Troj/AutoIt-AAB

Category: Viruses and Spyware
Protection available since: 14 Nov 2013 22:01:04 (GMT)
Type: Trojan
Last Updated: 14 Nov 2013 22:01:04 (GMT)
Prevalence: Small Number of Reports


Examples of Troj/AutoIt-AAB include:

Example 1

File Information

Size
3.4M
SHA-1
381103788f9766ec2e2803cf37e2f1369a444040
MD5
5d71cac9a87369a691a5164436c46b52
CRC-32
44f9072a
File type
Windows executable
First seen
2013-11-14

Runtime Analysis

Dropped Files
  • c:\Documents and Settings\test user\qfyip\start.vbs
    Size
    193
    SHA-1
    65e4665d277d88f2045dd448db4f2e5f543fccbe
    MD5
    c9680ce1149853f9f5d9811dcf29ac8c
    CRC-32
    84157e58
    File type
    Visual Basic Script
    First seen
    2013-11-14
  • c:\Documents and Settings\test user\Application Data\Microsoft\CryptnetUrlCache\Content\5C8DDA36D60247082B142836039F4636
    Size
    16K
    SHA-1
    52af7fb910f60611eb5253f53dde05ada5355b06
    MD5
    eccf6631b7aaa560f1b7363389598ca4
    CRC-32
    50aee144
    File type
    Encoded certificate
    First seen
    2013-11-14
  • c:\Documents and Settings\test user\Application Data\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Size
    53K
    SHA-1
    509a4695add9e9709c2e673529ed53c7d0d0abd8
    MD5
    37c3ac7e8dc94373c9687e748ae3578e
    CRC-32
    624046e4
    File type
    Microsoft CAB archive
    First seen
    2013-10-19
  • c:\Documents and Settings\test user\qfyip\svchost.com
    Size
    733K
    SHA-1
    cae4e8c730de5a01d30aabeb3e5cb2136090ed8d
    MD5
    71d8f6d5dc35517275bc38ebcc815f9f
    CRC-32
    4aca8fdb
    File type
    Windows executable
    First seen
    2012-01-31
  • c:\Documents and Settings\test user\qfyip\start.cmd
    Size
    67
    SHA-1
    55a025cfc8ad35200e136b915eb062eecd17f31a
    MD5
    af68a418089eefcc1c6db1ed701ad44b
    CRC-32
    f35f2e2d
    File type
    ASCII text / 8-bit Unicode Transformation Format
    First seen
    2013-11-14
  • c:\Documents and Settings\test user\Application Data\Microsoft\CryptnetUrlCache\Content\DC2135CED98D8A4D7C0CEE202BB0B810
    Size
    469
    SHA-1
    d2acca0dc2bfad7d1f151ab6edec3a2021a44aaf
    MD5
    e035e0b09bcadccd3fbad1cd731585a4
    CRC-32
    67797fc6
    File type
    Encoded certificate
    First seen
    2013-07-16
  • c:\Documents and Settings\test user\Application Data\Microsoft\CryptnetUrlCache\Content\F5A17C00E427F919C4A49EEF5AD0EE53
    Size
    460
    SHA-1
    078a41b2f2c2d6558a283fc8b9091ba45cbfba47
    MD5
    1df2dde3986c042d5bd50612736391d4
    CRC-32
    da3f7f67
    File type
    Encoded certificate
    First seen
    2013-08-02
  • c:\Documents and Settings\test user\Application Data\Microsoft\CryptnetUrlCache\MetaData\5C8DDA36D60247082B142836039F4636
    Size
    110
    SHA-1
    6dded866e25e4eab058021ac1c7b661a67181316
    MD5
    1792b570eb8d85eb89f315b947215a05
    CRC-32
    08ccdb5f
    File type
    Unspecified binary - probably data
    First seen
    2013-11-14
  • c:\Documents and Settings\test user\Application Data\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Size
    216
    SHA-1
    4b104fb5eb76c34b2d5194c7d82d80c2693dc3ca
    MD5
    74f241c3a1281a79d8dbdb88e08cd7f2
    CRC-32
    aa688a99
    File type
    Unspecified binary - probably data
    First seen
    2013-11-14
  • c:\Documents and Settings\test user\Application Data\Microsoft\CryptnetUrlCache\MetaData\DC2135CED98D8A4D7C0CEE202BB0B810
