Trojan.Agent
Risk Level 1
 
File Size : 312863 KB
File Type : Portable Executable 32 .NET Assembly
File Name : WinRAR.exe
MD5 : 47594b5281c0012bb7fd5d885ecfccc0
SHA1 : 97435c136c0146c10fb2dd6257bba62fdef76d6e
SHA256 : f6844fd4ab29ce79270600eecf4e25da5c5e056d2b3cfdb1dd

General information:

* File name: C:\Users\cognus\Downloads\f6844fd4ab29ce79270600eecf4e25da5c5e056d2b3cfdb1ddc94a0c49478bf3.exe

Changes to registry:

* Creates value "NukeOnDelete=00000001" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Explorer\BitBucket
* Creates value "UseGlobalSettings=00000001" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Explorer\BitBucket
* Creates value "2148c16739c214a3a04b7657f8f9c965="C:\Users\cognus\AppData\Local\Temp\nvsvc.exe" .." in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Run
binary data=220043003A005C00550073006500720073005C0063006F0067006E00750073005C0041007000700044006100740061005C004C006F00630061006C005C00540065006D0070005C006E0076007300760063002E00650078006500220020002E002E000000
* Creates value "DontShowUI=00000001" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\Windows Error Reporting
* Creates Registry key HKEY_LOCAL_MACHINE\software\microsoft\Windows\Windows Error Reporting\LocalDumps
* Creates value "SEE_MASK_NOZONECHECKS=31000000" in key HKEY_CURRENT_USER\Environment
* Modifies value "NukeOnDelete=00000001" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{b474db1c-161b-11e6-932e-806e6f6e6963}
old value empty
* Creates value "2148c16739c214a3a04b7657f8f9c965="C:\Users\cognus\AppData\Local\Temp\nvsvc.exe" .." in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run
binary data=220043003A005C00550073006500720073005C0063006F0067006E00750073005C0041007000700044006100740061005C004C006F00630061006C005C00540065006D0070005C006E0076007300760063002E00650078006500220020002E002E000000
* Creates value "(Default)=31" in key HKEY_CURRENT_USER\software\SandboxAutoExec
* Creates Registry key HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\NetTrace\Session
* Creates value "dhcpqec.dll,-100=DHCP Quarantine Enforcement Client" in key HKEY_CURRENT_USER\software\classes\Local Settings\MuiCache\109\52C64B7E\@%SystemRoot%\system32
binary data=44004800430050002000510075006100720061006E00740069006E006500200045006E0066006F007200630065006D0065006E007400200043006C00690065006E0074000000
* Creates value "dhcpqec.dll,-101=Provides DHCP based enforcement for NAP" in key HKEY_CURRENT_USER\software\classes\Local Settings\MuiCache\109\52C64B7E\@%SystemRoot%\system32
binary data=500072006F007600690064006500730020004400480043005000200062006100730065006400200065006E0066006F007200630065006D0065006E007400200066006F00720020004E00410050000000
* Creates value "dhcpqec.dll,-103=1.0" in key HKEY_CURRENT_USER\software\classes\Local Settings\MuiCache\109\52C64B7E\@%SystemRoot%\system32
binary data=31002E0030000000
* Creates value "dhcpqec.dll,-102=Microsoft Corporation" in key HKEY_CURRENT_USER\software\classes\Local Settings\MuiCache\109\52C64B7E\@%SystemRoot%\system32
binary data=4D006900630072006F0073006F0066007400200043006F00720070006F0072006100740069006F006E000000
* Creates value "napipsec.dll,-1=490050007300650063002000520065006C00790069006E0067002000500061007200740079000000" in key HKEY_CURRENT_USER\software\classes\Local Settings\MuiCache\109\52C64B7E\@%SystemRoot%\system32
* Creates value "napipsec.dll,-2=Provides IPsec based enforcement for Network Access Protection" in key HKEY_CURRENT_USER\software\classes\Local Settings\MuiCache\109\52C64B7E\@%SystemRoot%\system32
binary data=500072006F0076006900640065007300200049005000730065006300200062006100730065006400200065006E0066006F007200630065006D0065006E007400200066006F00720020004E006500740077006F0072006B0020004100630063006500730073002000500072006F00740065006300740069006F006E000000
* Creates value "napipsec.dll,-4=1.0" in key HKEY_CURRENT_USER\software\classes\Local Settings\MuiCache\109\52C64B7E\@%SystemRoot%\system32
binary data=31002E0030000000
* Creates value "napipsec.dll,-3=Microsoft Corporation" in key HKEY_CURRENT_USER\software\classes\Local Settings\MuiCache\109\52C64B7E\@%SystemRoot%\system32
binary data=4D006900630072006F0073006F0066007400200043006F00720070006F0072006100740069006F006E000000
* Creates value "tsgqec.dll,-100=RD Gateway Quarantine Enforcement Client" in key HKEY_CURRENT_USER\software\classes\Local Settings\MuiCache\109\52C64B7E\@%SystemRoot%\system32
binary data=52004400200047006100740065007700610079002000510075006100720061006E00740069006E006500200045006E0066006F007200630065006D0065006E007400200043006C00690065006E0074000000
* Creates value "tsgqec.dll,-101=Provides RD Gateway enforcement for NAP" in key HKEY_CURRENT_USER\software\classes\Local Settings\MuiCache\109\52C64B7E\@%SystemRoot%\system32
binary data=500072006F007600690064006500730020005200440020004700610074006500770061007900200065006E0066006F007200630065006D0065006E007400200066006F00720020004E00410050000000
* Creates value "tsgqec.dll,-102=1.0" in key HKEY_CURRENT_USER\software\classes\Local Settings\MuiCache\109\52C64B7E\@%SystemRoot%\system32
binary data=31002E0030000000
* Creates value "tsgqec.dll,-103=Microsoft Corporation" in key HKEY_CURRENT_USER\software\classes\Local Settings\MuiCache\109\52C64B7E\@%SystemRoot%\system32
binary data=4D006900630072006F0073006F0066007400200043006F00720070006F0072006100740069006F006E000000
* Creates value "eapqec.dll,-100=EAP Quarantine Enforcement Client" in key HKEY_CURRENT_USER\software\classes\Local Settings\MuiCache\109\52C64B7E\@%SystemRoot%\system32
binary data=4500410050002000510075006100720061006E00740069006E006500200045006E0066006F007200630065006D0065006E007400200043006C00690065006E0074000000
* Creates value "eapqec.dll,-101=Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies." in key HKEY_CURRENT_USER\software\classes\Local Settings\MuiCache\109\52C64B7E\@%SystemRoot%\system32
* Creates value "eapqec.dll,-102=1.0" in key HKEY_CURRENT_USER\software\classes\Local Settings\MuiCache\109\52C64B7E\@%SystemRoot%\system32
binary data=31002E0030000000
* Creates value "eapqec.dll,-103=Microsoft Corporation" in key HKEY_CURRENT_USER\software\classes\Local Settings\MuiCache\109\52C64B7E\@%SystemRoot%\system32
binary data=4D006900630072006F0073006F0066007400200043006F00720070006F0072006100740069006F006E000000
* Creates value "LangID=0904" in key HKEY_CURRENT_USER\software\classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
* Creates value "SandboxieRpcSs.exe=Sandboxie COM Services (RPC)" in key HKEY_CURRENT_USER\software\classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Program Files\Sandboxie
binary data=530061006E00640062006F00780069006500200043004F004D002000530065007200760069006300650073002000280052005000430029000000
* Creates value "f6844fd4ab29ce79270600eecf4e25da5c5e056d2b3cfdb1ddc94a0c49478bf3.exe=WinRAR archiver" in key HKEY_CURRENT_USER\software\classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Users\cognus\Downloads
binary data=570069006E005200410052002000610072006300680069007600650072000000
* Creates value "nvsvc.exe=nvsvc.exe" in key HKEY_CURRENT_USER\software\classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Sandbox\cognus\DefaultBox\user\current\AppData\Local\Temp
binary data=6E0076007300760063002E006500780065000000
* Creates value "netsh.exe=Network Command Shell" in key HKEY_CURRENT_USER\software\classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Windows\System32
binary data=4E006500740077006F0072006B00200043006F006D006D0061006E00640020005300680065006C006C000000

