Mal/Agent-AKF

Category: Viruses and Spyware
Type: Malicious behavior
Protection available since: 25 Nov 2012 04:21:05 (GMT)
Last Updated: 12 Dec 2012 16:56:35 (GMT)
Prevalence: Small Number of Reports


Examples of Mal/Agent-AKF include:

Example 1

File Information

Size
61K
SHA-1
19df306847e635d88f3bdb23ff92d60f91f46346
MD5
5c2b9b2c90d8061270a5cda3febcbf7d
CRC-32
6dc3aa18
File type
Windows executable
First seen
2012-11-24

Runtime Analysis

Registry Keys Created
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    sv□h□st
    %SystemDrive%\test_item.exe
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments
    SaveZoneInformation
    0x00000001
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012012112720121128
    CacheRepair
    0x00000000
Registry Keys Modified
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer
    CleanShutdown
    0x00000001
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations
    LowRiskFileTypes
    .exe;
HTTP Requests
  • http://support33710.homelinux.com/7678623400121/lending/tds.php
DNS Requests
  • google.com
  • support33710.homelinux.com

Example 2

File Information

Size
122K
SHA-1
3363ab0329cf822a123915298588c4851f6a2115
MD5
102340729ced570808df1f965b20fae6
CRC-32
da973e8a
File type
Windows executable
First seen
2012-11-24

Runtime Analysis

Dropped Files
  • c:\Documents and Settings\test user\Desktop\pluginsdat.log
    Size
    10
    SHA-1
    2500acf4a7bf89c336b5a7f659d9eadc78627063
    MD5
    a0a1c28d2356f330f5116b4ffd1ee701
    CRC-32
    397c0c76
    File type
    Configuration Data File (generic)
    First seen
    2012-11-25
  • c:\Documents and Settings\test user\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1202660629-1454471165-1275210071-1003\be3d031fba79eb6a09bd524613e46c79_26c19984-2a01-45b5-a7b3-a568af60c200
    Size
    1.3K
    SHA-1
    e5f8d744d5e5fb74cd2c997eeb0d7889d07d45d6
    MD5
    7dd11d3cd6f49762a8ae02bd612b1109
    CRC-32
    a822c535
    File type
    Unspecified binary - probably data
    First seen
    2012-11-25
  • c:\Documents and Settings\test user\Application Data\Microsoft\SystemCertificates\My\Certificates\E9D9BF7593D542D2E6645CC1E87AC917953361D6
    Size
    751
    SHA-1
    c64d7fe20d30a3224c8c9123f7d8f83d6c40ffcb
    MD5
    c7e6573ad1ab14b5ca307400e13be51c
    CRC-32
    c1593d26
    File type
    Unspecified binary - probably data
    First seen
    2012-11-25
  • c:\Documents and Settings\test user\Application Data\Microsoft\Protect\S-1-5-21-1202660629-1454471165-1275210071-1003\48d862f6-9a55-47d8-9c87-800b2e551fc9
    Size
    388
    SHA-1
    9d35610fbe03247961658ee579b088307c4b6aab
    MD5
    49d2cc5f1d6896819108a38dab4af7c9
    CRC-32
    d99b9f6b
    File type
    Unspecified binary - probably data
    First seen
    2012-11-25
Modified Files
  • %PROFILE%\Application Data\Microsoft\Protect\S-1-5-21-1202660629-1454471165-1275210071-1003\Preferred
Registry Keys Created
  • HKCU\Software\Google\Update\network\secure\QZmrchL
    000
    0x00000006
  • HKLM\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates\E9D9BF7593D542D2E6645CC1E87AC917953361D6
    Blob
    (binary certificate blob; bytes not legible in this listing)
  • HKCU\Software\Google\Update\network\secure\T1B
    000
    0x00000006
  • HKCU\Software\Google\Update\network\secure
    2
    (binary data; bytes not legible in this listing)
  • HKCU\Software\WinRAR
    HWID
    {5□□8□□3□□7□P-□`6□06□□4□09□0-□□8□ 4□□C□@A□□5□□4□□B□09□0}□
  • HKCU\Software\Adobe\Adobe Acrobat
    lde
    ohHjEARL+TJrsHfxhA
  • HKCU\Software\Microsoft\Windows NT\CurrentVersion\EFS\CurrentKeys
    CertificateHash
    (binary hash value; bytes not legible in this listing)
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    zVpJpuumNB
    c:\Documents and Settings\test user\Local Settings\Application Data\Microsoft\Windows\xoasklv.exe
  • HKCU\Software\Google\Update\network\secure\QdD
    000
    0x00000003
  • HKCU\Software\Google\Update
    updateid
    [1]96:10061
Processes Created
  • c:\Documents and Settings\test user\local settings\application data\microsoft\windows\xoasklv.exe
  • c:\windows\system32\svchost.exe
HTTP Requests
  • http://184.82.173.113/
  • http://184.82.173.113/Wh83Wwg6VwEWfx54RCAhDmlRYxJwdxNAJTJPRXkGV2sbbFIiQEM1L1YPfWMYcGpaIkozQTN+E1dgO0BTPhcYZ1YvQDUDTT5mTUgvMFVkKkE1SSlRPn0YFiE9SFk7FxdnVyIUYRgTd2JEAHh/X3h6WmY=
  • http://184.82.173.113/m/ps.zip
  • http://184.82.173.113/m/s5.zip
  • http://184.82.173.113/m/sdata.zip
IP Connections
  • 184.82.173.113:80
  • 184.82.173.113:8080
DNS Requests
  • www.standardslightboxs.com

Example 3

File Information

Size
87K
SHA-1
3fae0db68ddb258d7f8d5a4d2fb462086a32fe00
MD5
3897c43ec5be2441fc9dcaa4aa21dd6f
CRC-32
bf87a3c8
File type
Windows executable
First seen
2012-11-24

Runtime Analysis

Registry Keys Created
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    (Default)
    c:\test_item.exe
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012012112420121125
    CacheRepair
    0x00000000
Registry Keys Modified
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer
    CleanShutdown
    0x00000001
HTTP Requests
  • http://hmhimnknhp.steelcoin.info/get.php
IP Connections
  • 209.85.229.104:80
DNS Requests
  • hmhimnknhp.steelcoin.info