    Size
    98
    SHA-1
    174362e6c77168e306fe7a38f31cbb1bcde56ba5
    MD5
    d3ccfc5a9bdafacac848d9db83545d09
    CRC-32
    11067a31
    File type
    Unspecified binary - probably data
    First seen
    2013-11-14
  • c:\Documents and Settings\test user\Application Data\Microsoft\CryptnetUrlCache\MetaData\F5A17C00E427F919C4A49EEF5AD0EE53
    Size
    110
    SHA-1
    1cae171934f8afb844591b79569aab563c5f03eb
    MD5
    7b2671503420ee926b80c3f167bd8fe0
    CRC-32
    0d69b7c5
    File type
    Unspecified binary - probably data
    First seen
    2013-11-14
  • c:\Documents and Settings\test user\Local Settings\Temp\Y3VUO5HYVD.exe
  • c:\Documents and Settings\test user\Start Menu\Programs\Startup\start.lnk
    Size
    717
    SHA-1
    b9dc74b5632ca087ae660b06f6aff63964484104
    MD5
    97cc58b168edddacadc87f67612213ca
    CRC-32
    b4846734
    File type
    Windows Shortcut file (.LNK)
    First seen
    2013-11-14
  • c:\Documents and Settings\test user\qfyip\63319.KYU
    Size
    222
    SHA-1
    98f56454c414a32a3bdd888db5035446aec87a35
    MD5
    aad60e49b01ac06f2fc8ec6ba9fc7f57
    CRC-32
    50732b77
    File type
    Configuration Data File (generic)
    First seen
    2013-11-14
  • c:\Documents and Settings\test user\qfyip\4504992.VVP
    Size
    6.2M
    SHA-1
    d92cee0b3b3421592ea72c1c953b65a273fb0a18
    MD5
    9d48652558429beeaacefd1d01dbc9ea
    CRC-32
    4e402256
    File type
    ASCII text / 8-bit Unicode Transformation Format
    First seen
    2013-11-14
  • c:\Documents and Settings\test user\qfyip\46813.EHL
    Size
    457K
    SHA-1
    0a9b3596d42465bbc565e63cab5a20786c87cb86
    MD5
    b7790b736a4c1e9531c9797bec92694d
    CRC-32
    acd003c2
    File type
    Unspecified binary - probably data
    First seen
    2013-11-14
  • c:\Documents and Settings\test user\qfyip\9137175.vbe
    Size
    59
    SHA-1
    ae41e85a22f26074d99ff7edc913572bc1f7447b
    MD5
    3c5a676876270ddd946b226b649cd8fe
    CRC-32
    40ca143c
    File type
    ASCII text / 8-bit Unicode Transformation Format
    First seen
    2013-11-14
  • c:\Documents and Settings\test user\qfyip\thecoin-qt.exe
    Size
    7.8M
    SHA-1
    ffdf3f288e6c2061b7a7f2ad596ba503164ad9bf
    MD5
    3002ddde929a6adcbae37866fd3f86f2
    CRC-32
    b95d7741
    File type
    Windows executable
    First seen
    2013-11-14
Modified Files
  • %PROFILE%\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004
  • %PROFILE%\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004
Registry Keys Created
  • HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    C:\DOCUME~1\support\LOCALS~1\Temp\Y3VUO5HYVD.exe
    C:\DOCUME~1\support\LOCALS~1\Temp\Y3VUO5HYVD.exe:*:Enabled:Windows Messanger
  • HKCU\Software\VB and VBA Program Settings\INSTALL\DATE
    ZALP6OYCC3
    November 14, 2013
  • HKCU\Software\VB and VBA Program Settings\SrvID\ID
    ZALP6OYCC3
    abayocuc
  • HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
    qfyip
    C:\DOCUME~1\support\qfyip\start.vbs
  • HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C
    Blob
    [binary certificate blob; value not legible in the source]
Registry Keys Modified
  • HKLM\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\E5215D3460C2C20BBE2D9FE5FB665DAA2C0E225C
