Mal/Agent-AKF

Category:	Viruses and Spyware	Protection available since:	25 Nov 2012 04:21:05 (GMT)
Type:	Malicious behavior	Last Updated:	12 Dec 2012 16:56:35 (GMT)
Prevalence:

Download our free Virus Removal Tool - Find and remove threats your antivirus missed

Examples of Mal/Agent-AKF include:

Example 1

File Information

Size: 61K
SHA-1: 19df306847e635d88f3bdb23ff92d60f91f46346
MD5: 5c2b9b2c90d8061270a5cda3febcbf7d
CRC-32: 6dc3aa18
File type: Windows executable
First seen: 2012-11-24

Runtime Analysis

Registry Keys Created

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
sv□h□st
%SystemDrive%\test_item.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments
SaveZoneInformation
0x00000001
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012012112720121128
CacheRepair
0x00000000

Registry Keys Modified

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer
CleanShutdown
0x00000001
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations
LowRiskFileTypes
.exe;

HTTP Requests

http://support33710.homelinux.com/7678623400121/lending/tds.php

DNS Requests

google.com
support33710.homelinux.com

Example 2

File Information

Size: 122K
SHA-1: 3363ab0329cf822a123915298588c4851f6a2115
MD5: 102340729ced570808df1f965b20fae6
CRC-32: da973e8a
File type: Windows executable
First seen: 2012-11-24

Runtime Analysis

Dropped Files

c:\Documents and Settings\test user\Desktop\pluginsdat.log
Size
10
SHA-1
2500acf4a7bf89c336b5a7f659d9eadc78627063
MD5
a0a1c28d2356f330f5116b4ffd1ee701
CRC-32
397c0c76
File type
Configuration Data File (generic)
First seen
2012-11-25
c:\Documents and Settings\test user\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1202660629-1454471165-1275210071-1003\be3d031fba79eb6a09bd524613e46c79_26c19984-2a01-45b5-a7b3-a568af60c200
Size
1.3K
SHA-1
e5f8d744d5e5fb74cd2c997eeb0d7889d07d45d6
MD5
7dd11d3cd6f49762a8ae02bd612b1109
CRC-32
a822c535
File type
Unspecified binary - probably data
First seen
2012-11-25
c:\Documents and Settings\test user\Application Data\Microsoft\SystemCertificates\My\Certificates\E9D9BF7593D542D2E6645CC1E87AC917953361D6
Size
751
SHA-1
c64d7fe20d30a3224c8c9123f7d8f83d6c40ffcb
MD5
c7e6573ad1ab14b5ca307400e13be51c
CRC-32
c1593d26
File type
Unspecified binary - probably data
First seen
2012-11-25
c:\Documents and Settings\test user\Application Data\Microsoft\Protect\S-1-5-21-1202660629-1454471165-1275210071-1003\48d862f6-9a55-47d8-9c87-800b2e551fc9
Size
388
SHA-1
9d35610fbe03247961658ee579b088307c4b6aab
MD5
49d2cc5f1d6896819108a38dab4af7c9
CRC-32
d99b9f6b
File type
Unspecified binary - probably data
First seen
2012-11-25

Modified Files

%PROFILE%\Application Data\Microsoft\Protect\S-1-5-21-1202660629-1454471165-1275210071-1003\Preferred

