Trojan.Agent
Risk Level 1

File Size: 49152 KB
File Type: Portable Executable 32
File Name: dulebas.exe
MD5: 4d6c045c4cca49f8e556a7fb96e28635
SHA1: e570da6cf5bb6a5978e89b65485d82ec3a8097ed
SHA256: 23f12c28515e7b9d8b2dd60ef660290ae32434bb50d56a8c82 (as listed; only 50 of the 64 hex digits are present, so this value cannot be used for an exact match)

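Before relying on the hashes above, a responder normally recomputes them for the file in hand. The script below is an added example, not part of this report or of any vendor tool: it computes all three digests with the Python standard library and compares them with the values listed on this page. Because the listed SHA256 is incomplete it is matched only as a prefix, and a prefix hit is reported separately from the exact MD5 and SHA1 hits so the caller can weigh it.

```python
import hashlib
from typing import Dict

# Indicators exactly as listed on this page.
PAGE_MD5 = "4d6c045c4cca49f8e556a7fb96e28635"
PAGE_SHA1 = "e570da6cf5bb6a5978e89b65485d82ec3a8097ed"
# The page's SHA256 is 50 hex digits (a full digest is 64), so it can
# only ever be matched as a prefix.
PAGE_SHA256_PREFIX = "23f12c28515e7b9d8b2dd60ef660290ae32434bb50d56a8c82"


def digests(data: bytes) -> Dict[str, str]:
    """MD5, SHA1 and SHA256 of an in-memory blob as lower-case hex."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def digests_of_file(path: str, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Same three digests, streamed so large files need not fit in memory."""
    hashers = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                break
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def match_report(d: Dict[str, str],
                 md5: str = PAGE_MD5,
                 sha1: str = PAGE_SHA1,
                 sha256_prefix: str = PAGE_SHA256_PREFIX) -> Dict[str, bool]:
    """Compare computed digests with the page's indicators.

    MD5 and SHA1 are compared exactly. SHA256 is compared by prefix only,
    because the page does not carry a complete SHA256; that result is
    returned under its own key because it is weaker evidence than a
    full-digest hit.
    """
    return {
        "md5": d["md5"] == md5.lower(),
        "sha1": d["sha1"] == sha1.lower(),
        "sha256_prefix": d["sha256"].startswith(sha256_prefix.lower()),
    }


def is_known_sample(d: Dict[str, str], **indicators: str) -> bool:
    """True when any indicator matches (MD5 or SHA1 exact, SHA256 by prefix)."""
    return any(match_report(d, **indicators).values())


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        d = digests_of_file(path)
        print(path, d, match_report(d))
```

Run it as `python hashcheck.py <file>` (any file name will do); a file whose MD5 or SHA1 matches is the sample described here, while a SHA256 prefix hit on its own should prompt a lookup of the full digest elsewhere rather than be treated as confirmation.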
General information:

* File name: C:\Users\cognus\Desktop\Waski.Upatre\1b893ca3b782679b1e5d1afecb75be7bcc145b5da21a30f6c18dbddc9c6de4e7.exe
* The sample was run under a file name that is itself a 64-digit SHA256, and that value does not match the SHA256 listed above; the MD5 and SHA1 are the identifiers to rely on.

Changes to registry:

Most of the entries below are side effects rather than the trojan's own persistence. The HKEY_CURRENT_USER\software\Adobe\Acrobat Reader\11.0\... values are written by AcroRd32.exe when it renders the dropped decoy viagra.pdf, and the SandboxAutoExec and Sandboxie MuiCache entries come from the Sandboxie container the analysis ran in (see the C:\Sandbox\cognus\DefaultBox paths further down). The report records no Run key, service or scheduled task being created.

* Empties value "bLastExitNormal" in key HKEY_CURRENT_USER\software\Adobe\Acrobat Reader\11.0\ExitSection
old value "bLastExitNormal=00000001"
* Creates value "xID=11F16394934FD4971602149789AE99A6" in key HKEY_CURRENT_USER\software\Adobe\Acrobat Reader\11.0\RememberedViews\cNoCategoryFiles\c2
* Creates value "iTime=574D5DFE" in key HKEY_CURRENT_USER\software\Adobe\Acrobat Reader\11.0\RememberedViews\cNoCategoryFiles\c2
* Creates value "bAVDocViewTabsShowing=00000001" in key HKEY_CURRENT_USER\software\Adobe\Acrobat Reader\11.0\RememberedViews\cNoCategoryFiles\c2\cViewDef
* Creates value "bAVDocWindowStateToolBarsShowing=00000001" in key HKEY_CURRENT_USER\software\Adobe\Acrobat Reader\11.0\RememberedViews\cNoCategoryFiles\c2\cViewDef
* Creates value "bShowingPageGaps=00000001" in key HKEY_CURRENT_USER\software\Adobe\Acrobat Reader\11.0\RememberedViews\cNoCategoryFiles\c2\cViewDef
* Creates value "bbringToFront=00000001" in key HKEY_CURRENT_USER\software\Adobe\Acrobat Reader\11.0\RememberedViews\cNoCategoryFiles\c2\cViewDef
* Creates value "ioverViewMode=00000001" in key HKEY_CURRENT_USER\software\Adobe\Acrobat Reader\11.0\RememberedViews\cNoCategoryFiles\c2\cViewDef
* Creates value "xpageViewBead=0000000000000000" in key HKEY_CURRENT_USER\software\Adobe\Acrobat Reader\11.0\RememberedViews\cNoCategoryFiles\c2\cViewDef
* Creates value "ipageViewLayoutMode=00000002" in key HKEY_CURRENT_USER\software\Adobe\Acrobat Reader\11.0\RememberedViews\cNoCategoryFiles\c2\cViewDef
* Creates value "ipageViewMaxVisPageNum=00000001" in key HKEY_CURRENT_USER\software\Adobe\Acrobat Reader\11.0\RememberedViews\cNoCategoryFiles\c2\cViewDef
* Creates value "ipageViewMinVisPageNum=00000001" in key HKEY_CURRENT_USER\software\Adobe\Acrobat Reader\11.0\RememberedViews\cNoCategoryFiles\c2\cViewDef
* Creates value "ipageViewPageNum=00000001" in key HKEY_CURRENT_USER\software\Adobe\Acrobat Reader\11.0\RememberedViews\cNoCategoryFiles\c2\cViewDef
* Creates value "ipageViewThreadIndex=FFFFFFFF" in key HKEY_CURRENT_USER\software\Adobe\Acrobat Reader\11.0\RememberedViews\cNoCategoryFiles\c2\cViewDef
* Creates value "ipageViewX=FFFFFFFC" in key HKEY_CURRENT_USER\software\Adobe\Acrobat Reader\11.0\RememberedViews\cNoCategoryFiles\c2\cViewDef
* Creates value "ipageViewY=00000570" in key HKEY_CURRENT_USER\software\Adobe\Acrobat Reader\11.0\RememberedViews\cNoCategoryFiles\c2\cViewDef
* Creates value "dpageViewZoom=1.685623" in key HKEY_CURRENT_USER\software\Adobe\Acrobat Reader\11.0\RememberedViews\cNoCategoryFiles\c2\cViewDef
binary data=31002E003600380035003600320033000000
* Creates value "ipageViewZoomType=00000002" in key HKEY_CURRENT_USER\software\Adobe\Acrobat Reader\11.0\RememberedViews\cNoCategoryFiles\c2\cViewDef
* Creates value "xwindowFrame=000000002A000000400600005C030000" in key HKEY_CURRENT_USER\software\Adobe\Acrobat Reader\11.0\RememberedViews\cNoCategoryFiles\c2\cViewDef
* Creates value "bwindowMaximized=00000001" in key HKEY_CURRENT_USER\software\Adobe\Acrobat Reader\11.0\RememberedViews\cNoCategoryFiles\c2\cViewDef
* Creates Registry key HKEY_CURRENT_USER\software\Adobe\Acrobat Reader\11.0\RememberedViews\cNoCategoryFiles\c2\cViewDef\cBottomView
* Creates Registry key HKEY_CURRENT_USER\software\Adobe\Acrobat Reader\11.0\RememberedViews\cNoCategoryFiles\c2\cViewDef\cLeftView
* Creates Registry key HKEY_CURRENT_USER\software\Adobe\Acrobat Reader\11.0\RememberedViews\cNoCategoryFiles\c2\cViewDef\cocgStates
* Creates value "bShowingPageGaps=00000001" in key HKEY_CURRENT_USER\software\Adobe\Acrobat Reader\11.0\RememberedViews\cNoCategoryFiles\c2\cViewDef\cTopLeftView
* Creates value "xpageViewBead=0000000000000000" in key HKEY_CURRENT_USER\software\Adobe\Acrobat Reader\11.0\RememberedViews\cNoCategoryFiles\c2\cViewDef\cTopLeftView
* Creates value "ipageViewLayoutMode=00000002" in key HKEY_CURRENT_USER\software\Adobe\Acrobat Reader\11.0\RememberedViews\cNoCategoryFiles\c2\cViewDef\cTopLeftView
* Creates value "ipageViewPageNum=00000001" in key HKEY_CURRENT_USER\software\Adobe\Acrobat Reader\11.0\RememberedViews\cNoCategoryFiles\c2\cViewDef\cTopLeftView
* Creates value "ipageViewThreadIndex=FFFFFFFF" in key HKEY_CURRENT_USER\software\Adobe\Acrobat Reader\11.0\RememberedViews\cNoCategoryFiles\c2\cViewDef\cTopLeftView
* Creates value "ipageViewX=FFFFFFFC" in key HKEY_CURRENT_USER\software\Adobe\Acrobat Reader\11.0\RememberedViews\cNoCategoryFiles\c2\cViewDef\cTopLeftView
* Creates value "ipageViewY=00000570" in key HKEY_CURRENT_USER\software\Adobe\Acrobat Reader\11.0\RememberedViews\cNoCategoryFiles\c2\cViewDef\cTopLeftView
* Creates value "dpageViewZoom=1.685623" in key HKEY_CURRENT_USER\software\Adobe\Acrobat Reader\11.0\RememberedViews\cNoCategoryFiles\c2\cViewDef\cTopLeftView
binary data=31002E003600380035003600320033000000
* Creates value "ipageViewZoomType=00000002" in key HKEY_CURRENT_USER\software\Adobe\Acrobat Reader\11.0\RememberedViews\cNoCategoryFiles\c2\cViewDef\cTopLeftView
* Creates Registry key HKEY_CURRENT_USER\software\Adobe\Acrobat Reader\11.0\RememberedViews\cNoCategoryFiles\c2\cViewDef\cTopLeftView\cocgStates
* Modifies value "iRemindCount=FFFFFFFE" in key HKEY_CURRENT_USER\software\Adobe\Acrobat Reader\11.0\UsageMeasurement
old value "iRemindCount=FFFFFFFD"
* Modifies value "NukeOnDelete=00000001" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{c9d04f3b-1c7e-11e6-979c-806e6f6e6963}
old value empty
* Modifies value "SavedLegacySettings" (new value not recorded here) in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
old value "SavedLegacySettings=460000001C00000009000000000000000000000000000000040000000000000080312BAE91D3D101000000000000000000000000020000001700000000000000FE800000000000001466833CA0278AEB0B0000001000000000000000000000000000000000200000002000000010000001000000EA0300000906020008000000000000000000000000000000000000000000000000000000000000000000000000000000FFFFFFFFA01A0FE78BABCF118CA300805F48A19202000000C0A8BD8400000000000000002073740000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000003000003AEDF0000780E720098466B000000000000000000"
* Creates value "(Default)=31" in key HKEY_CURRENT_USER\software\SandboxAutoExec
* Creates value "SandboxieRpcSs.exe=Sandboxie COM Services (RPC)" in key HKEY_CURRENT_USER\software\classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Program Files\Sandboxie
binary data=530061006E00640062006F00780069006500200043004F004D002000530065007200760069006300650073002000280052005000430029000000

Changes to filesystem:

The last entry below records the original sample as empty after it ran, so the file an incident responder finds on the desktop may be zero bytes; the dropped utilview.exe and REGmZe27.exe in the user's AppData\Local\Temp are the copies to collect. The viagra.pdf and questd[1].pdf files are what Adobe Reader is shown while the rest runs.

* Modifies file C:\Users\cognus\AppData\Local\Adobe\Acrobat\11.0\UserCache.bin
* Modifies file (hidden) C:\Users\cognus\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
* Creates file C:\Users\cognus\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YDQ8VZVV\questd[1].pdf
* Creates file C:\Users\cognus\AppData\Local\Temp\REGmZe27.exe
* Creates file C:\Users\cognus\AppData\Local\Temp\utilview.exe
* Creates file C:\Users\cognus\AppData\Local\Temp\uttE047.tmp
* Creates file C:\Users\cognus\AppData\Local\Temp\viagra.pdf
* Modifies file C:\Users\cognus\AppData\LocalLow\Adobe\Acrobat\11.0\ReaderMessages
* Modifies file (empty) C:\Users\cognus\Desktop\Waski.Upatre\1b893ca3b782679b1e5d1afecb75be7bcc145b5da21a30f6c18dbddc9c6de4e7.exe

Network services:

Of the hosts below, checkip.dyndns.org is an external-IP lookup service and acroipm.adobe.com is contacted by AcroRd32.exe itself; neither is an indicator on its own. The three .pdf downloads from the other domains and the two direct HTTP connections made by the dropped utilview.exe are the traffic to alert on.

* Looks for an Internet connection.
* Queries DNS "checkip.dyndns.org".
* Queries DNS "penangstreetfood.net".
* Queries DNS "acroipm.adobe.com".
* Looks up the external IP address.
* C:\Sandbox\cognus\DefaultBox\user\current\AppData\Local\Temp\utilview.exe Connects to "91.198.22.70" on port 80 (TCP - HTTP).
* C:\Sandbox\cognus\DefaultBox\user\current\AppData\Local\Temp\utilview.exe Connects to "103.27.72.106" on port 80 (TCP - HTTP).
* C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe Connects to "23.211.135.10" on port 80 (TCP - HTTP).
* Downloads file from "checkip.dyndns.org/".
* Downloads file from "hosthuntsville.com/wp-includes/css/book_6.pdf".
* Downloads file from "hspherceg-bosne.org/cli/book_6.pdf".
* Downloads file from "penangstreetfood.net/wp-content/uploads/questd.pdf".
* Downloads file from "acroipm.adobe.com/assets/212.zip".
* Downloads file from "acroipm.adobe.com/assets/215.zip".
* Downloads file from "acroipm.adobe.com/assets/214.zip".
* Downloads file from "acroipm.adobe.com/assets/211.zip".
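
The sweep below is an added example, not part of this report: it scores DNS and proxy log lines against the indicators listed above, treating the second-stage downloads and the direct connections by utilview.exe as alert-worthy, a bare query for one of those domains as something to investigate, and the IP-lookup and Adobe hosts as context only. The log layout ("<timestamp> <client> <DNS|HTTP> <name or host/path>") and the sample lines are constructed for illustration; adapt LINE_RE to the real log format.

```python
import re
from typing import Dict, Iterable

# Indicators from the "Network services" list above, grouped by meaning.
# payload: second-stage downloads, and the hosts utilview.exe connects to directly.
PAYLOAD_URLS = {
    "hosthuntsville.com/wp-includes/css/book_6.pdf",
    "hspherceg-bosne.org/cli/book_6.pdf",
    "penangstreetfood.net/wp-content/uploads/questd.pdf",
}
PAYLOAD_HOSTS = {"hosthuntsville.com", "hspherceg-bosne.org", "penangstreetfood.net"}
PAYLOAD_IPS = {"91.198.22.70", "103.27.72.106"}
# context: present in this run but common in clean traffic (IP lookup, Reader's own host).
CONTEXT_HOSTS = {"checkip.dyndns.org", "acroipm.adobe.com"}

# Constructed log lines (not from the report) in an assumed
# "<timestamp> <client> <DNS|HTTP> <name-or-host/path>" layout.
SAMPLE_LOG = """\
2016-06-01T10:00:01Z 192.168.1.20 DNS checkip.dyndns.org
2016-06-01T10:00:02Z 192.168.1.20 HTTP checkip.dyndns.org/
2016-06-01T10:00:03Z 192.168.1.20 DNS penangstreetfood.net
2016-06-01T10:00:04Z 192.168.1.20 HTTP penangstreetfood.net/wp-content/uploads/questd.pdf
2016-06-01T10:00:05Z 192.168.1.20 HTTP 91.198.22.70/
2016-06-01T10:00:06Z 192.168.1.20 HTTP acroipm.adobe.com/assets/212.zip
2016-06-01T10:00:07Z 192.168.1.21 HTTP acroipm.adobe.com/assets/215.zip
2016-06-01T10:00:08Z 192.168.1.22 HTTP www.example.com/index.html
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<kind>DNS|HTTP)\s+(?P<value>\S+)$")


def classify(kind: str, value: str) -> str:
    """Map one DNS name or HTTP host/path to payload, payload-host, context or none."""
    host, _, path = value.partition("/")
    host = host.lower()
    if kind == "HTTP" and (host in PAYLOAD_IPS or f"{host}/{path}" in PAYLOAD_URLS):
        return "payload"
    if host in PAYLOAD_HOSTS:
        return "payload-host"  # same domain, other path or a DNS lookup: look, but not a confirmed download
    if host in CONTEXT_HOSTS:
        return "context"
    return "none"


def sweep(lines: Iterable[str]) -> Dict[str, dict]:
    """Group hits per client and derive a verdict: alert, investigate or context-only."""
    per_src: Dict[str, dict] = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        label = classify(m["kind"], m["value"])
        if label == "none":
            continue
        entry = per_src.setdefault(
            m["src"], {"payload": 0, "payload-host": 0, "context": 0, "hits": []})
        entry[label] += 1
        entry["hits"].append((m["ts"], m["kind"], m["value"], label))
    for entry in per_src.values():
        if entry["payload"]:
            entry["verdict"] = "alert"
        elif entry["payload-host"]:
            entry["verdict"] = "investigate"
        else:
            entry["verdict"] = "context-only"
    return per_src


if __name__ == "__main__":
    for src, entry in sweep(SAMPLE_LOG.splitlines()).items():
        print(src, entry["verdict"], entry["hits"])
```

On the constructed lines, 192.168.1.20 is the only client raised to "alert"; 192.168.1.21 touched only the Adobe host and stays "context-only", which is the point of scoring the two groups separately rather than matching every domain on the page the same way.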

Process/window/string information:

* Keylogger functionality.
* Gets user name information.
* Gets input locale identifiers.
* Gets volume information.
* Gets computer name.
* Checks for debuggers.
* Creates process "null, C:\Users\cognus\AppData\Local\Temp\utilview.exe, C:\Users\cognus\AppData\Local\Temp\".
* Injects code into process "C:\Sandbox\cognus\DefaultBox\user\current\AppData\Local\Temp\utilview.exe".
* Opens a service named "rasman".
* Opens a service named "Sens".
* Creates a mutex "IESQMMUTEX_0_208".
* Creates a mutex "Local\!IETld!Mutex".
* Creates process "C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe, "C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe" "C:\Users\cognus\AppData\Local\Temp\viagra.pdf", C:\Users\cognus\AppData\Local\Temp".
* Injects code into process "C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe".
* Enables privilege SeDebugPrivilege.
* Enumerates running processes.
* Creates process "C:\Users\cognus\AppData\Local\Temp\REGmZe27.exe, null, null".
* Injects code into process "C:\Sandbox\cognus\DefaultBox\user\current\AppData\Local\Temp\REGmZe27.exe".
* Creates a mutex "Local\Acrobat Instance Mutex".
* Enables process privileges.
* Sleeps 125 seconds.
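
The process list above shows the behaviour a host-based rule can key on: two executables are started from the user's AppData\Local\Temp, and Adobe Reader is launched on a PDF in that same Temp directory by something other than the user's shell. The added example below (not part of the report) applies those checks to constructed process-creation events whose image paths and command lines are the ones recorded above; the parent/child pairing, the list of parents that normally start Reader, and the benign control event are assumptions for illustration.

```python
import re
from typing import Dict, List

# Paths and command lines are the ones recorded in the process list above;
# the parent/child pairing is assumed, as is the final benign control event.
SAMPLE = r"C:\Users\cognus\Desktop\Waski.Upatre\1b893ca3b782679b1e5d1afecb75be7bcc145b5da21a30f6c18dbddc9c6de4e7.exe"
READER = r"C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe"
TEMP = r"C:\Users\cognus\AppData\Local\Temp"

EVENTS: List[Dict[str, str]] = [
    {"image": SAMPLE, "parent": r"C:\Windows\explorer.exe", "cmdline": f'"{SAMPLE}"'},
    {"image": TEMP + r"\utilview.exe", "parent": SAMPLE, "cmdline": TEMP + r"\utilview.exe"},
    {"image": READER, "parent": SAMPLE, "cmdline": rf'"{READER}" "{TEMP}\viagra.pdf"'},
    {"image": TEMP + r"\REGmZe27.exe", "parent": SAMPLE, "cmdline": ""},
    # Constructed benign control: Reader opened by Explorer on a document outside Temp.
    {"image": READER, "parent": r"C:\Windows\explorer.exe",
     "cmdline": rf'"{READER}" "C:\Users\cognus\Documents\report.pdf"'},
]

# Per-user Temp directory as used by the dropper; case-insensitive, any drive/user.
TEMP_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.IGNORECASE)
# First quoted argument ending in .pdf on the Reader command line.
PDF_ARG_RE = re.compile(r'"([^"]+\.pdf)"', re.IGNORECASE)
# Parents that normally start Reader for a user (assumed list for illustration).
EXPECTED_READER_PARENTS = {"explorer.exe", "outlook.exe", "chrome.exe", "firefox.exe", "iexplore.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(ev: Dict[str, str]) -> List[str]:
    """Return the names of the checks one event trips (empty list = nothing notable)."""
    hits: List[str] = []
    image, parent, cmd = ev["image"], ev["parent"], ev.get("cmdline", "")
    # 1. An .exe executing out of the user's Temp directory (utilview.exe, REGmZe27.exe).
    if TEMP_RE.match(image) and image.lower().endswith(".exe"):
        hits.append("exe-from-temp")
    # 2. Anything spawned by such a Temp executable.
    if TEMP_RE.match(parent):
        hits.append("child-of-temp-exe")
    # 3. Reader shown a PDF from Temp by a parent that is not the user's shell or mail/browser client.
    if basename(image) == "acrord32.exe":
        m = PDF_ARG_RE.search(cmd)
        if m and TEMP_RE.match(m.group(1)) and basename(parent) not in EXPECTED_READER_PARENTS:
            hits.append("reader-decoy-from-temp")
    return hits


def triage(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    return [{"image": ev["image"], "parent": ev["parent"], "hits": evaluate(ev)} for ev in events]


def suspicious(events: List[Dict[str, str]]) -> List[str]:
    """Images of all events that tripped at least one check, in event order."""
    return [r["image"] for r in triage(events) if r["hits"]]


if __name__ == "__main__":
    for r in triage(EVENTS):
        print(r["hits"] or "-", basename(r["parent"]), "->", r["image"])
```

Feeding real Sysmon event 1 (or Security 4688) records into evaluate needs only the three fields used here. Note that TEMP_RE matches the normal per-user path, not the C:\Sandbox\... redirection shown in the report; on a machine outside the sandbox the dropped files land under the real AppData\Local\Temp.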

Additional Information:

How To Remove dulebas.exe

1. Download a free antivirus product.
2. Install it on your system.
3. Run a full scan of your computer, or of the folder where dulebas.exe is located.
4. When the scan finishes you will see the message "scan is complete"; click OK to see the results.
5. Delete the threat from the results table.

This sample empties its own file after running and drops its working copies as utilview.exe and REGmZe27.exe in the user's AppData\Local\Temp, so a scan limited to the folder where dulebas.exe was found can miss the components that are actually running.
