Trojan.Agent
Risk Level 1
 
File Size : 846848 KB
File Type : Portable Executable 32
File Name : ALFA.exe
MD5 : a931d829c753a36b4c33b633bf70cd96
SHA1 : 1c0144dc4cbe7a0b651d41579f23bc412f025d69
SHA256 : 9878b4367b40c3045d0d377fb4a4b8f812883a294a04bdd58c

General information:

* File name: C:\Users\cognus\Desktop\Analyzed Viruses\3 June 2016\New folder\Samples\a931d829c753a36b4c33b633bf70cd96.exe

Changes to registry :

* Creates value "FileTracingMask=FFFF0000" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\a931d829c753a36b4c33b633bf70cd96_RASAPI32
* Creates value "ConsoleTracingMask=FFFF0000" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\a931d829c753a36b4c33b633bf70cd96_RASAPI32
* Creates value "MaxFileSize=00100000" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\a931d829c753a36b4c33b633bf70cd96_RASAPI32
* Creates value "FileDirectory=%windir%\tracing" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\a931d829c753a36b4c33b633bf70cd96_RASAPI32
binary data=2500770069006E0064006900720025005C00740072006100630069006E0067000000
* Creates value "FileTracingMask=FFFF0000" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\a931d829c753a36b4c33b633bf70cd96_RASMANCS
* Creates value "ConsoleTracingMask=FFFF0000" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\a931d829c753a36b4c33b633bf70cd96_RASMANCS
* Creates value "MaxFileSize=00100000" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\a931d829c753a36b4c33b633bf70cd96_RASMANCS
* Creates value "FileDirectory=%windir%\tracing" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\a931d829c753a36b4c33b633bf70cd96_RASMANCS
binary data=2500770069006E0064006900720025005C00740072006100630069006E0067000000
* Creates value "NukeOnDelete=00000001" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Explorer\BitBucket
* Creates value "UseGlobalSettings=00000001" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Explorer\BitBucket
* Creates value "DontShowUI=00000001" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\Windows Error Reporting
* Creates Registry key HKEY_LOCAL_MACHINE\software\microsoft\Windows\Windows Error Reporting\LocalDumps
* Modifies value "NukeOnDelete=00000001" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{c9d04f3b-1c7e-11e6-979c-806e6f6e6963}
old value empty
* Modifies value "SavedLegacySettings=…" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
old value "SavedLegacySettings=460000001E00000009000000000000000000000000000000040000000000000080312BAE91D3D101000000000000000000000000020000001700000000000000FE800000000000001466833CA0278AEB0B0000001000000000000000000000000000000000200000002000000010000001000000EA0300000906020008000000000000000000000000000000000000000000000000000000000000000000000000000000FFFFFFFFA01A0FE78BABCF118CA300805F48A19202000000C0A8BD8400000000000000002073740000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000003000003AEDF0000780E720098466B000000000000000000"
* Modifies value "DefaultConnectionSettings=…" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
old value "DefaultConnectionSettings=…"
* Modifies value "WpadLastNetwork={892C661B-2107-4594-A075-F398544CBD3B}" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
binary data=7B00380039003200430036003600310042002D0032003100300037002D0034003500390034002D0041003000370035002D004600330039003800350034003400430042004400330042007D000000
old value "WpadLastNetwork={28585BB3-1164-43A9-9E9F-D296C7F9627A}"
binary data=7B00320038003500380035004200420033002D0031003100360034002D0034003300410039002D0039004500390046002D004400320039003600430037004600390036003200370041007D000000
* Creates value "WpadDecisionReason=00000001" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-fc-f3-f0
* Creates value "WpadDecisionTime=D075F60E88BDD101" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-fc-f3-f0
* Creates value "WpadDecision=00000003" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-fc-f3-f0
* Creates value "WpadDecisionReason=00000001" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{892C661B-2107-4594-A075-F398544CBD3B}
* Creates value "WpadDecisionTime=D075F60E88BDD101" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{892C661B-2107-4594-A075-F398544CBD3B}
* Creates value "WpadDecision=00000003" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{892C661B-2107-4594-A075-F398544CBD3B}
* Creates value "WpadNetworkName=Network 4" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{892C661B-2107-4594-A075-F398544CBD3B}
binary data=4E006500740077006F0072006B002000200034000000
* Creates Registry key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{892C661B-2107-4594-A075-F398544CBD3B}\00-50-56-fc-f3-f0
* Creates value "(Default)=31" in key HKEY_CURRENT_USER\software\SandboxAutoExec
* Creates value "SandboxieRpcSs.exe=Sandboxie COM Services (RPC)" in key HKEY_CURRENT_USER\software\classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Program Files\Sandboxie
binary data=530061006E00640062006F00780069006500200043004F004D002000530065007200760069006300650073002000280052005000430029000000
* Creates value "a931d829c753a36b4c33b633bf70cd96.exe=Magnoos pit" in key HKEY_CURRENT_USER\software\classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Users\cognus\Desktop\Analyzed Viruses\3 June 2016\New folder\Samples
binary data=4D00610067006E006F006F00730020007000690074000000

Changes to filesystem:

* Modifies file (hidden) C:\Users\cognus\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat

Network services:

* Looks for an Internet connection.
* Queries DNS "wpad.localdomain".
* C:\Users\cognus\Desktop\Analyzed Viruses\3 June 2016\New folder\Samples\a931d829c753a36b4c33b633bf70cd96.exe Connects to "184.106.196.129" on port 80 (TCP - HTTP).
* Downloads file from "google.com/".
* Downloads file from "184.106.196.129/assets/assets.zip".

Process/window/string information:

* Gets user name information.
* Gets input locale identifiers.
* Checks for debuggers.
* Opens a service named "rasman".
* Opens a service named "Sens".
* Injects code into process "C:\Windows\System32\rundll32.exe".
* Creates a mutex "IESQMMUTEX_0_208".
* Creates process "null, C:\Users\cognus\AppData\Roaming\securitym.exe, C:\Users\cognus\Desktop\Analyzed Viruses\3 June 2016\New folder\Samples".
* Sleeps 91 seconds.

Additional Information:

How To Remove ALFA.exe

1. Download Sniper Antivirus.
2. Install the exe file on your system.
3. Run a full scan of your computer, or of the folder where ALFA.exe is located.
4. Once the scan is finished, you'll get the message "scan is complete". Click the OK button to see the results.
5. Then delete the threat from the table.