Registry Keys Created

HKCU\Software\Google\Update\network\secure\QZmrchL
000
0x00000006
HKLM\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates\E9D9BF7593D542D2E6645CC1E87AC917953361D6
Blob
□□□□□□□□□□□□@□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□ □□□□□@□□ □□□□□P□□ □□`□□□□□@□□p□□0□□□□□□□□@□□p□□□□□ □□□□□□□□`□□□□□□□□□□□0□□0□□□□□□□□□□□P□□@□□□□□0□□`□□ □□□□□□□□□□□□□□□□□□□□□□□0□□ □□□□□0□□□□□`□□@□□□□□ □□□□□0□□P□□□□□0□□ □□□□□□□□@□□□□□p□□ □□□□□□□□□□□□□□0□□□□□□□□ □□□□□`□□□□□@□□P□□ □□□□□`□□□□□□□□□□□□□□□□□0□□□□□□□□□□□@□□□□□□□□□u□0□□ □□`d□□□□□z□□□□P3□□□□□□□□□□□□□□□□0□□□□□□□□□□□□□□□\□□□□ □□ □□□]□`M□□!□□□□□N□P□□p□□@□□□0□□□□P+□□□□ □□P□□□□□□□□□□□`□□P□□0□□ps□Pp□□o□ t□□ □p□□□2□□1□ 5□□1□@2□P4□□□□□2□□1□ 1□□0□□0□□4□ 5□@Z□□□□□□□□□□`□□P□□0□□ps□Pp□□o□ t□□□□□0□□□□□*□`H□`□□□□□□□□P□□0□□□□□□□□□□□□□□□□□□H□□□□□[□`□□p□□0□□□□□□□□ □□ □□□□□□?□□□□□M□P□□pq□□□□`□□□□□`□□□\□`□□PC□P□□`□□□□□□□□p□□□□□□□□□,□p□□□=□□□□PM□□□□□□□PQ□□a□□□□□□□□□□□□□□(□□H□@□□p□□Pk□□□□□□□□,□□□□□□□□□□□□□PB□□v□ [... 166 intervening characters ...] ;□@|□ □□p□□□□□□□□□□□@□□p□□□□□□l□□□□□□□ □□ ]□□□□@□□□□□□Q□□q□□□□@□□@□□□□□□□□□N□□□□□□□P□□□□□□□□□□□ W□□<□0*□□□□□□□□F□□□□□□□`□□□□□`□□□□□@T□□□□@□□□8□@□□□□□□□□@□□□□□□□□P□□□□□□&□□□□□]□□8□□□□□□□p*□□d□P
HKCU\Software\Google\Update\network\secure\T1B
000
0x00000006
HKCU\Software\Google\Update\network\secure
2
ti□□n□□□□□□□pe□@L□□s□@A□0t□□v□PP□□p□Pp□□□□pe□@A□0t□□v□PW□□n□@o□p□□□e□0s□□g□PB□□x□□□□PS□PR□02□□D□□L□□□□□□□□□□□□□0□□P□□p□□□□□□□□□□□□□□□□□0□□P□□p□□□□□□□□□□□□ □□"□0$□P&□p(□□*□□,□□.□□0□□2□04□P6□p8□□:□□<□□>□□@□□B□0D□PF□pH□□J□□L□□N□□P□□R□0T□PV□pX□□Z□□\□□^□□`□□b□0d□Pf□ph□□j□□l□□n□□p□□r□0t□Pv□px□□z□□|□□~□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□ [... 16512 intervening characters ...] □□□□□□□□□□□□□□□@□□`□□□□□ □□□□□P□□@□□□□□0□□`□□@□□□□□p□□@□□0□□□□□`□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□
HKCU\Software\WinRAR
HWID
{5□□8□□3□□7□P-□`6□06□□4□09□0-□□8□ 4□□C□@A□□5□□4□□B□09□0}□
HKCU\Software\Adobe\Adobe Acrobat
lde
ohHjEARL+TJrsHfxhA
HKCU\Software\Microsoft\Windows NT\CurrentVersion\EFS\CurrentKeys
CertificateHash
□□□□u□0□□ □□`d□□□□□z□□□□P3□□□□
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
zVpJpuumNB
c:\Documents and Settings\test user\Local Settings\Application Data\Microsoft\Windows\xoasklv.exe
HKCU\Software\Google\Update\network\secure\QdD
000
0x00000003
HKCU\Software\Google\Update
updateid
[1]96:10061

Processes Created

c:\Documents and Settings\test user\local settings\application data\microsoft\windows\xoasklv.exe
c:\windows\system32\svchost.exe

HTTP Requests

http://184.82.173.113/
http://184.82.173.113/Wh83Wwg6VwEWfx54RCAhDmlRYxJwdxNAJTJPRXkGV2sbbFIiQEM1L1YPfWMYcGpaIkozQTN+E1dgO0BTPhcYZ1YvQDUDTT5mTUgvMFVkKkE1SSlRPn0YFiE9SFk7FxdnVyIUYRgTd2JEAHh/X3h6WmY=
http://184.82.173.113/m/ps.zip
http://184.82.173.113/m/s5.zip
http://184.82.173.113/m/sdata.zip

IP Connections

184.82.173.113:80
184.82.173.113:8080

DNS Requests

www.standardslightboxs.com

Example 3

File Information

Size: 87K
SHA-1: 3fae0db68ddb258d7f8d5a4d2fb462086a32fe00
MD5: 3897c43ec5be2441fc9dcaa4aa21dd6f
CRC-32: bf87a3c8
File type: Windows executable
First seen: 2012-11-24

Runtime Analysis

Registry Keys Created

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
(Default)
c:\test_item.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012012112420121125
CacheRepair
0x00000000

Registry Keys Modified

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer
CleanShutdown
0x00000001

HTTP Requests

http://hmhimnknhp.steelcoin.info/get.php

IP Connections

209.85.229.104:80

DNS Requests

hmhimnknhp.steelcoin.info

Try Sophos products for free
Download now

Security Goals

INDUSTRIES & SECTORS

COMPANY SIZE

PRODUCT FEATURES

CASE STUDIES

Company Overview

Our People

INNOVATIVE TECHNOLOGY

ALERT SERVICES

Product Features

Product Families

Complete Security

PRODUCTS BY NAME

Free Tools

Next Steps

RESOURCES

FIND AN ANSWER

Support by Product

Maintain your Product

Hire an Expert

WHAT'S POPULAR

THREAT ANALYSIS

THREAT STATISTICS

WHAT'S POPULAR

Threat Definitions

THREAT MONITORING

SECURITY HUBS

LIBRARY

Whats Popular

WHAT'S NEW

Community

IT SECURITY TRAINING

ANATOMY OF AN ATTACK

RESELLER PARTNERS

Managed Service Providers

SYSTEM INTEGRATORS

OEM and Technology

WHAT'S POPULAR

Mal/Agent-AKF

Example 1

File Information

Runtime Analysis

Registry Keys Created

Registry Keys Modified

HTTP Requests

DNS Requests

Example 2

File Information

Runtime Analysis

Dropped Files

Modified Files

Registry Keys Created

Processes Created

HTTP Requests

IP Connections

DNS Requests

Example 3

File Information

Runtime Analysis

Registry Keys Created

Registry Keys Modified

HTTP Requests

IP Connections

DNS Requests

Free Mac Anti-Virus

Popular topics