Changes to filesystem:

* Modifies file C:\Users\cognus\AppData\Local\GDIPFONTCACHEV1.DAT
* Creates file C:\Users\cognus\AppData\Local\Temp\Encryptado.exe
* Creates file C:\Users\cognus\AppData\Local\Temp\nvsvc.exe
* Creates file C:\Users\cognus\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2148c16739c214a3a04b7657f8f9c965.exe

Network services:

* Queries DNS "au.download.windowsupdate.com".
* Queries DNS "poodecrew.ddns.net".
* Queries DNS "teredo.ipv6.microsoft.com".

Process/window/string information:

* Keylogger functionality.
* Escalates a process to system critical status.
* Gets system default language ID.
* Gets computer name.
* Checks for debuggers.
* Creates an event named "Global\CorDBIPCSetupSyncEvent_3224".
* Creates process "C:\Users\cognus\AppData\Local\Temp\Encryptado.exe, "C:\Users\cognus\AppData\Local\Temp\Encryptado.exe" , C:\Users\cognus\Downloads".
* Injects code into process "C:\Sandbox\cognus\DefaultBox\user\current\AppData\Local\Temp\Encryptado.exe".
* Creates an event named "Global\CorDBIPCSetupSyncEvent_3632".
* Creates a mutex "2148c16739c214a3a04b7657f8f9c965".
* Creates process "C:\Users\cognus\AppData\Local\Temp\nvsvc.exe, "C:\Users\cognus\AppData\Local\Temp\nvsvc.exe" , C:\Users\cognus\Downloads".
* Injects code into process "C:\Sandbox\cognus\DefaultBox\user\current\AppData\Local\Temp\nvsvc.exe".
* Creates an event named "Global\CorDBIPCSetupSyncEvent_3752".
* Creates process "null, netsh firewall add allowedprogram "C:\Users\cognus\AppData\Local\Temp\nvsvc.exe" "nvsvc.exe" ENABLE, null".
* Injects code into process "C:\Windows\System32\netsh.exe".
* Enables privilege SeDebugPrivilege.
* Creates a mutex "Global\.net clr networking".
* Creates a mutex "Global\3a886eb8-fe40-4d0a-b78b-9e0bcb683fb7".
* Opens a service named "policyagent".
* Opens a service named "NapAgent".
* Enumerates running processes.
* Enables process privileges.
* Sleeps 796 seconds.

Additional Information:

How To Remove WinRAR.exe

1. Download Sniper Antivirus.
2. Install the exe file on your system.
3. Run a full scan of your computer, or of the folder where WinRAR.exe is located.
4. Once the scan is finished, you'll get the message "scan is complete". Click the OK button to get the results.
5. Then delete the threat from the table.
