Troj/Agent-AAHQ

Category: Viruses and Spyware
Protection available since: 24 Feb 2013 02:25:30 (GMT)
Type: Trojan
Last Updated: 24 Feb 2013 22:33:01 (GMT)
Prevalence: Small Number of Reports


Examples of Troj/Agent-AAHQ include:

Example 1

File Information

Size
234K
SHA-1
58ada5583687feb6a9c590904663417aed93c446
MD5
81dc1827f170ba19a05e0350809e0735
CRC-32
e2f99ed4
File type
Windows executable
First seen
2013-02-24

Other vendor detection

Kaspersky
HEUR:Trojan.Win32.Generic

Runtime Analysis

Copies Itself To
  • c:\Documents and Settings\test user\Local Settings\Application Data\xottnklhwbcohns\urgldxzlgg.exe
  • c:\Documents and Settings\test user\Local Settings\Application Data\xottnklhwbcohns\vrsjlgexg.exe
Dropped Files
  • c:\Documents and Settings\test user\Local Settings\Application Data\xottnklhwbcohns\urgldxzlgg.nbgi7
    Size
    4
    SHA-1
    9181d83aa0db1838b0953c2501211f3dda1f6ad5
    MD5
    25ed8448f5055c4584a25a04c9851ac4
    CRC-32
    e1bfe176
    File type
    A binary file with a very small filesize (too small to be malicious)
    First seen
    2011-09-22
Registry Keys Created
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Program Superfetch Publication Device
    c:\Documents and Settings\test user\Local Settings\Application Data\xottnklhwbcohns\urgldxzlgg.exe
Processes Created
  • c:\Documents and Settings\test user\local settings\application data\xottnklhwbcohns\urgldxzlgg.exe
  • c:\Documents and Settings\test user\local settings\application data\xottnklhwbcohns\vrsjlgexg.exe
HTTP Requests
DNS Requests

Example 2

File Information

Size
233K
SHA-1
83e03d568dc66844e8baf9b31815ccb953937ca3
MD5
8b02ff75b2064f2a9df1184554343acd
CRC-32
6f2cda9c
File type
Windows executable
First seen
2013-02-23

Other vendor detection

Kaspersky
HEUR:Trojan.Win32.Generic

Runtime Analysis

Copies Itself To
  • c:\Documents and Settings\test user\Local Settings\Application Data\qpydthatpg\wfjedcnb.exe
  • c:\Documents and Settings\test user\Local Settings\Application Data\qpydthatpg\xiyvxzvqrjd.exe
Dropped Files
  • c:\Documents and Settings\test user\Local Settings\Application Data\qpydthatpg\wfjedcnb.tseot
    Size
    4
    SHA-1
    9181d83aa0db1838b0953c2501211f3dda1f6ad5
    MD5
    25ed8448f5055c4584a25a04c9851ac4
    CRC-32
    e1bfe176
    File type
    A binary file with a very small filesize (too small to be malicious)
    First seen
    2011-09-22
Registry Keys Created
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Ordering Offline UPnP Filtering
    c:\Documents and Settings\test user\Local Settings\Application Data\qpydthatpg\wfjedcnb.exe
Processes Created
  • c:\Documents and Settings\test user\local settings\application data\qpydthatpg\wfjedcnb.exe
  • c:\Documents and Settings\test user\local settings\application data\qpydthatpg\xiyvxzvqrjd.exe
HTTP Requests
DNS Requests

Example 3

File Information

Size
233K
SHA-1
a03ace1be5716507e79dd3c84f84c30f93f00582
MD5
9bec9612b68bca6ca78b93eb024d155e
CRC-32
f1e473ac
File type
Windows executable
First seen
2013-02-24

Runtime Analysis

Copies Itself To
  • c:\Documents and Settings\test user\Local Settings\Application Data\mqznoee\timzsfqmt.exe
  • c:\Documents and Settings\test user\Local Settings\Application Data\mqznoee\tsqrsemk.exe
Dropped Files
  • c:\Documents and Settings\test user\Local Settings\Application Data\mqznoee\tsqrsemk.xqlmx
    Size
    4
    SHA-1
    9181d83aa0db1838b0953c2501211f3dda1f6ad5
    MD5
    25ed8448f5055c4584a25a04c9851ac4
    CRC-32
    e1bfe176
    File type
    A binary file with a very small filesize (too small to be malicious)
    First seen
    2011-09-22
Registry Keys Created
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    IKE Connection Telephony Browser
    c:\Documents and Settings\test user\Local Settings\Application Data\mqznoee\tsqrsemk.exe
Processes Created
  • c:\Documents and Settings\test user\local settings\application data\mqznoee\timzsfqmt.exe
  • c:\Documents and Settings\test user\local settings\application data\mqznoee\tsqrsemk.exe
HTTP Requests
DNS Requests
