Trojan.Agent
Risk Level 1
File Size: 17920 KB
File Type: Portable Executable 32
File Name: E-Statement.exe
MD5: 20e7520948ee772e192127374569b219
SHA1: 83bf32dea784f8157e8cb9435a522c3aea359cb4
SHA256: fa7944d8344463b4109c4b562f3307382a5549365a90b9bb39bc4d9e12eb53ba

General information:

* File name: C:\Users\cognus\Desktop\cutwail_Samples\fa7944d8344463b4109c4b562f3307382a5549365a90b9bb39bc4d9e12eb53ba.exe

Changes to registry:

Note: the C:\Sandbox\cognus\DefaultBox paths show the sample was run inside a Sandboxie container. The SandboxAutoExec key and the MuiCache entry for SandboxieRpcSs.exe appear to belong to that environment rather than to the sample. MuiCache entries are written by the shell when a program is launched, so the google_updater.exe entry records the dropper running its payload; none of the entries below is a persistence mechanism.

* Modifies value "SavedLegacySettings" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections (old and new binary data omitted)
* Creates value "(Default)=31" in key HKEY_CURRENT_USER\software\SandboxAutoExec
* Creates value "SandboxieRpcSs.exe=Sandboxie COM Services (RPC)" in key HKEY_CURRENT_USER\software\classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Program Files\Sandboxie
binary data=530061006E00640062006F00780069006500200043004F004D002000530065007200760069006300650073002000280052005000430029000000
* Creates value "fa7944d8344463b4109c4b562f3307382a5549365a90b9bb39bc4d9e12eb53ba.exe=fa7944d8344463b4109c4b562f3307382a5549365a90b9bb39bc4d9e12eb53ba.exe" in key HKEY_CURRENT_USER\software\classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Users\cognus\Desktop\cutwail_Samples
binary data=66006100370039003400340064003800330034003400340036003300620034003100300039006300340062003500360032006600330033003000370033003800320061003500350034003900330036003500610039003000620039006200620033003900620063003400640039006500310032006500620035003300620061002E006500780065000000
* Creates value "google_updater.exe=google_updater.exe" in key HKEY_CURRENT_USER\software\classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Sandbox\cognus\DefaultBox\user\current\AppData\Local\Temp
binary data=67006F006F0067006C0065005F0075007000640061007400650072002E006500780065000000
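
The "binary data" strings above are the registry values as the analysis tool dumped them: UTF-16LE text with a terminating NUL, printed as hex. The following is an added example (not code from the original report or from any vendor tool) that decodes the two shorter blobs and rebuilds the hex from the plain string, so an analyst can confirm the blobs really are just the value names and nothing hidden. The hex strings are copied from the entries above; the function names are this example's own.

```python
"""Decode the MuiCache 'binary data' blobs from the report (added example)."""

# Hex blobs copied verbatim from the two shorter MuiCache entries above.
MUICACHE_BLOBS = {
    "SandboxieRpcSs.exe": "530061006E00640062006F00780069006500200043004F004D002000530065007200760069006300650073002000280052005000430029000000",
    "google_updater.exe": "67006F006F0067006C0065005F0075007000640061007400650072002E006500780065000000",
}


def decode_mui_blob(hex_blob: str) -> str:
    """Return the text stored in a REG_SZ-style blob: UTF-16LE, NUL-terminated."""
    raw = bytes.fromhex(hex_blob)
    text = raw.decode("utf-16-le")
    # Strip the terminating NUL(s) the registry stores after the string.
    return text.rstrip("\x00")


def encode_mui_blob(text: str) -> str:
    """Inverse of decode_mui_blob: the hex the report would print for a given string."""
    return (text + "\x00").encode("utf-16-le").hex().upper()


def decode_all(blobs=MUICACHE_BLOBS) -> dict:
    """Decode every blob in the table; keys are the value names from the report."""
    return {name: decode_mui_blob(blob) for name, blob in blobs.items()}


if __name__ == "__main__":
    for name, value in decode_all().items():
        print(f"{name}: {value!r}")
```

The round trip through encode_mui_blob is the useful check: if a blob does not re-encode to exactly what the report shows, the value holds more than its printable name (extra bytes after the NUL are the usual sign of something worth a closer look).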

Changes to filesystem:

Note: the empty 11UKp[1].htm and 11UKp[2].htm entries under Temporary Internet Files\Content.IE5 indicate the 11UKp.dat downloads listed under Network services were made through WinINet, which caches them under the IE cache directory.

* Creates file (empty) C:\Users\cognus\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0Q6IVPI2\11UKp[1].htm
* Creates file (empty) C:\Users\cognus\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0Q6IVPI2\11UKp[2].htm
* Creates file C:\Users\cognus\AppData\Local\Temp\google_updater.exe
* Modifies file (empty) C:\Users\cognus\Desktop\cutwail_Samples\fa7944d8344463b4109c4b562f3307382a5549365a90b9bb39bc4d9e12eb53ba.exe

Network services:

Note: most of the DNS lookups below (Google, gstatic, doubleclick, Akamai, teredo and similar) are likely background traffic from the sandbox host or connectivity checks and should not be treated as indicators on their own. The indicators attributable to the sample are the two domains serving 11UKp.dat, the two download URLs, and the two IP addresses that the dropped google_updater.exe connected to on port 80.

* Queries DNS "ultimateconditioningleeds.co.uk".
* Queries DNS "eganchurchsupply.com".
* Queries DNS "www.google.com".
* Queries DNS "www.google.co.in".
* Queries DNS "ssl.gstatic.com".
* Queries DNS "www.gstatic.com".
* Queries DNS "apis.google.com".
* Queries DNS "plus.l.google.com".
* Queries DNS "id.google.co.in".
* Queries DNS "www.googleadservices.com".
* Queries DNS "pagead.l.doubleclick.net".
* Queries DNS "id.l.google.com".
* Queries DNS "www.mrftyres.com".
* Queries DNS "www.cyberoam.com".
* Queries DNS "e6203.b.akamaiedge.net".
* Queries DNS "encrypted-tbn2.gstatic.com".
* Queries DNS "encrypted-tbn0.gstatic.com".
* Queries DNS "safebrowsing.google.com".
* Queries DNS "encrypted-tbn1.gstatic.com".
* Queries DNS "encrypted-tbn3.gstatic.com".
* Queries DNS "sb.l.google.com".
* Queries DNS "teredo.ipv6.microsoft.com".
* C:\Sandbox\cognus\DefaultBox\user\current\AppData\Local\Temp\google_updater.exe Connects to "87.117.220.217" on port 80 (TCP - HTTP).
* C:\Sandbox\cognus\DefaultBox\user\current\AppData\Local\Temp\google_updater.exe Connects to "162.144.254.155" on port 80 (TCP - HTTP).
* Downloads file from "ultimateconditioningleeds.co.uk/script/11UKp.dat".
* Downloads file from "eganchurchsupply.com/images/new/11UKp.dat".
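
The indicators in this report (file hashes, the dropped payload path, the two download URLs and the two IP addresses) are what a responder would search logs for. The block below is an added example, not part of the original report and not a vendor tool: it copies those indicators from the report and runs a small matcher over constructed log lines. The log format, the log lines, the user name "alice" and the pairing of 162.144.254.155 with eganchurchsupply.com are all assumptions made for the example; the report itself does not say which IP served which host.

```python
"""Turn this report's indicators into a simple hunt over log lines (added example)."""
import hashlib
import re
from typing import Iterable, List, Optional, Tuple

# Indicators copied from the report. Only the two domains that served
# 11UKp.dat and the two IPs google_updater.exe connected to are treated as
# attributable to the sample; the Google/gstatic/doubleclick/teredo lookups
# in the DNS list are likely background traffic and are deliberately left out.
IOC_HASHES = {
    "md5": "20e7520948ee772e192127374569b219",
    "sha1": "83bf32dea784f8157e8cb9435a522c3aea359cb4",
    "sha256": "fa7944d8344463b4109c4b562f3307382a5549365a90b9bb39bc4d9e12eb53ba",
}
IOC_HOSTS = {"ultimateconditioningleeds.co.uk", "eganchurchsupply.com"}
IOC_URL_PATHS = {"/script/11UKp.dat", "/images/new/11UKp.dat"}
IOC_IPS = {"87.117.220.217", "162.144.254.155"}
# The dropper writes its payload under the user's Temp directory; match any user.
IOC_DROPPED_FILE = re.compile(r"\\AppData\\Local\\Temp\\google_updater\.exe$", re.IGNORECASE)


def hash_matches(data: bytes) -> dict:
    """Digest a file's bytes with each listed algorithm; return those that match the report."""
    hits = {}
    for algo, expected in IOC_HASHES.items():
        digest = hashlib.new(algo, data).hexdigest()
        if digest == expected:
            hits[algo] = digest
    return hits


# Assumed (constructed) log shape: "<timestamp> <source_ip> <kind> <value>"
# kind is dns (value = queried name), http (value = "dst_ip host path")
# or file (value = full path of a created file).
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<kind>dns|http|file) (?P<value>.+)$")


def classify(line: str) -> Optional[str]:
    """Return a label naming the indicator a log line hits, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    kind, value = m.group("kind"), m.group("value")
    if kind == "dns":
        return f"dns:{value}" if value.lower() in IOC_HOSTS else None
    if kind == "http":
        parts = value.split(" ", 2)
        if len(parts) != 3:
            return None
        dst_ip, host, path = parts
        # The full download URL is the more specific match, so test it first.
        if host.lower() in IOC_HOSTS and path in IOC_URL_PATHS:
            return f"payload-url:{host}{path}"
        if dst_ip in IOC_IPS:
            return f"c2-ip:{dst_ip}"
        return None
    if kind == "file" and IOC_DROPPED_FILE.search(value):
        return f"dropped-file:{value}"
    return None


def scan(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (line, label) for every line that hits an indicator."""
    hits = []
    for line in lines:
        label = classify(line)
        if label is not None:
            hits.append((line, label))
    return hits


# Constructed sample log: the first three lines mimic the report's infection
# chain (lookup, payload download, dropped file); the last two are ordinary
# traffic that must not match.
SAMPLE_LOG = [
    "2014-06-02T10:01:03Z 10.0.0.15 dns eganchurchsupply.com",
    "2014-06-02T10:01:04Z 10.0.0.15 http 162.144.254.155 eganchurchsupply.com /images/new/11UKp.dat",
    "2014-06-02T10:01:05Z 10.0.0.15 file C:\\Users\\alice\\AppData\\Local\\Temp\\google_updater.exe",
    "2014-06-02T10:01:06Z 10.0.0.15 dns www.google.com",
    "2014-06-02T10:01:07Z 10.0.0.15 http 93.184.216.34 example.com /index.html",
]

if __name__ == "__main__":
    for line, label in scan(SAMPLE_LOG):
        print(f"{label:<60} {line}")
```

Adapt LOG_RE to whatever your proxy, DNS or EDR export actually looks like; the rest of the matcher is independent of the log format. hash_matches is the check to run on any google_updater.exe or E-Statement.exe you recover: its hashes will usually differ from this sample's (droppers are rebuilt often), so a miss does not clear the file, but a hit is conclusive.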

Process/window/string information:

* Gets user name information.
* Checks for debuggers.
* Creates process: image "C:\Users\cognus\AppData\Local\Temp\google_updater.exe", command line "C:\Users\cognus\AppData\Local\Temp\google_updater.exe", working directory "C:\Users\cognus\AppData\Local\Temp\".
* Injects code into process "C:\Sandbox\cognus\DefaultBox\user\current\AppData\Local\Temp\google_updater.exe".
* Enables privilege SeAuditPrivilege.
* Opens a service named "rasman".
* Opens a service named "Sens".
* Enables process privileges.

Additional Information:

How To Remove E-Statement.exe

1. Download antivirus software from a trusted vendor.
2. Install it on your system.
3. Run a full scan of your computer, or of the folder where E-Statement.exe is located.
4. When the scan finishes you will get the message "scan is complete"; click OK to see the results.
5. Delete the threat from the results table.

Also check for the artifacts listed above: the dropped payload C:\Users\<user>\AppData\Local\Temp\google_updater.exe and any running google_updater.exe process, since the sample starts that file and injects code into it. Removing E-Statement.exe alone does not remove the payload.
