Trojan.Agent
Risk Level 1

File Size : 22020096 KB (as printed; 22020096 KB would be about 21 GB, which is implausible for a single dropper, whereas 22020096 bytes is exactly 21 MiB, so the unit is most likely wrong and the figure is bytes)
File Type : Portable Executable file
File Name : LegendCraft.exe
MD5 : 6d6a72d00436b92f3da93c1248b20dbf
SHA1 : 0c8a06db1dc47ce85a880a8774b6d80ef60b1c80
SHA256 : 268dcd4e0a2963cbae2bed95f8cc0782cd33c7137718c4e946 (truncated as printed: only 50 of the 64 hex digits of a SHA-256 digest are shown, so match on the MD5 or SHA-1 instead)

General information:

LegendCraft.exe is the dropper analysed here. In the sandbox it wrote two hidden, randomly named executables (FYWWEhSMGdcfOJYX.exe and aELaNKBXRPOBYFeS.exe) plus server.exe and scvhostt.exe into %AppData%\Roaming, registered the first two under HKCU\...\RunOnce for persistence, launched server.exe and scvhostt.exe, injected code into them and into the .NET framework utility RegAsm.exe, and from the injected RegAsm.exe contacted 209.58.180.196 over HTTP and 185.56.30.170 over TCP 443, where it registered on an IRC server with a nick built from the victim's user name and computer name. The keystroke hook, the collection of user name, input locale and computer name, and the %AppData%\Roaming\Imminent\Logs\25-05-2016 log directory are consistent with the Imminent Monitor RAT; "Trojan.Agent" is a generic detection name. Everything below is the sandbox's own record of that run; paths containing C:\Sandbox\vmware\DefaultBox and the Sandboxie registry entries come from the analysis environment, not from the sample.

Changes to registry:

Reading the list: the Tracing\RegAsm_RASAPI32 and Tracing\RegAsm_RASMANCS keys are created automatically by the Windows RAS libraries the first time they are loaded into a process, so they record that RegAsm.exe was the process doing the networking and are not malware-specific. NukeOnDelete=1 under BitBucket makes deleted files bypass the Recycle Bin and DontShowUI=1 under Windows Error Reporting suppresses crash dialogs; both lower the chance that the victim notices anything. The two RunOnce values are the persistence mechanism and point at the hidden executables dropped into %AppData%\Roaming; the "Microsoft Corporation" prefix in the value names is cosmetic. The SandboxAutoExec key, the C:\Sandbox\... paths and the MuiCache rows are artifacts of Sandboxie and Explorer in the analysis environment rather than of the sample, although the MuiCache rows do record which binaries were launched. Each "binary data=" line is the preceding value's string data as UTF-16LE hex, NUL-terminated.

* Creates value "FileTracingMask=FFFF0000" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\RegAsm_RASAPI32
* Creates value "ConsoleTracingMask=FFFF0000" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\RegAsm_RASAPI32
* Creates value "MaxFileSize=00100000" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\RegAsm_RASAPI32
* Creates value "FileDirectory=%windir%\tracing" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\RegAsm_RASAPI32
binary data=2500770069006E0064006900720025005C00740072006100630069006E0067000000
* Creates value "FileTracingMask=FFFF0000" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\RegAsm_RASMANCS
* Creates value "ConsoleTracingMask=FFFF0000" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\RegAsm_RASMANCS
* Creates value "MaxFileSize=00100000" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\RegAsm_RASMANCS
* Creates value "FileDirectory=%windir%\tracing" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\RegAsm_RASMANCS
binary data=2500770069006E0064006900720025005C00740072006100630069006E0067000000
* Creates value "NukeOnDelete=00000001" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Explorer\BitBucket
* Creates value "UseGlobalSettings=00000001" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Explorer\BitBucket
* Creates value "DontShowUI=00000001" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\Windows Error Reporting
* Creates Registry key HKEY_LOCAL_MACHINE\software\microsoft\Windows\Windows Error Reporting\LocalDumps
* Creates Registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\MediaResources\msvideo
* Modifies value "NukeOnDelete=00000001" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{d830145d-1c80-11e6-b8aa-806e6f6e6963}
old value empty
* Creates value "Microsoft Corporation FYWWEhSMGdcfOJYX=C:\Users\vmware\AppData\Roaming\FYWWEhSMGdcfOJYX.exe" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\RunOnce
binary data=43003A005C00550073006500720073005C0076006D0077006100720065005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C0046005900570057004500680053004D0047006400630066004F004A00590058002E006500780065000000
* Creates value "Microsoft Corporation aELaNKBXRPOBYFeS=C:\Users\vmware\AppData\Roaming\aELaNKBXRPOBYFeS.exe" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\RunOnce
binary data=43003A005C00550073006500720073005C0076006D0077006100720065005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C00610045004C0061004E004B0042005800520050004F00420059004600650053002E006500780065000000
* Creates value "(Default)=31" in key HKEY_CURRENT_USER\software\SandboxAutoExec
* Creates value "SandboxieRpcSs.exe=Sandboxie COM Services (RPC)" in key HKEY_CURRENT_USER\software\classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Program Files\Sandboxie
binary data=530061006E00640062006F00780069006500200043004F004D002000530065007200760069006300650073002000280052005000430029000000
* Creates value "6d6a72d00436b92f3da93c1248b20dbf.exe=6d6a72d00436b92f3da93c1248b20dbf.exe" in key HKEY_CURRENT_USER\software\classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Users\vmware\Desktop\malware
binary data=360064003600610037003200640030003000340033003600620039003200660033006400610039003300630031003200340038006200320030006400620066002E006500780065000000
* Creates value "server.exe=server.exe" in key HKEY_CURRENT_USER\software\classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Sandbox\vmware\DefaultBox\user\current\AppData\Roaming
binary data=7300650072007600650072002E006500780065000000
* Creates value "scvhostt.exe=scvhostt.exe" in key HKEY_CURRENT_USER\software\classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Sandbox\vmware\DefaultBox\user\current\AppData\Roaming
binary data=73006300760068006F007300740074002E006500780065000000
* Creates value "RegAsm.exe=LolCache" in key HKEY_CURRENT_USER\software\classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Windows\Microsoft.NET\Framework\v2.0.50727
binary data=4C006F006C00430061006300680065000000

Changes to filesystem:

* Creates file C:\Users\vmware\AppData\Local\Temp\aELaNKBXRPOB
* Creates file C:\Users\vmware\AppData\Local\Temp\FYWWEhSMGdcf
* Creates file (hidden) C:\Users\vmware\AppData\Roaming\aELaNKBXRPOBYFeS.exe
* Creates file (hidden) C:\Users\vmware\AppData\Roaming\FYWWEhSMGdcfOJYX.exe
* Creates file C:\Users\vmware\AppData\Roaming\Imminent\Logs\25-05-2016
* Creates file (hidden) C:\Users\vmware\AppData\Roaming\scvhostt.exe
* Creates file (hidden) C:\Users\vmware\AppData\Roaming\server.exe

Network services:

* Queries DNS "wpad.localdomain".
* Queries DNS "xrise36.no-ip.info".
* Queries DNS "dns.msftncsi.com".
* Queries DNS "ip-api.com".
* Queries DNS "smokeandfly.pw".
* Queries DNS "hipstershizzle.pw".
* Queries DNS "safebrowsing.google.com".
* Queries DNS "safebrowsing-cache.google.com".
* Queries DNS "clients4.google.com".
* C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Connects to "209.58.180.196" on port 80 (TCP - HTTP).
* C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Connects to "185.56.30.170" on port 443 (TCP - HTTPS).
* Downloads file from "ip-api.com/json".
* Connects to "185.56.30.170" on TCP port 443 and sends the login "IN|vmware|WIN-OGE6F1P34CK|1873 0 * :IN|vmware|WIN-OGE6F1P34CK|1873" with an empty password (classified by the sandbox as FTP).
* Connects to IRC using the nick "IN|vmware|WIN-OGE6F1P34CK|1873".

Reading the list: the "FTP" login string has the exact shape of an IRC USER command (user name, mode, unused field, colon-prefixed real name) and carries the same value as the IRC nick, so the two lines almost certainly describe a single IRC session to 185.56.30.170 over TCP 443, a port chosen to pass firewalls that allow HTTPS, rather than a separate FTP login. The nick is two letters, the user name, the computer name and a number joined by "|", which is how IRC-controlled bots present each victim to the operator. The connections are made by RegAsm.exe rather than LegendCraft.exe because the payload has been injected into it (see the process section). The ip-api.com/json request is a geolocation lookup of the victim's public IP address. wpad.localdomain, dns.msftncsi.com and the safebrowsing and clients4 google.com names are normal Windows and Chrome background traffic and should not be treated as indicators; xrise36.no-ip.info (a dynamic-DNS name), smokeandfly.pw and hipstershizzle.pw are the candidate command-and-control names, though the report does not show which of them resolved to 209.58.180.196 or 185.56.30.170.

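As an added example (not part of the report, not the vendor's code), the following Python script turns the network section into a small triage: it carries the report's domains and IP addresses, an allow-list for the Windows and Chrome background queries, and a pattern for the bot nick format, and runs them over a few DNS log lines and an IRC client line. The log lines, the dnsmasq-style format and the client addresses 10.0.0.12 and 10.0.0.45 are constructed for the example.

```python
import re
from typing import List, Optional, Tuple

# Indicators copied from the report's network section.
C2_DOMAINS = {"xrise36.no-ip.info", "smokeandfly.pw", "hipstershizzle.pw"}
C2_IPS = {"209.58.180.196", "185.56.30.170"}
# Queried by the sample but also used by plenty of legitimate software: report, do not alert.
WEAK_DOMAINS = {"ip-api.com"}
# Windows / Chrome background traffic that the sandbox logged next to the C2 lookups.
BENIGN_DOMAINS = {
    "wpad.localdomain", "dns.msftncsi.com", "safebrowsing.google.com",
    "safebrowsing-cache.google.com", "clients4.google.com",
}

# Nick format as observed in the report: two letters|user|host|number.
BOT_NICK_RE = re.compile(r"^[A-Z]{2}\|[^|\s]+\|[^|\s]+\|\d+$")
# dnsmasq-style query line (constructed format for the sample log below).
DNS_LINE_RE = re.compile(r"query\[(?P<type>\w+)\] (?P<qname>\S+) from (?P<client>\S+)")


def classify_qname(qname: str) -> str:
    q = qname.lower().rstrip(".")
    if q in C2_DOMAINS:
        return "c2"
    if q in WEAK_DOMAINS:
        return "weak"
    if q in BENIGN_DOMAINS:
        return "benign"
    return "unknown"


def is_c2_ip(ip: str) -> bool:
    return ip in C2_IPS


def triage_dns_log(log: str) -> List[Tuple[str, str, str]]:
    """Return (client, qname, verdict) for every query that is not known-benign."""
    hits = []
    for line in log.splitlines():
        m = DNS_LINE_RE.search(line)
        if not m:
            continue
        verdict = classify_qname(m["qname"])
        if verdict != "benign":
            hits.append((m["client"], m["qname"], verdict))
    return hits


def is_bot_nick(nick: str) -> bool:
    return bool(BOT_NICK_RE.match(nick))


def irc_nick_from_line(line: str) -> Optional[str]:
    """Extract the nick from a raw 'NICK <nick>' IRC client line, or None."""
    parts = line.strip().split(maxsplit=1)
    if len(parts) == 2 and parts[0].upper() == "NICK":
        return parts[1]
    return None


# Constructed DNS log in dnsmasq format; hosts and timestamps are made up.
SAMPLE_DNS_LOG = """\
May 25 10:01:02 dnsmasq[1234]: query[A] wpad.localdomain from 10.0.0.12
May 25 10:01:03 dnsmasq[1234]: query[A] xrise36.no-ip.info from 10.0.0.12
May 25 10:01:04 dnsmasq[1234]: query[A] dns.msftncsi.com from 10.0.0.12
May 25 10:01:05 dnsmasq[1234]: query[A] ip-api.com from 10.0.0.12
May 25 10:01:06 dnsmasq[1234]: query[A] smokeandfly.pw from 10.0.0.12
May 25 10:01:07 dnsmasq[1234]: query[A] safebrowsing.google.com from 10.0.0.45
May 25 10:01:08 dnsmasq[1234]: query[A] example.org from 10.0.0.45
"""

if __name__ == "__main__":
    for client, qname, verdict in triage_dns_log(SAMPLE_DNS_LOG):
        print(f"{client:12} {verdict:8} {qname}")
    nick = irc_nick_from_line("NICK IN|vmware|WIN-OGE6F1P34CK|1873")
    print("bot nick" if nick and is_bot_nick(nick) else "no bot nick")
```

On a real resolver log the "c2" rows are the ones to act on; "weak" and "unknown" rows are context. Because xrise36.no-ip.info is a dynamic-DNS name, its address can change at any time, so the domain names are the more durable indicators here and the two IP addresses should be re-validated before they are blocked.
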
Process/window/string information:

* Keylogger functionality.
* Gets user name information.
* Gets input locale identifiers.
* Gets computer name.
* Decrypts data.
* Checks for debuggers.
* Installs a hook procedure that monitors keystroke messages.
* Removes Zone.Identifier information.
* Creates process "null, C:\Users\vmware\AppData\Roaming\server.exe, C:\Users\vmware\Desktop\malware".
* Injects code into process "C:\Sandbox\vmware\DefaultBox\user\current\AppData\Roaming\server.exe".
* Creates process "null, C:\Users\vmware\AppData\Roaming\scvhostt.exe, C:\Users\vmware\Desktop\malware".
* Injects code into process "C:\Sandbox\vmware\DefaultBox\user\current\AppData\Roaming\scvhostt.exe".
* Creates process "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, null, null".
* Injects code into process "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe".
* Enumerates running processes.
* Creates an event named "Global\CorDBIPCSetupSyncEvent_3884".
* Creates an event named "Global\CorDBIPCSetupSyncEvent_2560".
* Opens a service named "RASMAN".
* Creates a mutex "Global\.net clr networking".
* Creates an event named "Global\CorDBIPCSetupSyncEvent_1268".
* Enables privilege SeAuditPrivilege.
* Creates a mutex "fb81552e-842e-493f-a3d9-c92db07478b4".
* Creates a mutex "eed3bd3a-a1ad-4e99-987b-d7cb3fcfa7f0 - S-1-5-21-4181251035-1584676081-2777171207-1000".
* Enables privilege SeDebugPrivilege.
* Enables privilege SeCreateSymbolicLinkPrivilege.
* Enables privilege SeIncreaseBasePriorityPrivilege.
* Creates a mutex "dgfsdgfedghdfhjgfdjfggfdgfdg".
* Opens a service named "AudioSrv".
* Creates a mutex "Local\MidiMapper_modLongMessage_RefCnt".
* Enables process privileges.
* Sleeps 2771 seconds.

Reading the list: the "Creates process" entries use the sandbox's (application, command line, working directory) format, so the sample launches the dropped server.exe and scvhostt.exe from the Desktop\malware directory and then starts RegAsm.exe, the signed .NET framework assembly-registration tool, with no arguments; each launch is followed by a code injection, and it is the injected RegAsm.exe that performs the network activity in the previous section. Hiding a payload inside a signed Microsoft binary is a common loader technique for .NET remote access tools because process-name allow-lists and per-application firewall rules let RegAsm.exe through. SeDebugPrivilege is enabled to open the target processes for injection. The Global\CorDBIPCSetupSyncEvent_<PID> events and the "Global\.net clr networking" mutex are created by the CLR in every managed process, so they show that three managed processes ran but are not indicators on their own; the mutex "dgfsdgfedghdfhjgfdjfggfdgfdg" is the sample-specific one, and the two GUID-named mutexes should be checked against clean .NET processes before being used as indicators. The keystroke hook and the collection of user name, input locale and computer name go with the Imminent\Logs directory created in the filesystem section. The 2771-second sleep (about 46 minutes) is long enough to outlast a typical automated sandbox run.

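The injected RegAsm.exe is what a host detection should key on. As an added example (not the report's or any vendor's code), the Python below runs four rules over Sysmon-style event records that mirror the process section: an executable launched from %AppData%\Roaming, RegAsm.exe spawned by such an executable, a remote thread created in RegAsm.exe, and RegAsm.exe opening a network connection. The event records are constructed for the example; the parent of RegAsm.exe, the chrome.exe row and the msiexec.exe row are assumptions, the last one included to show that RegAsm.exe run by an installer, with no injection and no network traffic, does not fire the rules.

```python
from typing import Dict, List, Tuple

REGASM = r"c:\windows\microsoft.net\framework\v2.0.50727\regasm.exe"
ROAMING = "\\appdata\\roaming\\"

Event = Dict[str, object]

# Constructed Sysmon-style records (EventID 1 = process create, 3 = network connect,
# 8 = CreateRemoteThread). Not real telemetry: they mirror the report's process section,
# and the RegAsm.exe parent, the chrome.exe row and the msiexec.exe row are assumptions.
EVENTS: List[Event] = [
    {"EventID": 1, "Image": r"C:\Users\vmware\AppData\Roaming\server.exe",
     "ParentImage": r"C:\Users\vmware\Desktop\malware\LegendCraft.exe"},
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe",
     "ParentImage": r"C:\Users\vmware\AppData\Roaming\server.exe"},
    {"EventID": 8, "SourceImage": r"C:\Users\vmware\AppData\Roaming\server.exe",
     "TargetImage": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"},
    {"EventID": 3, "Image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe",
     "DestinationIp": "185.56.30.170", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationIp": "172.217.0.1", "DestinationPort": 443},
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe",
     "ParentImage": r"C:\Windows\System32\msiexec.exe"},
]


def detect(events: List[Event]) -> List[Tuple[str, str]]:
    """Return (rule name, detail) for each event matching one of the four rules."""
    findings: List[Tuple[str, str]] = []
    for e in events:
        eid = e["EventID"]
        if eid == 1:
            img = str(e["Image"]).lower()
            parent = str(e["ParentImage"]).lower()
            if img == REGASM and ROAMING in parent:
                # RegAsm.exe has no business being started by something in a roaming profile.
                findings.append(("regasm_spawned_by_roaming_exe", str(e["ParentImage"])))
            elif ROAMING in img and img.endswith(".exe"):
                findings.append(("exe_launched_from_roaming", str(e["Image"])))
        elif eid == 8 and str(e["TargetImage"]).lower() == REGASM:
            findings.append(("remote_thread_into_regasm", str(e["SourceImage"])))
        elif eid == 3 and str(e["Image"]).lower() == REGASM:
            # A registration tool never needs the network; any connection is suspect.
            findings.append(("regasm_network_connect",
                             f'{e["DestinationIp"]}:{e["DestinationPort"]}'))
    return findings


if __name__ == "__main__":
    for rule, detail in detect(EVENTS):
        print(f"{rule:32} {detail}")
```

The RegAsm.exe path matched here is the .NET 2.0 one from the report; on a real estate the same rules need the v4.0.30319 and Framework64 paths as well, and the same pattern applies to its siblings RegSvcs.exe and InstallUtil.exe, which .NET loaders use interchangeably.
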
Additional Information:

How To Remove LegendCraft.exe

1. Download Sniper Antivirus.
2. Run the downloaded installer.
3. Run a full scan of the computer, or scan the folder in which LegendCraft.exe is located.
4. When the scan finishes you will see the message "scan is complete"; click OK to view the results.
5. Delete the threat from the results table.

Whichever scanner is used, check afterwards that everything the report lists is gone: the two "Microsoft Corporation ..." values under HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce, the hidden executables FYWWEhSMGdcfOJYX.exe, aELaNKBXRPOBYFeS.exe, server.exe and scvhostt.exe in %AppData%\Roaming, the %AppData%\Roaming\Imminent\Logs directory, and any running RegAsm.exe that was not started by an installer. Because the sample hooks keystrokes and sends what it collects to a remote operator, treat every password typed on the machine while it was infected as compromised, change those passwords from a clean device, and block the domains and IP addresses from the network section at the perimeter.
