Worm.Generic
Risk Level 1
 
File Size : 14336 KB
File Type : Portable Executable 32
File Name : FAX_93-238738192_19.exe
MD5 : ca2628b955cac2c8b6bd9f8c4c504fa4
SHA1 : d5d8dbfd78f888570a61a07a936b1bac3e4735ef
SHA256 : f4a592dbc0f65730ec6dbdbb2b1398cfe5a191584dcdc1ee7a (truncated; only the first 50 hex digits are present)

General information:

* File name: C:\Users\cognus\Desktop\cutwail_Samples\f4a592dbc0f65730ec6dbdbb2b1398cfe5a191584dcdc1ee7a960e9b881f32de.exe

Changes to registry :

* Modifies value "SavedLegacySettings" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
old value "SavedLegacySettings" (value data not preserved in the report)
* Creates value "(Default)=31" in key HKEY_CURRENT_USER\software\SandboxAutoExec
* Creates value "p2pcollab.dll,-8042=Peer to Peer Trust" in key HKEY_CURRENT_USER\software\classes\Local Settings\MuiCache\a\52C64B7E\@%SystemRoot%\system32
binary data=5000650065007200200074006F00200050006500650072002000540072007500730074000000
* Creates value "qagentrt.dll,-10=System Health Authentication" in key HKEY_CURRENT_USER\software\classes\Local Settings\MuiCache\a\52C64B7E\@%SystemRoot%\system32
binary data=530079007300740065006D0020004800650061006C00740068002000410075007400680065006E007400690063006100740069006F006E000000
* Creates value "dnsapi.dll,-103=Domain Name System (DNS) Server Trust" in key HKEY_CURRENT_USER\software\classes\Local Settings\MuiCache\a\52C64B7E\@%SystemRoot%\system32
binary data=44006F006D00610069006E0020004E0061006D0065002000530079007300740065006D002000280044004E005300290020005300650072007600650072002000540072007500730074000000
* Creates value "fveui.dll,-843=BitLocker Drive Encryption" in key HKEY_CURRENT_USER\software\classes\Local Settings\MuiCache\a\52C64B7E\@%SystemRoot%\System32
binary data=4200690074004C006F0063006B0065007200200044007200690076006500200045006E006300720079007000740069006F006E000000
* Creates value "fveui.dll,-844=BitLocker Data Recovery Agent" in key HKEY_CURRENT_USER\software\classes\Local Settings\MuiCache\a\52C64B7E\@%SystemRoot%\System32
binary data=4200690074004C006F0063006B00650072002000440061007400610020005200650063006F00760065007200790020004100670065006E0074000000
* Creates value "SandboxieRpcSs.exe=Sandboxie COM Services (RPC)" in key HKEY_CURRENT_USER\software\classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Program Files\Sandboxie
binary data=530061006E00640062006F00780069006500200043004F004D002000530065007200760069006300650073002000280052005000430029000000

Changes to filesystem:

* Modifies file C:\Windows\system32\CatRoot2\edb.chk
* Creates file (empty) C:\Users\cognus\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0Q6IVPI2\pdf[1].txt
* Creates file (empty) C:\Users\cognus\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0Q6IVPI2\pdf[2].txt
* Creates file C:\Users\cognus\AppData\Local\Temp\operaupdater.exe
* Modifies file (empty) C:\Users\cognus\Desktop\cutwail_Samples\f4a592dbc0f65730ec6dbdbb2b1398cfe5a191584dcdc1ee7a960e9b881f32de.exe

Network services:

* Queries DNS "babystitch.com.au".
* Queries DNS "guincorp.com".
* Queries DNS "incoming.telemetry.mozilla.org".
* Queries DNS "pipeline-tee-p-elb-1rmutea6wo4sp-880153968.us-west-2.elb.amazonaws.com".
* Queries DNS "teredo.ipv6.microsoft.com".
* C:\Sandbox\cognus\DefaultBox\user\current\AppData\Local\Temp\operaupdater.exe Connects to "182.160.154.51" on port 443 (TCP - HTTPS).
* C:\Sandbox\cognus\DefaultBox\user\current\AppData\Local\Temp\operaupdater.exe Connects to "202.181.185.163" on port 443 (TCP - HTTPS).

Process/window/string information:

* Checks for debuggers.
* Creates process "C:\Users\cognus\AppData\Local\Temp\operaupdater.exe" (command line "C:\Users\cognus\AppData\Local\Temp\operaupdater.exe", working directory C:\Users\cognus\AppData\Local\Temp\).
* Injects code into process "C:\Sandbox\cognus\DefaultBox\user\current\AppData\Local\Temp\operaupdater.exe".
* Enables privilege SeAuditPrivilege.
* Injects code into process "C:\Program Files\Sandboxie\SandboxieCrypto.exe".
* Enables process privileges.

Additional Information:

How To Remove FAX_93-238738192_19.exe

1. Download an antivirus product for your PC.
2. Run the installer on your system.
3. Run a full scan of your computer, or scan the folder where FAX_93-238738192_19.exe is located.
4. When the scan finishes you will see the message "scan is complete"; click OK to view the results.
5. Delete the threat from the results table.

The sandbox run above shows the sample dropping and launching %LOCALAPPDATA%\Temp\operaupdater.exe (C:\Users\<user>\AppData\Local\Temp\operaupdater.exe), and it is that dropped file, not the original FAX_93-238738192_19.exe, that makes the outbound HTTPS connections. Confirm that operaupdater.exe is removed as well, and block or monitor the two port 443 destinations (182.160.154.51 and 202.181.185.163) and the queried domains babystitch.com.au and guincorp.com; the remaining DNS entries (Mozilla telemetry and Teredo) appear to be background traffic from the analysis VM rather than sample behaviour.
