Trojan.Agent
Risk Level 1
File Size: 155648 KB
File Type: Portable Executable 32
File Name: virussign.com_84824ee155a434ae33c3f88713776370.vir
MD5: 84824ee155a434ae33c3f88713776370
SHA1: 6e00cf273e4decdf8df549ba1f189857e24416a9
SHA256: 9f102fe4f3c6278da65a54b083e9abcdb8888bc889af4a8c71

General information:

* File name: C:\Users\cognus\Desktop\Analyzed Viruses\8 June 2016\New folder\Sample\84824ee155a434ae33c3f88713776370.exe

Changes to registry:

* Creates value "NukeOnDelete=00000001" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Explorer\BitBucket
* Creates value "UseGlobalSettings=00000001" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Explorer\BitBucket
* Creates value "DontShowUI=00000001" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\Windows Error Reporting
* Creates Registry key HKEY_LOCAL_MACHINE\software\microsoft\Windows\Windows Error Reporting\LocalDumps
* Creates value "Type=00000010" in key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\local Security Authority process
* Creates value "Start=00000002" in key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\local Security Authority process
* Creates value "ErrorControl=00000001" in key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\local Security Authority process
* Creates value "DisplayName=Windows " in key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\local Security Authority process
  binary data=570069006E0064006F00770073002000B700FE00CE00F100D600F700BD00F800B300CC000000
* Creates value "ImagePath=C:\Windows\temp\svchost.exe" in key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\local Security Authority process
  binary data=43003A005C00570069006E0064006F00770073005C00740065006D0070005C0073007600630068006F00730074002E006500780065000000
* Creates Registry key HKEY_USERS\.DEFAULT\Sale
* Modifies value "NukeOnDelete=00000001" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{c9d04f3b-1c7e-11e6-979c-806e6f6e6963}
  old value empty
* Creates value "(Default)=31" in key HKEY_CURRENT_USER\software\SandboxAutoExec
* Creates value "SandboxieRpcSs.exe=Sandboxie COM Services (RPC)" in key HKEY_CURRENT_USER\software\classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Program Files\Sandboxie
  binary data=530061006E00640062006F00780069006500200043004F004D002000530065007200760069006300650073002000280052005000430029000000
* Creates value "cmd.exe=Windows Command Processor" in key HKEY_CURRENT_USER\software\classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Windows\system32
  binary data=570069006E0064006F0077007300200043006F006D006D0061006E0064002000500072006F0063006500730073006F0072000000

Changes to filesystem:

* Creates file C:\Windows\temp\svchost.exe
* Creates file (empty) C:\Windows\temp\~DFREG0.tmp
* Modifies file (empty) C:\Users\cognus\Desktop\Analyzed Viruses\8 June 2016\New folder\Sample\84824ee155a434ae33c3f88713776370.exe

Network services:

* Queries DNS "j.smrhk.com".
* Queries DNS "www.gstatic.com".
* Queries DNS "wpad.localdomain".
* Queries DNS "clients2.google.com".
* Queries DNS "dns.msftncsi.com".

Process/window/string information:

* Escalates a process to system critical status.
* Gets user name information.
* Gets volume information.
* Checks for debuggers.
* Creates process "null, "C:\Windows\temp\svchost.exe" -install, null".
* Injects code into process "C:\Sandbox\cognus\DefaultBox\drive\C\Windows\temp\svchost.exe".
* Creates a service named "local Security Authority process".
* Starts a service.
* Creates process "null, "C:\Users\cognus\AppData\Local\Temp\~0.bat" , C:\Users\cognus\Desktop\Analyzed Viruses\8 June 2016\New folder\Sample".
* Injects code into process "C:\Windows\System32\cmd.exe".
* Enables privilege SeBackupPrivilege.
* Enables privilege SeRestorePrivilege.
* Enables process privileges.
* Sleeps 592 seconds.

Additional Information:

How to remove virussign.com_84824ee155a434ae33c3f88713776370.vir

1. Download Sniper Antivirus.
2. Install the exe file on your system.
3. Run a full scan of your computer, or of the folder where virussign.com_84824ee155a434ae33c3f88713776370.vir is located.
4. Once the scan is finished, you will get the message "scan is complete". Click the OK button to see the results.
5. Delete the threat from the results table.
