Worm.Generic
Risk Level 1
File Size : 401408 KB
File Type : Portable Executable 32
File Name : osoba.exe
MD5 : b15d79b2229f26a498c7431afb14afa3
SHA1 : a8050aee2a56fb2dd5260d86de72ef9bc9d0e09c
SHA256 : 6940fd874ac91fdc58e314a3de2e1259cd7fee08ac371854c8

General information:

* File name: C:\Users\cognus\Desktop\Analyzed Viruses\6 June 2016\New folder\Sample\b15d79b2229f26a498c7431afb14afa3.exe

Changes to registry:

* Creates value "NukeOnDelete=00000001" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Explorer\BitBucket
* Creates value "UseGlobalSettings=00000001" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Explorer\BitBucket
* Creates value "DontShowUI=00000001" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\Windows Error Reporting
* Creates Registry key HKEY_LOCAL_MACHINE\software\microsoft\Windows\Windows Error Reporting\LocalDumps
* Creates value "(Default)=BA7458C96CEAF9E3BA43563F3998066AC29E17D5C8099155" in key HKEY_USERS\current
* Creates value "Viac=8C94975BCA758A62B6CBEAC4369613B893F149B634E6A4DD" in key HKEY_CURRENT_USER\software\Microsoft\Apugac
* Creates value "Unyzy=729F31AD249B648C5825042AD878FD567D1FA75887A3019AFDF7562AEF49B87535922FB2C16128F0B5EC4D10EA1E248AC3D5FB48F5E75EC2297DF2B579B1F67B5BD452F8290BEE4A349BBC0352671D2B9E9CD1A3D33D6282ED980D90D7C94F30EDDB87D377D004B0C8078793D10E3157A4F69E52D9E810E99A1B18ECF8B71003353374801F0C461C53FCEFBB26402DF6A91B91DF7376E966CBF6FD86A7E35CCC3D6E7B5A7BCC0A12C31E1AFF40719F64340DEB60F1C79920EF860ACCFE11FC7408882BD15A12193716F7C203784097C59914531A96390B" in key HKEY_CURRENT_USER\software\Microsoft\Apugac
* Modifies value "NukeOnDelete=00000001" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{c9d04f3b-1c7e-11e6-979c-806e6f6e6963} (old value empty)
* Empties value "CurrentLevel" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 (old value "CurrentLevel=00010500")
* Empties value "1406" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 (old value "1406=00000003")
* Empties value "CurrentLevel" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 (old value "CurrentLevel=00011000")
* Empties value "1609" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 (old value "1609=00000001")
* Empties value "1A05" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 (old value "1A05=00000001")
* Empties value "1406" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 (old value "1406=00000003")
* Empties value "CurrentLevel" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 (old value "CurrentLevel=00011500")
* Empties value "1609" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 (old value "1609=00000001")
* Empties value "1A10" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 (old value "1A10=00000001")
* Empties value "1A05" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 (old value "1A05=00000001")
* Empties value "CurrentLevel" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 (old value "CurrentLevel=00012000")
* Empties value "1A10" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 (old value "1A10=00000003")
* Creates value "(Default)=31" in key HKEY_CURRENT_USER\software\SandboxAutoExec
* Creates value "HWID=7B33324137464134302D453646432D343336432D383741422D3135464441463235353333417D" in key HKEY_CURRENT_USER\software\WinRAR
* Creates value "SandboxieRpcSs.exe=Sandboxie COM Services (RPC)" in key HKEY_CURRENT_USER\software\classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Program Files\Sandboxie
binary data=530061006E00640062006F00780069006500200043004F004D002000530065007200760069006300650073002000280052005000430029000000
* Creates value "b15d79b2229f26a498c7431afb14afa3.exe=Rhapsodized" in key HKEY_CURRENT_USER\software\classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Users\cognus\Desktop\Analyzed Viruses\6 June 2016\New folder\Sample
binary data=520068006100700073006F00640069007A00650064000000
* Creates value "otomy.exe=Rhapsodized" in key HKEY_CURRENT_USER\software\classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Sandbox\cognus\DefaultBox\user\current\AppData\Roaming\Ufohy
binary data=520068006100700073006F00640069007A00650064000000
* Creates value "cmd.exe=Windows Command Processor" in key HKEY_CURRENT_USER\software\classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Windows\System32
binary data=570069006E0064006F0077007300200043006F006D006D0061006E0064002000500072006F0063006500730073006F0072000000

Changes to filesystem:

* Creates file (empty) C:\Users\cognus\AppData\Roaming\Irozil\ovfex.usu
* Creates file C:\Users\cognus\AppData\Roaming\Ufohy\otomy.exe
* Modifies file (empty) C:\Users\cognus\Desktop\Analyzed Viruses\6 June 2016\New folder\Sample\b15d79b2229f26a498c7431afb14afa3.exe

