Trojan.Agent
Risk Level 1
File Size: 4 KB
File Type: Portable Executable file Win32 EXE
File Name: output.92536418.txt
MD5: acc390944cbf3ceb2069c9c221c115c8
SHA1: a850c4db84845ac3f782c21341fa3926c5361c20
SHA256: e4abc2de4c001b3fbdca3bdb4343a0f07cab128c323007a853

General information:

* File name: C:\Users\Cognus\Desktop\malware sample\1 (5).exe

Changes to registry:

* Creates value "DisplayName=5297AB67E5658653200031002E0032002E0033002E0030000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Uninstall\R—«gåe†S
* Creates value "UninstallString=C:\Program Files\qingfengrili\Uninst.exe" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Uninstall\R—«gåe†S
* Creates value "DisplayIcon=C:\Program Files\qingfengrili\qfrl.exe" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Uninstall\R—«gåe†S
* Creates value "DisplayVersion=1.2.3.0" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Uninstall\R—«gåe†S
binary data=31002E0032002E0033002E003000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
* Creates value "Publisher=5297AB67E5658653000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Uninstall\R—«gåe†S
* Creates value "URLInfoAbout=0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Uninstall\R—«gåe†S
* Creates value "InstallLocation=C:\Program Files\qingfengrili\" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Uninstall\R—«gåe†S
binary data=43003A005C00500072006F006700720061006D002000460069006C00650073005C00710069006E006700660065006E006700720069006C0069005C000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
* Creates value "DontShowUI=00000001" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\Windows Error Reporting
* Creates Registry key HKEY_LOCAL_MACHINE\software\microsoft\Windows\Windows Error Reporting\LocalDumps
* Creates value "InstallPath=C:\Program Files\qingfengrili\" in key HKEY_LOCAL_MACHINE\software\qingfengrili
binary data=43003A005C00500072006F006700720061006D002000460069006C00650073005C00710069006E006700660065006E006700720069006C0069005C000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
* Modifies value "NukeOnDelete=00000001" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{1a36211b-1230-11e6-a3ec-806e6f6e6963}
old value empty
* Modifies value "SavedLegacySettings" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
old value "SavedLegacySettings"
* Creates value "(Default)=31" in key HKEY_CURRENT_USER\software\SandboxAutoExec
* Creates value "1 (5).exe=5297AB67E5658653895BC5880B7A8F5E0000" in key HKEY_CURRENT_USER\software\classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Users\Cognus\Desktop\malware sample
* Creates value "LangID=0904" in key HKEY_CURRENT_USER\software\classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
* Creates value "SandboxieRpcSs.exe=Sandboxie COM Services (RPC)" in key HKEY_CURRENT_USER\software\classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Program Files\Sandboxie
binary data=530061006E00640062006F00780069006500200043004F004D002000530065007200760069006300650073002000280052005000430029000000

Changes to filesystem:

