Trojan.Agent
Risk Level 1
File Size: 14336 KB
File Type: Portable Executable 32
File Name

AdobeAirUpdater.exe

MD5

aa330b0566796b5d84123867c87ed0b6

SHA1

aba48f387392ae3037bb0cb26d715fadd85856f2

SHA256

75ae1dc0a1e54dbd224aef94bc88b2c9391a843ef3cd4a339a

General information:

* File name: C:\Users\cognus\Desktop\Analysis\Trojan.Downloader.MSIL\Sample\aa330b0566796b5d84123867c87ed0b6.exe

Changes to registry:

* Creates value "Torrent=C:\Users\cognus\Desktop\Analysis\Trojan.Downloader.MSIL\Sample\aa330b0566796b5d84123867c87ed0b6.exe" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run
binary data=43003A005C00550073006500720073005C0063006F0067006E00750073005C004400650073006B0074006F0070005C0041006E0061006C0079007300690073005C00540072006F006A0061006E002E0044006F0077006E006C006F0061006400650072002E004D00530049004C005C00530061006D0070006C0065005C00610061003300330030006200300035003600360037003900360062003500640038003400310032003300380036003700630038003700650064003000620036002E006500780065000000
* Creates value "(Default)=31" in key HKEY_CURRENT_USER\software\SandboxAutoExec
* Creates value "LangID=0904" in key HKEY_CURRENT_USER\software\classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
* Creates value "SandboxieRpcSs.exe=Sandboxie COM Services (RPC)" in key HKEY_CURRENT_USER\software\classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Program Files\Sandboxie
binary data=530061006E00640062006F00780069006500200043004F004D002000530065007200760069006300650073002000280052005000430029000000

Changes to filesystem:

No changes

Network services:

* Queries DNS "www.google.co.in".
* Queries DNS "www.virustotal.com".
* Queries DNS "virustotalcloud.appspot.com".
* Queries DNS "ajax.googleapis.com".
* Queries DNS "ssl.google-analytics.com".
* Queries DNS "clients1.google.com".
* Queries DNS "stats.g.doubleclick.net".
* Queries DNS "chart.googleapis.com".
* Queries DNS "teredo.ipv6.microsoft.com".
* Queries DNS "www.gstatic.com".
* Queries DNS "wpad.localdomain".
* Queries DNS "clients2.google.com".
* Queries DNS "dns.msftncsi.com".
* Queries DNS "clients4.google.com".
* Queries DNS "exonapps.nl".
* Queries DNS "safebrowsing.google.com".
* Queries DNS "safebrowsing-cache.google.com".
* C:\Users\cognus\Desktop\Analysis\Trojan.Downloader.MSIL\Sample\aa330b0566796b5d84123867c87ed0b6.exe Connects to "104.25.42.33" on port 80 (TCP - HTTP).
* Downloads file from "go.microsoft.com/fwlink/?LinkId=57426&Ext=pe".
* Downloads file from "shell.windows.com/fileassoc/fileassoc.asp?Ext=pe".
* Downloads file from "shell.windows.com/0409/fileassoc.css".
* Downloads file from "shell.windows.com/Win_FileAssoc_Header.jpg".
* Downloads file from "shell.windows.com/HeaderSlice.jpg".
* Downloads file from "shell.windows.com/favicon.ico".
* Downloads file from "yahoo.com/setting.doc".
* Downloads file from "www.yahoo.com/setting.doc".
* Downloads file from "exonapps.nl/v2/listener.php?pcnaam=WIN-KGL9TO64INN&uni=8e717043b93c5fb6b76d9c2d1695414c&winos=Windows%207&cpu=Intel(R)%20Core(TM)%20i3-4170T%20CPU%20@%203.20GHz&gpu=VMware%20SVGA%203D".

Process/window/string information:

* Gets computer name.
* Checks for debuggers.
* Creates an event named "Global\CorDBIPCSetupSyncEvent_14204".
* Creates a mutex "Global\.net clr networking".
* Contains string Traces of AutoStart registry key ("Software\Microsoft\Windows\CurrentVersion\Run")
* Contains string Detected Anti-Malware Analyzer routine: Norman Sandbox detection ("CurrentUser")
* Sleeps 231 seconds.

Additional Information:

How To Remove AdobeAirUpdater.exe

1. Download Sniper Antivirus.
2. Install the exe file on your system.
3. Run a full scan of your computer, or of the folder where AdobeAirUpdater.exe is located.
4. Once the scan is finished, you’ll get the message “scan is complete”.
Click the OK button to get the results.
5. Then delete the threat from the table.
