Trojan.Agent
Risk Level 1
File Size: 2236830 KB
File Type: Portable Executable file (Win32 EXE)
File Name: Setup2.exe
MD5: 74e98c67e30df85b7f6e187866d81e36
SHA1: 62188ec55bc34b6ef6d841543162b4e6c9a33395
SHA256: 5b223453ec0dbdb3216be5baa5e04585c778e57939c1104537

General information:

* File name: C:\Users\vmware\Desktop\report\Setup2.exe

Changes to registry:

* Creates value "Setup2.exe=Setup2" in key HKEY_CURRENT_USER\software\classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Users\vmware\Desktop\report
binary data=5300650074007500700032000000
* Creates value "wscript.exe=Microsoft Windows Based Script Host" in key HKEY_CURRENT_USER\software\classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Windows\System32
binary data=4D006900630072006F0073006F00660074002000AE002000570069006E0064006F00770073002000420061007300650064002000530063007200690070007400200048006F00730074000000
* Creates value "vbc.exe=vbc" in key HKEY_CURRENT_USER\software\classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Windows\Microsoft.NET\Framework\v2.0.50727
binary data=7600620063000000
* Creates value "cmd.exe=Windows Command Processor" in key HKEY_CURRENT_USER\software\classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Windows\System32
binary data=570069006E0064006F0077007300200043006F006D006D0061006E0064002000500072006F0063006500730073006F0072000000
* Creates value "PING.EXE=TCP/IP Ping Command" in key HKEY_CURRENT_USER\software\classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Windows\System32
binary data=5400430050002F00490050002000500069006E006700200043006F006D006D0061006E0064000000
* Creates value "i1ma9.exe=i1ma9" in key HKEY_CURRENT_USER\software\classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Sandbox\vmware\DefaultBox\user\current\AppData\Local\Temp\ws38f
binary data=690031006D00610039000000
* Creates value "ZCdpPX.exe=Bootstrapper Application" in key HKEY_CURRENT_USER\software\classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Sandbox\vmware\DefaultBox\user\current\AppData\Local\Temp
binary data=42006F006F0074007300740072006100700070006500720020004100700070006C00690063006100740069006F006E000000

Changes to filesystem:

* Modifies file C:\Windows\WindowsUpdate.log
* Creates hidden folder C:\ZCdpPXZCdpPX
* Creates file C:\ZCdpPXZCdpPX\x
* Creates file C:\ZCdpPXZCdpPX\ZCdpPX.exe
* Creates file C:\Users\vmware\AppData\Local\Temp\PDApp.log
* Creates file C:\Users\vmware\AppData\Local\Temp\ws38f\eoxnb.vbs
* Creates file C:\Users\vmware\AppData\Local\Temp\ws38f\i1ma9.exe
* Creates file C:\Users\vmware\AppData\Local\Temp\ws38f\x
* Creates file C:\Users\vmware\AppData\Local\Temp\ZCdpPX.exe
* Creates hidden folder C:\Users\vmware\AppData\Roaming\ConfigsEx
* Creates file C:\Users\vmware\AppData\Roaming\ConfigsEx\ClipBoard.txt
* Creates file C:\Users\vmware\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZCdpPX.vbs

Network services:

* Queries DNS "resolver2.qheal.ctmail.com".
* Queries DNS "resolver5.qheal.ctmail.com".
* Queries DNS "webres2.qheal.ctmail.com".
* Queries DNS "www.msftncsi.com".
* Queries DNS "na1r.services.adobe.com".
* Queries DNS "AVbnVWVNtf.truedns.xyz".
* Queries DNS "mobile.pipe.aria.microsoft.com".
* Queries DNS "resolver3.qheal.ctmail.com".
* Queries DNS "webres4.qheal.ctmail.com".
* Queries DNS "resolver4.qheal.ctmail.com".
* Queries DNS "webres1.qheal.ctmail.com".
* Queries DNS "webres3.qheal.ctmail.com".
* Queries DNS "webres5.qheal.ctmail.com".
* Queries DNS "resolver1.qheal.ctmail.com".
* C:\Sandbox\vmware\DefaultBox\user\current\AppData\Local\Temp\ZCdpPX.exe Connects to "52.4.216.41" on port 443 (TCP - HTTPS).
* C:\Sandbox\vmware\DefaultBox\user\current\AppData\Local\Temp\ZCdpPX.exe Connects to "52.6.143.110" on port 443 (TCP - HTTPS).

Process/window/string information:

* Gets user name information.
* Gets system default language ID.
* Gets input locale identifiers.
* Gets volume information.
* Checks for debuggers.
* Installs a hook procedure that monitors keystroke messages.
* Checks if user is admin.
* Creates process "C:\Windows\System32\WScript.exe, "C:\Windows\System32\WScript.exe" "C:\Users\vmware\AppData\Local\Temp\ws38f\eoxnb.vbs" , C:\Users\vmware\AppData\Local\Temp\ws38f".
* Injects code into process "C:\Windows\System32\wscript.exe".
* Creates process "C:\Users\vmware\AppData\Local\Temp\ws38f\i1ma9.exe, "C:\Users\vmware\AppData\Local\Temp\ws38f\i1ma9.exe" C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, C:\Users\vmware\AppData\Local\Temp\ws38f".
* Injects code into process "C:\Sandbox\vmware\DefaultBox\user\current\AppData\Local\Temp\ws38f\i1ma9.exe".
* Creates process "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, null, null".
* Injects code into process "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe".
* Enumerates running processes.
* Creates process "C:\Users\vmware\AppData\Local\Temp\ZCdpPX.exe, "C:\Users\vmware\AppData\Local\Temp\ZCdpPX.exe" , C:\Users\vmware\AppData\Local\Temp\".
* Injects code into process "C:\Sandbox\vmware\DefaultBox\user\current\AppData\Local\Temp\ZCdpPX.exe".
* Creates process "C:\Windows\System32\cmd.exe, "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 && move C:\ZCdpPXZCdpPX\ZCdpPX.vbs "C:\Users\vmware\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZCdpPX.vbs", C:\".
* Injects code into process "C:\Windows\System32\cmd.exe".
* Creates a mutex "PDApp.log".
* Creates an event named "CancelPort".
* Creates process "C:\Windows\system32\PING.EXE, ping 127.0.0.1 , C:\".
* Enables privilege SeAuditPrivilege.
* Injects code into process "C:\Windows\System32\PING.EXE".
* Creates a mutex "Global\WindowsUpdateTracingMutex".
* Creates process "C:\Users\vmware\AppData\Local\Temp\ws38f\i1ma9.exe, null, null".
* Enables privilege SeShutdownPrivilege.
* Enables privilege SeDebugPrivilege.
* Enables privilege SeTcbPrivilege.
* Creates a mutex "72d4806e-1977-4245-9eaf-89e023bafcd0".
* Enables process privileges.
* Sleeps 767 seconds.

Additional Information:

How to remove Setup2.exe

1. Download Sniper Antivirus.
2. Install the exe file on your system.
3. Run a full scan of your computer, or of the folder where Setup2.exe is located.
4. Once the scan is finished, you'll get the message "scan is complete". Click the OK button to get the results.
5. Then delete the threat from the table.