* Creates file C:\Program Files\Common Files\qingfengrili\qingfengrili.ini
* Creates file C:\Program Files\qingfengrili\Clock32.dll
* Creates file C:\Program Files\qingfengrili\clock32.exe
* Creates file C:\Program Files\qingfengrili\Clock64.dll
* Creates file C:\Program Files\qingfengrili\clock64.exe
* Creates file C:\Program Files\qingfengrili\Config.ini
* Creates file C:\Program Files\qingfengrili\Data\1 (5)index.html
* Creates file C:\Program Files\qingfengrili\Data\2013.xml
* Creates file C:\Program Files\qingfengrili\Data\2013JieQi.xml
* Creates file C:\Program Files\qingfengrili\Data\2014.xml
* Creates file C:\Program Files\qingfengrili\Data\2014JieQi.xml
* Creates file C:\Program Files\qingfengrili\Data\HuangLi.mdb
* Creates file C:\Program Files\qingfengrili\Data\UserNoteText.xml
* Creates file C:\Program Files\qingfengrili\online_c.html
* Creates file C:\Program Files\qingfengrili\Power.exe
* Creates file C:\Program Files\qingfengrili\qfrl.exe
* Creates file C:\Program Files\qingfengrili\SoftApp.ini
* Creates file C:\Program Files\qingfengrili\SoftUpd.exe
* Creates file C:\Program Files\qingfengrili\uninst.exe
* Modifies file (hidden) C:\Users\Cognus\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
* Modifies file (hidden) C:\Users\Cognus\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
* Creates file C:\Users\Cognus\AppData\Local\Temp\nsr260D.tmp\Banner.dll
* Creates file C:\Users\Cognus\AppData\Local\Temp\nsr260D.tmp\bg2_1.jpg
* Creates file C:\Users\Cognus\AppData\Local\Temp\nsr260D.tmp\bg2_2.png
* Creates file C:\Users\Cognus\AppData\Local\Temp\nsr260D.tmp\btn2_1.png
* Creates file C:\Users\Cognus\AppData\Local\Temp\nsr260D.tmp\btn2_2.png
* Creates file C:\Users\Cognus\AppData\Local\Temp\nsr260D.tmp\Button.dll
* Creates file C:\Users\Cognus\AppData\Local\Temp\nsr260D.tmp\chk2_1.png
* Creates file C:\Users\Cognus\AppData\Local\Temp\nsr260D.tmp\chk2_2.png
* Creates file C:\Users\Cognus\AppData\Local\Temp\nsr260D.tmp\close.png
* Creates file C:\Users\Cognus\AppData\Local\Temp\nsr260D.tmp\inetc.dll
* Creates file C:\Users\Cognus\AppData\Local\Temp\nsr260D.tmp\info.png
* Creates file C:\Users\Cognus\AppData\Local\Temp\nsr260D.tmp\nsDialogs.dll
* Creates file C:\Users\Cognus\AppData\Local\Temp\nsr260D.tmp\NSISdl.dll
* Creates file C:\Users\Cognus\AppData\Local\Temp\nsr260D.tmp\riliUI.dll
* Creates file C:\Users\Cognus\AppData\Local\Temp\nsr260D.tmp\socket2.dll
* Creates file C:\Users\Cognus\AppData\Local\Temp\nsr260D.tmp\System.dll

Network services:

