Troj/Autoit-XS

Category: Viruses and Spyware
Type: Trojan
Prevalence: Small Number of Reports
Protection available since: 16 Sep 2013 04:33:04 (GMT)
Last Updated: 16 Sep 2013 12:04:42 (GMT)


Examples of Troj/Autoit-XS include:

Example 1

File Information

Size: 1.2M
SHA-1: 454801e1e5c2fca8ca180a7838f8f867062da97b
MD5: 2bfa352d39666b00f54c13895399ec6e
CRC-32: 0b12f9a9
File type: Windows executable
First seen: 2013-09-15

Runtime Analysis

Dropped Files
  • c:\Documents and Settings\test user\Application Data\Byxyw\touw.qyi
    Size: 477
    SHA-1: 736e7e55955cf747579fbf59540c35cd44c2e323
    MD5: eb31952f647402e7515f94984356134b
    CRC-32: 00db97b8
    File type: Unspecified binary - probably data
    First seen: 2013-09-16
  • c:\Documents and Settings\test user\Application Data\Boyry\ekbo.exe
    Size: 1.2M
    SHA-1: dec9f5833f9585f46301e08f928bf2de9f5aa556
    MD5: ec12f4c28aa3bbff6b75805d0c687dcb
    CRC-32: 72b8b32a
    File type: Windows executable
    First seen: 2013-09-16
  • c:\Documents and Settings\test user\Local Settings\Temp\f.txt
    Size: 139K
    SHA-1: a75c4ff3340febee712d16cc668bd40b55f38dee
    MD5: 9a64810eabed4f79450fb74a03333f3b
    CRC-32: a54c5d08
    File type: Unspecified binary - probably data
    First seen: 2013-09-15
Modified Files
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Offline.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Folders.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Inbox.dbx
Registry Keys Created
  • HKCU\Software\Microsoft\Obowe
    Pabuz = (binary value; contents not representable as text)
  • HKCU\Software\Microsoft\Internet Explorer\Privacy
    CleanCookies = 0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    GlobalUserOffline = 0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    {92126B6E-729F-8CAF-66F6-EE24C2838D29} = "c:\Documents and Settings\test user\Application Data\Boyry\ekbo.exe"
  • HKCU\Identities
    Identity Login = 0x00098053
Registry Keys Modified
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
    1609 = 0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
    1609 = 0x00000000
  • HKCU\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Software\Microsoft\Outlook Express\5.0
    Compact Check Count = 0x00000008
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
    1609 = 0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\UnreadMail\user@example.com
    TimeStamp = e0 66 81 de 85 b2 ce 01
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
    1609 = 0x00000000
Processes Created
  • c:\Documents and Settings\test user\application data\boyry\ekbo.exe
  • c:\windows\system32\cmd.exe
HTTP Requests
  • http://185.12.46.102/dede-business/server/format.bin
  • http://cryptercoder.com/fun.txt
  • http://www.google.bg/webhp
  • http://www.google.com/webhp
IP Connections
  • 185.12.46.102:80
DNS Requests
  • cryptercoder.com
  • www.google.bg
  • www.google.com

Example 2

File Information

Size: 1.2M
SHA-1: dec9f5833f9585f46301e08f928bf2de9f5aa556
MD5: ec12f4c28aa3bbff6b75805d0c687dcb
CRC-32: 72b8b32a
File type: Windows executable
First seen: 2013-09-16
