Trojan.Agent
Risk Level 1
File Size: 501760 KB
File Type: Portable Executable 32
File Name: icedragon.exe
MD5: aed10a838a87782e1e612ecd7a2a7451
SHA1: 7708319821f6703b750cef1bcb278a68dc00e1bd
SHA256: da72379bb0e1e2df71515279f06ca12aafa7b8c51aca1af115

General information:

* File name: C:\Users\cognus\Desktop\Analyzed Viruses\2 June 2016\Trojan.Injector\Sample\aed10a838a87782e1e612ecd7a2a7451.exe

Changes to registry :

* Creates value "NukeOnDelete=00000001" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Explorer\BitBucket
* Creates value "UseGlobalSettings=00000001" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Explorer\BitBucket
* Creates value "DontShowUI=00000001" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\Windows Error Reporting
* Creates Registry key HKEY_LOCAL_MACHINE\software\microsoft\Windows\Windows Error Reporting\LocalDumps
* Modifies value "NukeOnDelete=00000001" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{c9d04f3b-1c7e-11e6-979c-806e6f6e6963} (old value: empty)
* Creates value "(Default)=31" in key HKEY_CURRENT_USER\software\SandboxAutoExec
* Creates value "SandboxieRpcSs.exe=Sandboxie COM Services (RPC)" in key HKEY_CURRENT_USER\software\classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Program Files\Sandboxie
  binary data=530061006E00640062006F00780069006500200043004F004D002000530065007200760069006300650073002000280052005000430029000000
* Creates value "schtasks.exe=Manages scheduled tasks" in key HKEY_CURRENT_USER\software\classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Windows\System32
  binary data=4D0061006E00610067006500730020007300630068006500640075006C006500640020007400610073006B0073000000

Changes to filesystem:

* Creates file C:\ProgramData\Folder\FileName.exe
* Creates file C:\Users\cognus\AppData\Roaming\B0B6C23C-49A9-4738-950A-C52B4E968E49\run.dat
* Creates file C:\Users\cognus\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FileName.url

Network services:

* Queries DNS "dns.msftncsi.com".
* Queries DNS "www.google.com".
* Queries DNS "wpad.localdomain".
* Queries DNS "www.google.co.in".
* Queries DNS "clients4.google.com".
* Queries DNS "translate.googleapis.com".
* Queries DNS "oibphfp.localdomain".
* Queries DNS "abmxysbb.localdomain".
* Queries DNS "lbrqjqfrighhjaa.localdomain".
* Queries DNS "ssl.gstatic.com".
* Downloads file from "yahoo.com/setting.doc".
* Downloads file from "www.yahoo.com/setting.doc".

Process/window/string information:

* Gets volume information.
* Gets computer name.
* Checks for debuggers.
* Creates an event named "Global\CorDBIPCSetupSyncEvent_3972".
* Enables privilege SeDebugPrivilege.
* Creates an event named "Global\CorDBIPCSetupSyncEvent_2352".
* Creates a mutex "Global\{0c945b65-0475-4bf6-bb7a-7a49ebd90c86}".
* Creates process "null, "schtasks.exe" /create /f /tn "LAN Host" /xml "C:\Users\cognus\AppData\Local\Temp\tmp32F2.tmp", C:\Users\cognus\Desktop\Analyzed Viruses\2 June 2016\Trojan.Injector\Sample".
* Injects code into process "C:\Windows\System32\schtasks.exe".
* Creates a mutex "Global\.net clr networking".
* Enumerates running processes.
* Enables process privileges.
* Sleeps 1421 seconds.

Additional Information:

How To Remove icedragon.exe

1. Download Sniper Antivirus.
2. Install the exe file on your system.
3. Run a full scan of your computer, or of the folder where icedragon.exe is located.
4. Once the scan is finished, you’ll get the message “scan is complete”. Click the OK button to see the results.
5. Then delete the threat from the table.