* Queries DNS "confignew.3lsoft.com".
* Downloads file from "confignew.3lsoft.com/20141128/14.html?cid=0001&rand=52232361369".
* Downloads file from "confignew.3lsoft.com/14.html?cid=0001&rand=52232361369".
* Downloads file from "downcdn1.shgaoxin.net/other/360initest.cab".
* Downloads file from "xiazai.rilibiao.com.cn/xml/switch_config.xml".
* Downloads file from "statistics.haharili.com/weatherapi".
* Downloads file from "city.ip138.com/ip2city.asp".
* Downloads file from "downcdn1.shgaoxin.net/shichangbu/all_active.html".
* Downloads file from "downcdn1.shgaoxin.net/shichangbu/nsl_active.html".
* Downloads file from "xiazai.rilibiao.com.cn/xml/info_configex.xml".
* Downloads file from "s6.cnzz.com/z_stat.php?id=1253415983&web_id=1253415983".
* Downloads file from "s6.cnzz.com/z_stat.php?id=1253458943&web_id=1253458943".
* Downloads file from "news.pptv.com/?rcc_id=dsjtg_1".
* Downloads file from "z6.cnzz.com/stat.htm?id=1253458943&r=&lg=en-us&ntime=none&cnzz_eid=none&showp=1600x900&t=&h=1&rnd=893038613".
* Downloads file from "z6.cnzz.com/stat.htm?id=1253415983&r=&lg=en-us&ntime=none&cnzz_eid=none&showp=1600x900&t=&h=1&rnd=846771003".
* Downloads file from "c.cnzz.com/core.php?web_id=1253458943&t=z".
* Downloads file from "c.cnzz.com/core.php?web_id=1253415983&t=z".
* Downloads file from "statistic.haharili.com/weatherapi".
* Downloads file from "statistic.haharili.com/weatherapi/".
* Downloads file from "static9.pplive.cn/pub/flagment/v_20160505194229/header.min.css".
* Downloads file from "static9.pplive.cn/pub/flagment/v_20160509165650/channel-common.min.css".
* Downloads file from "static9.pplive.cn/pptv/main/v_20141015100259/seajs/2.2.1/sea.js".
* Downloads file from "static9.pplive.cn/pptv/index/v_201202141528/images/no.gif".
* Downloads file from "static9.pplive.cn/pub/flagment/v_20140912103250/modules/g-1408-hd/images/loader2.gif".
* Downloads file from "static9.pplive.cn/pub/flagment/v_20160505194229/modules/g-1408-hd/images/icon-point-blue.png".
* Downloads file from "static9.pplive.cn/pub/flagment/v_20141223141121/modules/g-1408-hd/images/app1.jpg".
* Downloads file from "static9.pplive.cn/pub/flagment/v_20160505194229/modules/g-1408-hd/images/ic14.png".
* Downloads file from "static9.pplive.cn/pub/flagment/v_20141223141121/modules/g-1408-hd/images/app3.jpg".
* Downloads file from "static9.pplive.cn/pub/flagment/v_20160505194229/modules/g-1408-hd/images/g-1408-hd-sprite.png".
* Downloads file from "static9.pplive.cn/pub/flagment/v_20160505194229/modules/g-1408-hd/images/ic6.png".
* Downloads file from "static9.pplive.cn/pub/flagment/v_20160505194229/modules/g-1408-hd/images/ic7.png".
* Downloads file from "static1.pplive.cn/cmsfile/78/18/c54916896efd0a7d5ee6fbde8ad905fa.png".
* Downloads file from "static9.pplive.cn/pub/flagment/v_20160505194229/modules/g-1408-hd/images/ic4.png".
* Downloads file from "static9.pplive.cn/pub/flagment/v_20160505194229/modules/g-1408-hd/images/ic5.png".
* Downloads file from "sr3.pplive.com/cms/25/74/43dfe4287303c40f20683a2e006b1928.png".
* Downloads file from "sr3.pplive.com/cms/15/60/ce6781e3540626bdea6e35d44f5ec13c.jpg".
* Downloads file from "sr1.pplive.com/cms/11/79/f02f47046a70c09161d7f3d221812c20.jpg".
* Downloads file from "static9.pplive.cn/pub/flagment/v_20160412140757/ui/ui-index-icon/images/icon-sffbb51807c.png".
* Downloads file from "static9.pplive.cn/pub/flagment/v_20160505194229/modules/g-1408-hd/images/ic13.png".
* Downloads file from "static9.pplive.cn/pub/flagment/v_20160505194229/modules/g-1408-hd/images/ic20.png".
* Downloads file from "static9.pplive.cn/mini/v3/url/bg.png".
* Downloads file from "static9.pplive.cn/pub/flagment/v_20160505194229/modules/g-1408-hd/images/ic8.png".
* Downloads file from "static9.pplive.cn/pub/flagment/v_20160505194229/modules/g-1408-hd/images/ic10.png".
* Downloads file from "static9.pplive.cn/mini/v3/111202/v_20160120142210/images/vipicon.png".
* Downloads file from "sr3.pplive.com/cms/27/78/a33200ff30c502e55fc8064a14ea2a2d.jpg".
* Downloads file from "sr1.pplive.com/cms/18/26/0c8321fe00b70bb5383b066938d38d3e.jpg".
