Trojan.Agent
Risk Level 1
 
File Size : 204816 KB
File Type : Portable Executable 32
File Name

apple.exe

MD5

6ce20cff2ee18a8e93f1f86f2511ba50

SHA1

e28cb7b473510fc01524731d10c1007165b6e34b

SHA256

061da6db041c2627abd3efd23f4f8252af56c1cf9bf783bfbc

General information:

* File name: C:\Users\cognus\Desktop\Analyzed Viruses\8 June 2016\New folder\Sample\6ce20cff2ee18a8e93f1f86f2511ba50.exe

Changes to registry :

* Creates value "FileTracingMask=FFFF0000" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\6ce20cff2ee18a8e93f1f86f2511ba50_RASAPI32
* Creates value "ConsoleTracingMask=FFFF0000" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\6ce20cff2ee18a8e93f1f86f2511ba50_RASAPI32
* Creates value "MaxFileSize=00100000" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\6ce20cff2ee18a8e93f1f86f2511ba50_RASAPI32
* Creates value "FileDirectory=%windir%\tracing" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\6ce20cff2ee18a8e93f1f86f2511ba50_RASAPI32
binary data=2500770069006E0064006900720025005C00740072006100630069006E0067000000
* Creates value "FileTracingMask=FFFF0000" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\6ce20cff2ee18a8e93f1f86f2511ba50_RASMANCS
* Creates value "ConsoleTracingMask=FFFF0000" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\6ce20cff2ee18a8e93f1f86f2511ba50_RASMANCS
* Creates value "MaxFileSize=00100000" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\6ce20cff2ee18a8e93f1f86f2511ba50_RASMANCS
* Creates value "FileDirectory=%windir%\tracing" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\6ce20cff2ee18a8e93f1f86f2511ba50_RASMANCS
binary data=2500770069006E0064006900720025005C00740072006100630069006E0067000000
* Creates value "NukeOnDelete=00000001" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Explorer\BitBucket
* Creates value "UseGlobalSettings=00000001" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Explorer\BitBucket
* Creates value "DontShowUI=00000001" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\Windows Error Reporting
* Creates Registry key HKEY_LOCAL_MACHINE\software\microsoft\Windows\Windows Error Reporting\LocalDumps
* Creates value "PendingFileRenameOperations=\??\C:\Users\cognus\Desktop\Analyzed Viruses\8 June 2016\New folder\Sample\ver.exe" in key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager
binary data=5C003F003F005C0043003A005C00550073006500720073005C0063006F0067006E00750073005C004400650073006B0074006F0070005C0041006E0061006C0079007A0065006400200056006900720075007300650073005C00380020004A0075006E006500200032003000310036005C004E0065007700200066006F006C006400650072005C00530061006D0070006C0065005C007600650072002E00650078006500000000000000
* Creates value "Version=00000008" in key HKEY_CURRENT_USER\software\Microsoft\IME
* Modifies value "NukeOnDelete=00000001" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{c9d04f3b-1c7e-11e6-979c-806e6f6e6963}
old value empty
* Modifies value "SavedLegacySettings" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections (binary value data not preserved in this report)
* Creates value "stubpath=C:\Users\cognus\AppData\Local\Temp\apple.exe" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run
binary data=43003A005C00550073006500720073005C0063006F0067006E00750073005C0041007000700044006100740061005C004C006F00630061006C005C00540065006D0070005C006100700070006C0065002E006500780065000000
* Creates value "(Default)=31" in key HKEY_CURRENT_USER\software\SandboxAutoExec
* Creates value "SandboxieRpcSs.exe=Sandboxie COM Services (RPC)" in key HKEY_CURRENT_USER\software\classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Program Files\Sandboxie
binary data=530061006E00640062006F00780069006500200043004F004D002000530065007200760069006300650073002000280052005000430029000000
* Creates value "cmd.exe=Windows Command Processor" in key HKEY_CURRENT_USER\software\classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Windows\system32
binary data=570069006E0064006F0077007300200043006F006D006D0061006E0064002000500072006F0063006500730073006F0072000000

Changes to filesystem:

* Modifies file (hidden) C:\Users\cognus\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
* Creates file C:\Users\cognus\AppData\Local\Temp\apple.exe
* Creates file C:\Users\cognus\AppData\Roaming\Microsoft\Windows\Cookies\cognus@163[1].txt
* Modifies file (hidden) C:\Users\cognus\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
* Modifies file (empty) C:\Users\cognus\Desktop\Analyzed Viruses\8 June 2016\New folder\Sample\6ce20cff2ee18a8e93f1f86f2511ba50.exe

Network services:

* Queries DNS "exeinfo1.org".
* Queries DNS "blog.chosun.com".
* Queries DNS "blog.daum.net".
* Queries DNS "opaoxf112.blog.163.com".
* Queries DNS "www.ezyeconomy.com".
* C:\Users\cognus\Desktop\Analyzed Viruses\8 June 2016\New folder\Sample\6ce20cff2ee18a8e93f1f86f2511ba50.exe Connects to "218.145.28.120" on port 80 (TCP - HTTP).
* C:\Users\cognus\Desktop\Analyzed Viruses\8 June 2016\New folder\Sample\6ce20cff2ee18a8e93f1f86f2511ba50.exe Connects to "180.70.134.40" on port 80 (TCP - HTTP).
* C:\Users\cognus\Desktop\Analyzed Viruses\8 June 2016\New folder\Sample\6ce20cff2ee18a8e93f1f86f2511ba50.exe Connects to "115.238.126.133" on port 80 (TCP - HTTP).
* C:\Users\cognus\Desktop\Analyzed Viruses\8 June 2016\New folder\Sample\6ce20cff2ee18a8e93f1f86f2511ba50.exe Connects to "114.200.196.44" on port 80 (TCP - HTTP).
* Downloads file from "blog.chosun.com/rss/freebirdf1".
* Downloads file from "blog.daum.net/xml/rss/opaoxf2".
* Downloads file from "opaoxf112.blog.163.com/rss/".
* Downloads file from "www.ezyeconomy.com/xml/20110714/o5.gif?".

Process/window/string information:

* Gets user name information.
* Gets volume information.
* Checks for debuggers.
* Opens a service named "Sens".
* Opens a service named "rasman".
* Creates a mutex "IESQMMUTEX_0_208".
* Creates a mutex "Local\!IETld!Mutex".
* Creates process "null, C:\Users\cognus\AppData\Local\Temp\1.bat, null".
* Injects code into process "C:\Windows\System32\cmd.exe".

Additional Information:

How To Remove apple.exe

1. Download Sniper Antivirus.
2. Install the exe file on your system.
3. Run a full scan of your computer, or of the folder where apple.exe is located.
4. Once the scan is finished, you’ll get the message “scan is complete”. Click the OK button to get the results.
5. Then delete the threat from the table.
