID=cc1eb3c1-a68e-4d8e-8c67-1047f75dd4af" in key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SPService\Parameters
binary data=630063003100650062003300630031002D0061003600380065002D0034006400380065002D0038006300360037002D003100300034003700660037003500640064003400610066000000
* Modifies value "NukeOnDelete=00000001" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{b474db1c-161b-11e6-932e-806e6f6e6963}
old value empty
* Creates value "(Default)=31" in key HKEY_CURRENT_USER\software\SandboxAutoExec
* Creates value "SandboxieRpcSs.exe=Sandboxie COM Services (RPC)" in key HKEY_CURRENT_USER\software\classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Program Files\Sandboxie
binary data=530061006E00640062006F00780069006500200043004F004D002000530065007200760069006300650073002000280052005000430029000000
* Creates value "sc.exe=4100200074006F006F006C00200074006F002000610069006400200069006E00200064006500760065006C006F00700069006E006700200073006500720076006900630065007300200066006F0072002000570069006E0064006F00770073004E0054000000" (UTF-16LE: "A tool to aid in developing services for WindowsNT") in key HKEY_CURRENT_USER\software\classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Windows\System32
* Creates value "cmd.exe=Windows Command Processor" in key HKEY_CURRENT_USER\software\classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Windows\system32
binary data=570069006E0064006F0077007300200043006F006D006D0061006E0064002000500072006F0063006500730073006F0072000000

Changes to filesystem:

* Creates file C:\Users\cognus\AppData\Roaming\DAEMON Tools Lite\fs.cfg
* Creates file C:\Users\cognus\AppData\Roaming\DAEMON Tools Lite\rxsupply.sys
* Creates file C:\Users\cognus\AppData\Roaming\DAEMON Tools Lite\sp.DLL
* Modifies file (empty) C:\Users\cognus\Desktop\Autorun_samples\05d6ad805ddb5345b01f2cea2f3c9f5ddbd3310bd8494ddc0cd2d0d7f4a7e6d2.exe

Network services:

* Queries DNS "wpad.localdomain".
* Queries DNS "download.windowsupdate.com".
* Queries DNS "ds.download.windowsupdate.com".
* Queries DNS "www.update.microsoft.com".
* Queries DNS "clients2.google.com".
* Queries DNS "redirector.gvt1.com".
* Queries DNS "r4---sn-ci5gup-cvhz.gvt1.com".
* Queries DNS "rs-socks.com".
* Queries DNS "vip-socks.org".
* Queries DNS "servicevip.org".
* Queries DNS "rs-service.org".
* Queries DNS "vip-rs.com".
* C:\Windows\System32\svchost.exe Connects to "85.13.152.13" on port 80 (TCP - HTTP).
* C:\Windows\System32\svchost.exe Connects to "54.72.9.51" on port 80 (TCP - HTTP).
* Downloads file from "rs-service.org/jihugbyt/zxcvtbyn/ip.php".
* Downloads file from "vip-rs.com/jihugbyt/zxcvtbyn/ip.php".

Process/window/string information:

* Gets volume information.
* Checks for debuggers.
* Creates process "C:\Windows\System32\sc.exe, "C:\Windows\System32\sc.exe" create SPService binPath= "C:\Windows\system32\svchost.exe", C:\Users\cognus\Desktop\Autorun_samples".
* Injects code into process "C:\Windows\System32\sc.exe".
* Creates a service named "SPService".
* Creates process "C:\Windows\System32\sc.exe, "C:\Windows\System32\sc.exe" start SPService, C:\Users\cognus\Desktop\Autorun_samples".
* Creates process "null, "C:\Users\cognus\Desktop\Autorun_samples\a.cmd" , C:\Users\cognus\Desktop\Autorun_samples".
* Injects code into process "C:\Windows\System32\cmd.exe".
* Opens a service named "SPService".
* Starts a service.
* Creates a service named "FsFilter".
* Loads a system driver named "fsfilter".
* Sleeps 9 seconds.

Additional Information:

How To Remove 83f2235a378929d194ecf7f67f2e2e78

1. Download Computer Free Antivirus software.
2. Install the exe file on your system.
3. Run a full scan of your computer, or of the folder where 83f2235a378929d194ecf7f67f2e2e78.exe is located.
4. Once the scan is finished, you’ll get the message “scan is complete”. Click the OK button to get the results.
5. Then delete the threat from the table.
