Trojan.Agent
Risk Level 1
 
File Size : 827904 KB
File Type : Portable Executable 32
File Name : SKMBT_C22416041913450.exe
MD5 : b081ac21227d536ca89450fdb65827ae
SHA1 : 7ef464f527c0bf94c7c1010b5fea074856e40cd9
SHA256 : 70c269640837986014ef6b38af91388b995176752801252c4f

General information:

* File name: C:\Users\cognus\Desktop\Analyzed Viruses\4 June 2016\New folder\Samples\b081ac21227d536ca89450fdb65827ae.exe

Changes to registry :

* Creates value "NukeOnDelete=00000001" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Explorer\BitBucket
* Creates value "UseGlobalSettings=00000001" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Explorer\BitBucket
* Creates value "DontShowUI=00000001" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\Windows Error Reporting
* Creates Registry key HKEY_LOCAL_MACHINE\software\microsoft\Windows\Windows Error Reporting\LocalDumps
* Modifies value "NukeOnDelete=00000001" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{c9d04f3b-1c7e-11e6-979c-806e6f6e6963} (old value empty)
* Creates value "(Default)=31" in key HKEY_CURRENT_USER\software\SandboxAutoExec
* Creates value "SandboxieRpcSs.exe=Sandboxie COM Services (RPC)" in key HKEY_CURRENT_USER\software\classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Program Files\Sandboxie
binary data=530061006E00640062006F00780069006500200043004F004D002000530065007200760069006300650073002000280052005000430029000000
* Creates value "b081ac21227d536ca89450fdb65827ae.exe=Interactive Services Detection" in key HKEY_CURRENT_USER\software\classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Users\cognus\Desktop\Analyzed Viruses\4 June 2016\New folder\Samples
binary data=49006E00740065007200610063007400690076006500200053006500720076006900630065007300200044006500740065006300740069006F006E000000
* Creates value "RegAsm.exe=Phulli" in key HKEY_CURRENT_USER\software\classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Windows\Microsoft.NET\Framework\v2.0.50727
binary data=5000680075006C006C0069000000

Changes to filesystem:

* Creates file C:\Users\cognus\AppData\Roaming\pid.txt
* Creates file C:\Users\cognus\AppData\Roaming\pidloc.txt

Network services:

* Queries DNS "www.msftncsi.com".
* Queries DNS "dns.msftncsi.com".
* Queries DNS "www.google.com".
* Queries DNS "wpad.localdomain".
* Queries DNS "www.google.co.in".
* Queries DNS "clients4.google.com".
* Queries DNS "translate.googleapis.com".
* Queries DNS "eygfxthvxu.localdomain".
* Queries DNS "kfmnrmkua.localdomain".
* Queries DNS "vhmwwkjbrgnyc.localdomain".
* Queries DNS "www.virustotal.com".
* Queries DNS "ssl.gstatic.com".
* Queries DNS "virustotalcloud.appspot.com".
* Queries DNS "ajax.googleapis.com".
* Queries DNS "ssl.google-analytics.com".
* Queries DNS "clients1.google.com".
* Queries DNS "stats.g.doubleclick.net".
* Queries DNS "safebrowsing.google.com".
* Queries DNS "safebrowsing-cache.google.com".
* Queries DNS "clients2.google.com".
* Queries DNS "www.gstatic.com".
* Queries DNS "tools.google.com".

Process/window/string information:

* Gets computer name.
* Checks for debuggers.
* Removes Zone.Identifier information.
* Creates an event named "Global\CorDBIPCSetupSyncEvent_2516".
* Enables privilege SeDebugPrivilege.
* Creates an event named "Metallica".
* Creates process "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe", null".
* Injects code into process "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe".
* Creates an event named "Global\CorDBIPCSetupSyncEvent_3740".
* Creates an event named "1f128a07-8438-4dc0-8205-570da0ccce8d1.0Event".
* Creates an event named "1f128a07-8438-4dc0-8205-570da0ccce8d1.0Event2".
* Creates a mutex "Global\.net clr networking".
* Enables process privileges.
* Sleeps 19 seconds.

Additional Information:

How To Remove SKMBT_C22416041913450.exe

1. Download Sniper Antivirus.
2. Install the exe file on your system.
3. Run a full scan of your computer, or of the folder where SKMBT_C22416041913450.exe is located.
4. Once the scan is finished, you'll get the message "scan is complete". Click the OK button to get the results.
5. Then delete the threat from the table.