Network services:

* Queries DNS "kbfvzoboss.bid".
* Queries DNS "clients4.google.com".
* C:\Users\cognus\Desktop\Analyzed Viruses\6 June 2016\New folder\Sample\b15d79b2229f26a498c7431afb14afa3.exe Connects to "198.105.221.6" on port 80 (TCP - HTTP).
* Downloads file from "google.com/".
* Downloads file from "dlg-configs.buzzrin.de /config-from-production".
* Downloads file from "dlg-messages.buzzrin.de /1/dg/3/error".
* Downloads file from "dlg-messages.buzzrin.de /1/dg/3".
* Downloads file from "az687722.vo.msecnd.net/public-source/downloadguide/shareware-de/1.0/default/campaigns/product+website/ui/shareware-de-flow-5-text-en-us.zip".
* Downloads file from "az687722.vo.msecnd.net/public-source/downloadguide/shareware-de/1.0/default/campaigns/product+website/ui/last.zip".
* Downloads file from "az687722.vo.msecnd.net/public-source/downloadguide/shareware-de/1.0/default/campaigns/product+website/ui/yessearches-single-text-en-us.zip".
* Downloads file from "az687722.vo.msecnd.net/public-source/downloadguide/shareware-de/1.0/default/campaigns/product+website/ui/progress.zip".
* Downloads file from "az687722.vo.msecnd.net/public-source/downloadguide/shareware-de/1.0/default/campaigns/product+website/ui/base.zip".
* Downloads file from "az687722.vo.msecnd.net/public-source/downloadguide/shareware-de/1.0/default/campaigns/product+website/ui/pcspeedup-single-text-en-us.zip".
* Downloads file from "az687722.vo.msecnd.net/public-source/downloadguide/shareware-de/1.0/default/campaigns/product+website/ui/opera-single-text-en-us.zip".
* Downloads file from "az687722.vo.msecnd.net/public-source/downloadguide/shareware-de/1.0/default/campaigns/product+website/ui/my-pc-backup-single-text-en-us.zip".
* Downloads file from "www.shareware.de/images/software_icon_large/spintires-icon-546ac4be44d75.png".
* Downloads file from "crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl".
* Downloads file from "ocsp.comodoca.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBR64T7ooMQqLLQoy%2BemBUYZQOKh6QQUkK9qOpRaC9iQ6hJWc99DtDoo2ucCEQDKfgk4eFlnv9iV6q4yK2qS".
* Downloads file from "d3j30ujq5cgnz5.cloudfront.net/main/cos_setup.exe".
* Downloads file from "d3d5rryrijbudj.cloudfront.net/q5t17hcl?uid=B3A57DB7115B1E428081695633F67282&update0=version,201606061059&update1=sys,Windows.7.Professional&update4=ref,cos&update5=mode,&update6=sys0,Windows&update7=sys1,7&update8=sys2,Professional&update9=sys3,&update10=sys4,".
* Downloads file from "d3d5rryrijbudj.cloudfront.net/gzi4nvrb?uid=B3A57DB7115B1E428081695633F67282&update0=version,201606061059&update1=sys,Windows.7.Professional&update4=ref,cos&update5=mode,&update6=sys0,Windows&update7=sys1,7&update8=sys2,Professional&update9=sys3,&update10=sys4,".
* Downloads file from "d3d5rryrijbudj.cloudfront.net/q26tzhy6?uid=262929407_198339_B84975D2&update0=version,201606061059&update1=sys,Windows.7.Professional&update4=ref,cos&update5=mode,&update6=sys0,Windows&update7=sys1,7&update8=sys2,Professional&update9=sys3,&update10=sys4,".
* Downloads file from "d3d5rryrijbudj.cloudfront.net/u2z5hyl2?uid=262929407_198339_B84975D2&update0=version,201606061059&update1=sys,Windows.7.Professional&update4=ref,cos&update5=mode,&update6=sys0,Windows&update7=sys1,7&update8=sys2,Professional&update9=sys3,&update10=sys4,".
* Downloads file from "d3d5rryrijbudj.cloudfront.net/q5t17hcl?uid=B3A57DB7115B1E428081695633F67282&a=visit.dl.winmain.prestart4.448fbbb8135cfae740b9d9d720815259.1".
* Downloads file from "d3d5rryrijbudj.cloudfront.net/q26tzhy6?uid=262929407_198339_B84975D2&a=visit.dl.winmain.prestart4.448fbbb8135cfae740b9d9d720815259.1".
* Downloads file from "d3d5rryrijbudj.cloudfront.net/q5t17hcl?uid=B3A57DB7115B1E428081695633F67282&a=visit.dl.winmain.start.010".
* Downloads file from "d3d5rryrijbudj.cloudfront.net/q26tzhy6?uid=262929407_198339_B84975D2&a=visit.dl.winmain.start.010".
* Downloads file from "d3pa4xcf10sh05.cloudfront.net /i4/22".
* Downloads file from "d1139uuzpj6eq0.cloudfront.net/r6/22_4c47b1a5000031b75208dcf163ffc9fd/1.n.7z".
* Downloads file from "yahoo.com/setting.doc".
* Downloads file from "www.yahoo.com/setting.doc".
* Downloads file from "crl.usertrust.com/AddTrustExternalCARoot.crl".
* Downloads file from "crl.microsoft.com/pki/crl/products/microsoftrootcert.crl".
* Downloads file from "crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl".
* Downloads file from "pki.google.com/GIAG2.crl".
* Downloads file from "crl.microsoft.com/pki/crl/products/WinPCA.crl".
* Downloads file from "d3d5rryrijbudj.cloudfront.net/q5t17hcl?uid=B3A57DB7115B1E428081695633F67282&a=visit.dl.winmain.prestart4.448fbbb8135cfae740b9d9d720815259.2".
* Downloads file from "d3d5rryrijbudj.cloudfront.net/q26tzhy6?uid=262929407_198339_B84975D2&a=visit.dl.winmain.prestart4.448fbbb8135cfae740b9d9d720815259.2".
* Downloads file from "kbfvzoboss.bid /alpha/gate.php".
* Uses POST methods in HTTP.

