Trojan.Agent
Risk Level 1
 
File Size : 5460474 KB
File Type : Portable Executable file
File Name : emule.exe
MD5 : d48b29ede1d47571ca910ad193d75a81
SHA1 : a576a550c93d42cfb0ae469b6c7afe732892c8b4
SHA256 : 468de4c55036d0a6b696e239384b145520e2210805fcc685a8

General information:

* File name: C:\Users\vmware\Desktop\malware\D48B29EDE1D47571CA910AD193D75A81.exe

Changes to registry:

* Creates value "UseGlobalSettings=00000001" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Explorer\BitBucket
* Creates value "DontShowUI=00000001" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\Windows Error Reporting
* Modifies value "ExceptionRecord" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\Windows Error Reporting\Debug
* Creates value "StoreLocation=C:\Users\vmware\AppData\Local\Microsoft\Windows\WER\ReportQueue\AppCrash_D48B29EDE1D47571_ddc65a83c481f80626bed6673ec2f93b5715b_cab_085785f6" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\Windows Error Reporting\Debug
* Creates Registry key HKEY_LOCAL_MACHINE\software\microsoft\Windows\Windows Error Reporting\LocalDumps
* Modifies value "SavedLegacySettings" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
* Creates value "StoreLocation=C:\Users\vmware\AppData\Local\Microsoft\Windows\WER\ReportQueue\AppCrash_D48B29EDE1D47571_ddc65a83c481f80626bed6673ec2f93b5715b_cab_085785f6" in key HKEY_CURRENT_USER\software\Microsoft\Windows\Windows Error Reporting\Debug
* Creates value "(Default)=31" in key HKEY_CURRENT_USER\software\SandboxAutoExec
* Creates value "SandboxieRpcSs.exe=Sandboxie COM Services (RPC)" in key HKEY_CURRENT_USER\software\classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Program Files\Sandboxie

Changes to filesystem:

* Creates file C:\Users\vmware\AppData\Local\CrashDumps\D48B29EDE1D47571CA910AD193D75A81.exe.988.dmp
* Creates file C:\Users\vmware\AppData\Local\eMule AdunanzA\config\clients.met.bak
* Creates file (empty) C:\Users\vmware\AppData\Local\eMule AdunanzA\config\_tmp_adunanza.conf
* Creates file C:\Users\vmware\AppData\Local\Microsoft\Windows\WER\ReportQueue\AppCrash_D48B29EDE1D47571_ddc65a83c481f80626bed6673ec2f93b5715b_cab_085785f6\Report.wer
* Creates file C:\Users\vmware\AppData\Local\Microsoft\Windows\WER\ReportQueue\AppCrash_D48B29EDE1D47571_ddc65a83c481f80626bed6673ec2f93b5715b_cab_085785f6\WER6424.tmp.appcompat.txt
* Creates file C:\Users\vmware\AppData\Local\Microsoft\Windows\WER\ReportQueue\AppCrash_D48B29EDE1D47571_ddc65a83c481f80626bed6673ec2f93b5715b_cab_085785f6\WER655D.tmp.WERInternalMetadata.xml
* Creates file C:\Users\vmware\AppData\Local\Microsoft\Windows\WER\ReportQueue\AppCrash_D48B29EDE1D47571_ddc65a83c481f80626bed6673ec2f93b5715b_cab_085785f6\WER65EA.tmp.hdmp
* Creates file C:\Users\vmware\AppData\Local\Microsoft\Windows\WER\ReportQueue\AppCrash_D48B29EDE1D47571_ddc65a83c481f80626bed6673ec2f93b5715b_cab_085785f6\WER78A0.tmp.mdmp

Network services:

* Looks for an Internet connection.
* Queries DNS "www.85819.net".
* Queries DNS "update.adunanza.net".
* Downloads file from "ip-api.com/json".
* Downloads file from "khit.cn/soft/azbconfig.ini".
* Downloads file from "khit.cn/soft/kp1configuration.ini".
* Downloads file from "xmp.down.sandai.net/kankan/OnlineInstaller-SIjhaqws37.exe".
* Downloads file from "bos.nj.bpc.baidu.com/v1/baiduplayer/player/BaiduPlayer5SetupSilent_405.exe".

Process/window/string information:

* Gets user name information.
* Gets volume information.
* Checks for debuggers.
* Creates a mutex "Local\!IETld!Mutex".
* Creates a mutex "EMULE-{4EADC6FC-516F-4b7c-9066-97D893649570}:4662".
* Opens a service named "Sens".
* Opens a service named "rasman".
* Enables privilege SeAuditPrivilege.
* Creates a mutex "IESQMMUTEX_0_208".
* Creates process "C:\Windows\system32\WerFault.exe, C:\Windows\system32\WerFault.exe -u -p 988 -s 536, C:\Windows\system32".
* Injects code into process "C:\Windows\System32\WerFault.exe".
* Enumerates running processes.
* Creates a mutex "Local\WERReportingForProcess988".
* Enables privilege SeDebugPrivilege.
* Creates a mutex "Global\73c2bcd8-2258-11e6-b3fb-000c29f0d582".
* Enables privilege SeShutdownPrivilege.
* Creates process "null, C:\Program Files\svchost.exe, null".
* Enables process privileges.
* Contains string Detected Anti-Malware Analyzer routine: WinDbg detection ("dbghelp.dll")
* Contains string Traces of AutoStart registry key ("Software\Microsoft\Windows\CurrentVersion\Run")
* Sleeps 6960 seconds.

Additional Information:

How To Remove emule.exe

1. Download Sniper Antivirus.
2. Install the exe file on your system.
3. Run a full scan of your computer, or of the folder where emule.exe is located.
4. Once the scan is finished, you'll get the message "scan is complete". Click the OK button to get the results.
5. Then delete the threat from the results table.