* Downloads file from "sr3.pplive.com/cms/25/63/d96a56665f855309a1b249ffe00f6d86.jpg".
* Downloads file from "static9.pplive.cn/pub/flagment/v_20160505194229/modules/g-1408-hd/images/ic16.png".
* Downloads file from "static9.pplive.cn/pub/flagment/v_20160505194229/modules/g-1408-hd/images/bg1.png".
* Downloads file from "sr4.pplive.com/cms/81/82/b38dc560aea37cc1954628f22240974d.jpg".
* Downloads file from "static9.pplive.cn/pub/flagment/v_20140911174634/basic/images/index-list-bg.jpg".
* Downloads file from "static9.pplive.cn/pub/flagment/v_20140910122440/basic/images/index-list-bg.jpg".
* Downloads file from "sr2.pplive.com/cms/16/16/80b5a3806002a2ff81bd042990ac5aac.jpg".
* Downloads file from "static9.pplive.cn/pub/flagment/v_20160509165650/modules/news-header-video/news-pic-bg.png".
* Downloads file from "static9.pplive.cn/pub/flagment/v_20140910122440/basic/images/ico-video2.png".
* Downloads file from "static9.pplive.cn/pub/flagment/v_20140910122440/basic/images/ico-video3.png".
* Downloads file from "sr3.pplive.com/cms/29/68/d0dd0759528f1662f2a0553c1284db98.png".
* Downloads file from "static9.pplive.cn/pub/flagment/v_20140910122440/basic/images/pic-bg.png".
* Downloads file from "static9.pplive.cn/pub/flagment/v_20140910185819/basic/images/ico_tag24.png".
* Downloads file from "static9.pplive.cn/pub/flagment/v_20160427165946/basic/images/ico_tag24.png".
* Downloads file from "static9.pplive.cn/pub/flagment/v_20150309150327/basic/images/index-list-bg2.jpg".
* Downloads file from "dl.360safe.com/gf/360IniVerify.cab".
* Downloads file from "sr1.pplive.com/cms/37/05/f61840857f8665f9b9bbbe342160b2f1.jpg".
* Downloads file from "news.pptv.com/s=%22v-bg%22".
* Downloads file from "dl.360safe.com/gf/360ini.cab".
* Downloads file from "s.360.cn/hips/update/inst.htm?m=8eb47bbf275ffb80e1c148f7c5cb4602&v=1001164&w=0".
* Downloads file from "s.360.cn/hips/update/inst.htm?m=8eb47bbf275ffb80e1c148f7c5cb4602&v=1001164&s=476&r=0&d=21123".
* Downloads file from "s.360.cn/hips/update/inst.htm?m=8eb47bbf275ffb80e1c148f7c5cb4602&v=1001164&s=294&r=0&d=21123".
* Downloads file from "s.360.cn/hips/update/inst.htm?m=8eb47bbf275ffb80e1c148f7c5cb4602&v=1001164&s=285&r=0&d=21123".
* Downloads file from "downcdn1.shgaoxin.net/shichangbu/xyb/yj0506.html".
* Downloads file from "s.360.cn/hips/update/inst.htm?m=8eb47bbf275ffb80e1c148f7c5cb4602&v=1001164&s=450&r=0&d=999999".
* Downloads file from "s6.cnzz.com/z_stat.php?id=1253407789&web_id=1253407789".
* Downloads file from "z6.cnzz.com/stat.htm?id=1253407789&r=&lg=en-us&ntime=none&cnzz_eid=333811275-1462868135-&showp=1600x900&t=&h=1&rnd=2074906912".
* Downloads file from "c.cnzz.com/core.php?web_id=1253407789&t=z".
* Downloads file from "qurl.f.360.cn /wdinfo.php".
* Downloads file from "cnzz.mmstat.com/9.gif?abc=1&rnd=940735739".
* Downloads file from "s.360.cn/hips/update/inst.htm?m=8eb47bbf275ffb80e1c148f7c5cb4602&v=1001164&s=451&r=0&d=999999".
* Downloads file from "pcookie.cnzz.com/app.gif?&cna=HJO4D4G9bAoCAXqpZFvKYXKq".
* Uses POST methods in HTTP.

Process/window/string information:

* Gets user name information.
* Gets input locale identifiers.
* Gets volume information.
* Gets computer name.
* Checks for debuggers.
* Enumerates running processes.
* Enables privilege SeAuditPrivilege.
* Opens a service named "Sens".
* Opens a service named "rasman".
* Creates a mutex "IESQMMUTEX_0_208".
* Creates a mutex "Local\!IETld!Mutex".
* Opens a service named "Csc".
* Opens a service named "CscService".
* Creates process "null, "C:\Program Files\qingfengrili\qfrl.exe" InstallSpreadOperate 1 (5)160510, null".
* Injects code into process "C:\Sandbox\Cognus\DefaultBox\drive\C\Program Files\qingfengrili\qfrl.exe".

Additional Information:

How To Remove output.92536418.txt

1. Download Sniper Antivirus.
2. Install the exe file on your system.
3. Run a full scan of your computer, or of the folder where output.92536418.txt is located.
4. Once the scan is finished, you'll get the message "scan is complete". Click the OK button to get the results.
5. Then delete the threat from the table.
