Trojan.Agent
Risk Level 1
File Size: 123948 KB
File Type: Portable Executable 32
File Name: datav.exe
MD5: 77514a610ad7c3ddf22d120cc6ff75f1
SHA1: 6339f65c6fbcb5e029302379d42b30c8469fc83a
SHA256: 2a988bccd177a2f9df3b9d3232230013da85666061677d5141

General information:

* File name: C:\Users\cognus\Desktop\Autorun\77514a610ad7c3ddf22d120cc6ff75f1\tmp\virii\77514a610ad7c3ddf22d120cc6ff75f1.exe

Changes to registry:

* Creates value "FileTracingMask=FFFF0000" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\77514a610ad7c3ddf22d120cc6ff75f1_RASAPI32
* Creates value "ConsoleTracingMask=FFFF0000" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\77514a610ad7c3ddf22d120cc6ff75f1_RASAPI32
* Creates value "MaxFileSize=00100000" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\77514a610ad7c3ddf22d120cc6ff75f1_RASAPI32
* Creates value "FileDirectory=%windir%\tracing" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\77514a610ad7c3ddf22d120cc6ff75f1_RASAPI32
binary data=2500770069006E0064006900720025005C00740072006100630069006E0067000000
* Creates value "FileTracingMask=FFFF0000" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\77514a610ad7c3ddf22d120cc6ff75f1_RASMANCS
* Creates value "ConsoleTracingMask=FFFF0000" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\77514a610ad7c3ddf22d120cc6ff75f1_RASMANCS
* Creates value "MaxFileSize=00100000" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\77514a610ad7c3ddf22d120cc6ff75f1_RASMANCS
* Creates value "FileDirectory=%windir%\tracing" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\77514a610ad7c3ddf22d120cc6ff75f1_RASMANCS
binary data=2500770069006E0064006900720025005C00740072006100630069006E0067000000
* Creates value "NukeOnDelete=00000001" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Explorer\BitBucket
* Creates value "UseGlobalSettings=00000001" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Explorer\BitBucket
* Creates value "DontShowUI=00000001" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\Windows Error Reporting
* Creates Registry key HKEY_LOCAL_MACHINE\software\microsoft\Windows\Windows Error Reporting\LocalDumps
* Modifies value "NukeOnDelete=00000001" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{b474db1c-161b-11e6-932e-806e6f6e6963}
old value empty
* Modifies value "SavedLegacySettings" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
old value "SavedLegacySettings"
* Creates value "Registry Key=C:\Windows\Registry Key.exe" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run
binary data=43003A005C00570069006E0064006F00770073005C005200650067006900730074007200790020004B00650079002E006500780065000000
* Creates value "WindowsU=C:\Users\cognus\AppData\Local\Temp\WindowsU.exe" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run
binary data=43003A005C00550073006500720073005C0063006F0067006E00750073005C0041007000700044006100740061005C004C006F00630061006C005C00540065006D0070005C00570069006E0064006F007700730055002E006500780065000000
* Creates value "(Default)=31" in key HKEY_CURRENT_USER\software\SandboxAutoExec
* Creates value "SandboxieRpcSs.exe=Sandboxie COM Services (RPC)" in key HKEY_CURRENT_USER\software\classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Program Files\Sandboxie
binary data=530061006E00640062006F00780069006500200043004F004D002000530065007200760069006300650073002000280052005000430029000000

Changes to filesystem:

* Creates file (hidden) C:\autorun.inf
* Creates file (hidden) C:\black.scr
* Creates file C:\Windows\Registry Key.exe
* Modifies file (hidden) C:\Users\cognus\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat

Network services:

* Queries DNS "wpad.localdomain".
* Queries DNS "dns.msftncsi.com".
* Queries DNS "directxex.com".
* Queries DNS "www.site.com".
* C:\Users\cognus\Desktop\Autorun\77514a610ad7c3ddf22d120cc6ff75f1\tmp\virii\77514a610ad7c3ddf22d120cc6ff75f1.exe Connects to "104.28.20.38" on port 80 (TCP - HTTP).
* C:\Users\cognus\Desktop\Autorun\77514a610ad7c3ddf22d120cc6ff75f1\tmp\virii\77514a610ad7c3ddf22d120cc6ff75f1.exe Connects to "204.74.99.100" on port 80 (TCP - HTTP).
* Downloads file from "directxex.com/uploads/1383263716.Emiem%20Album.exe".
* Downloads file from "www.site.com/infect.php".

Process/window/string information:

* Gets input locale identifiers.
* Gets computer name.
* Checks for debuggers.
* Creates an event named "Global\CorDBIPCSetupSyncEvent_1828".
* Creates a mutex "Global\.net clr networking".
* Enables privilege SeAuditPrivilege.
* Creates a mutex "Local\!IETld!Mutex".
* Creates a mutex "IESQMMUTEX_0_208".
* Enables privilege SeDebugPrivilege.
* Creates a mutex "Local\!PrivacIE!SharedMemory!Mutex".
* Enables process privileges.
* Contains string Traces of AutoStart registry key ("Software\Microsoft\Windows\CurrentVersion\Run")
* Contains string Detected Anti-Malware Analyzer routine: Norman Sandbox detection ("CurrentUser")
* Sleeps 150 seconds.

Additional Information:

How To Remove datav.exe

1. Download antivirus software for your PC.
2. Install the downloaded exe file on your system.
3. Run a full scan of your computer, or of the folder where datav.exe is located.
4. Once the scan is finished, you will get the message "scan is complete". Click the OK button to see the results.
5. Then delete the threat from the results table.