Process/window/string information:

* Gets user name information.
* Gets system default language ID.
* Gets input locale identifiers.
* Gets volume information.
* Gets computer name.
* Checks for debuggers.
* Enables privilege SeImpersonatePrivilege.
* Enables privilege SeTcbPrivilege.
* Enables privilege SeChangeNotifyPrivilege.
* Enables privilege SeCreateTokenPrivilege.
* Enables privilege SeBackupPrivilege.
* Enables privilege SeRestorePrivilege.
* Enables privilege SeIncreaseQuotaPrivilege.
* Enables privilege SeAssignPrimaryTokenPrivilege.
* Creates a mutex "Global\{974055F6-E82B-72CD-8F9E-2F20AC72ACD3}".
* Creates a mutex "Global\{CA0C47D5-FA08-2F81-8F9E-2F20AC72ACD3}".
* Enables privilege SeSecurityPrivilege.
* Creates process "null, "C:\Users\cognus\AppData\Roaming\Ufohy\otomy.exe", C:\Users\cognus\AppData\Roaming".
* Injects code into process "C:\Sandbox\cognus\DefaultBox\user\current\AppData\Roaming\Ufohy\otomy.exe".
* Creates an event named "Local\{B6A19296-2F4B-532C-8F9E-2F20AC72ACD3}".
* Creates a mutex "Local\!IETld!Mutex".
* Creates process "null, "C:\Windows\system32\cmd.exe" /c "C:\Users\cognus\AppData\Local\Temp\tmp8484b3fd.bat", null".
* Injects code into process "C:\Windows\System32\cmd.exe".
* Creates a mutex "Local\{63E2503D-EDE0-866F-8F9E-2F20AC72ACD3}".
* Injects code into process "C:\Users\cognus\Desktop\Analyzed Viruses\6 June 2016\New folder\Sample\b15d79b2229f26a498c7431afb14afa3.exe".
* Creates a mutex "Global\{E5C21BC6-A61B-004F-9D2C-4474BEC0C787}".
* Creates a mutex "Global\{E5C21BC6-A61B-004F-B52E-447496C2C787}".
* Creates a mutex "Global\{E5C21BC6-A61B-004F-1523-447436CFC787}".
* Creates a mutex "Global\{F606D3EE-6E33-138B-8F9E-2F20AC72ACD3}".
* Creates a mutex "Local\{76C25D7B-E0A6-934F-8F9E-2F20AC72ACD3}".
* Creates a mutex "Local\{AC0F3B78-86A5-4982-8F9E-2F20AC72ACD3}".
* Creates process "null, "C:\Users\cognus\AppData\Local\Temp\8431370.bat" "C:\Users\cognus\Desktop\Analyzed Viruses\6 June 2016\New folder\Sample\b15d79b2229f26a498c7431afb14afa3.exe" , C:\Users\cognus\Desktop\Analyzed Viruses\6 June 2016\New folder\Sample".
* Creates a mutex "Global\{E5C21BC6-A61B-004F-7528-447456C4C787}".
* Enables process privileges.
* Sleeps 3151 seconds.

Additional Information:

How To Remove osoba.exe

1. Download Sniper Antivirus.
2. Install the exe file on your system.
3. Run a full scan of your computer, or of the folder where osoba.exe is located.
4. Once the scan is finished, you'll get the message "scan is complete". Click the OK button to get the results.
5. Then delete the threat from the table.