    Blob
    04 00 00 00 01 00 00 00 10 00 00 00 6f 7e 74 a3 a1 3a ca bb 63 cf 74 04 17 05 fa 33 19 00 00 00 01 00 00 00 10 00 00 00 a8 23 b4 a2 01 80 be b4 60 ca b9 55 c2 4d 7e 21 03 00 00 00 01 00 00 00 14 00 00 00 e5 21 5d 34 60 c2 c2 0b be 2d 9f e5 fb 66 5d aa 2c 0e 22 5c 14 00 00 00 01 00 00 00 14 00 00 00 87 db d4 5f b0 92 8d 4e 1d f8 15 67 e7 f2 ab af d6 2b 67 75 20 00 00 00 01 00 00 00 7f 03 00 00 30 82 03 7b 30 82 02 63 a0 03 02 01 02 02 10 c4 bb d8 c0 ca ff 56 a5 11 d3 56 96 61 99 22 30 30 0d 06 09 2a 86 48 86 f7 0d 01 01 04 05 00 30 1d 31 1b 30 19 06 03 55 04 03 13 12 52 6f 6f 74 20 53 47 43 20 41 75 74 68 6f 72 69 74 79 30 1e 17 0d 39 39 30 38 32 30 30 30 33 30 30 31 5a 17 0d 31 34 30 31 32 38 30 37 30 30 30 30 5a 30 57 31 0b 30 09 06 03 55 04 06 13 02 42 45 31 19 30 17 06 03 55 04 0a 13 10 47 6c 6f 62 61 6c 53 69 67 6e 20 6e 76 2d 73 61 31 10 30 0e 06 03 55 04 0b 13 07 52 6f 6f 74 20 43 41 31 1b 30 19 06 03 55 04 03 13 12 47 6c 6f 62 61 6c 53 69 67 6e 20 52 6f 6f 74 20 43 41 30 82 01 22 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 82 01 0f 00 30 82 01 0a 02 82 01 01 00 da 0e e6 99 8d ce a3 e3 4f 8a 7e fb f1 8b 83 25 6b ea 48 1f f1 2a b0 b9 95 11 04 bd f0 63 d1 e2 67 66 cf 1c dd cf 1b 48 2b ee 8d 89 8e 9a af 29 80 65 ab e9 c7 2d 12 cb ab 1c 4c 70 07 a1 3d 0a 30 cd 15 8d 4f f8 dd d4 8c 50 15 1c ef 50 ee c4 2e f7 fc e9 52 f2 91 7d e0 6d d5 35 30 8e 5e 43 73 f2 41 e9 d5 6a e3 b2 89 3a 56 39 38 6f 06 3c 88 69 5b 2a 4d c5 a7 54 b8 6c 89 cc 9b f9 3c ca e5 fd 89 f5 12 3c 92 78 96 d6 dc 74 6e 93 44 61 d1 8d c7 46 b2 75 0e 86 e8 19 8a d5 6d 6c d5 78 16 95 a2 e9 c8 0a 38 eb f2 24 13 4f 73 54 93 13 85 3a 1b bc 1e 34 b5 8b 05 8c b9 77 8b b1 db 1f 20 91 ab 09 53 6e 90 ce 7b 37 74 b9 70 47 91 22 51 63 16 79 ae b1 ae 41 26 08 c8 19 2b d1 46 aa 48 d6 64 2a d7 83 34 ff 2c 2a c1 6c 19 43 4a 07 85 e7 d3 7c f6 21 68 ef ea f2 52 9f 7f 93 90 cf 02 03 01 00 01 a3 7d 30 7b 30 0d 06 03 55 1d 0a 04 06 30 04 03 02 07 80 30 20 06 03 55 1d 25 04 19 30 17 06 0a 2b 06 01 04 01 82 37 0a 03 
03 06 09 60 86 48 01 86 f8 42 04 01 30 48 06 03 55 1d 01 04 41 30 3f 80 10 0d 27 29 e4 05 2a 97 b4 77 58 35 47 93 2d 06 b8 a1 1f 30 1d 31 1b 30 19 06 03 55 04 03 13 12 52 6f 6f 74 20 53 47 43 20 41 75 74 68 6f 72 69 74 79 82 0a 20 9d 11 d1 0e 7f 7b 85 74 80 30 0d 06 09 2a 86 48 86 f7 0d 01 01 04 05 00 03 82 01 01 00 d2 82 ee 55 36 25 57 42 b9 cb a8 70 9c 42 8e 46 a7 d7 99 91 d2 cc a2 db f2 a0 c6 bf c6 db 45 f1 7a 8e dc 03 63 4a 9b 94 99 a6 0f bd 4c ca 6d e4 31 61 6a 08 10 4d 1e 47 d4 11 59 33 02 65 69 ae 13 db f1 65 79 72 25 79 21 c4 b4 25 c2 6c ff 8c 7e 96 df 69 c0 45 24 a1 69 4b a6 a6 04 e7 81 de ca db 88 a3 a6 7c 91 cf 86 47 76 97 e6 97 f7 1a 2e d7 03 f0 37 3b dd 76 95 6d 26 74 51 49 44 d6 3e 84 b7 03 74 6d 66 67 a2 36 8b 84 f3 ed f9 a8 9d e4 a8 1a 09 dc d2 01 92 4f 1f 3d 58 41 bb e9 ac 03 9b e8 f0 96 c0 cd 7e 01 db e2 a9 3e 66 e0 24 e6 ec 7f 6d 18 53 39 9d c0 89 bf 60 78 be cb 07 37 77 9d 7d 8e 8d 17 0a d7 6f 17 da e5 8a e1 e7 08 c4 13 e5 7a 2b 5c 6d f7 9e 20 c4 8d 4f ed 06 29 07 af 79 92 f2 5f f9 aa 21 15 cb 66 39 77 d3 2d 19 24 68 84 5f a9 48 46 5a db 1d b4 41 1f
  • HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
    DoNotAllowExceptions
    0x00000000
Processes Created
  • c:\Documents and Settings\test user\qfyip\svchost.com
  • c:\Documents and Settings\test user\qfyip\thecoin-qt.exe
  • c:\windows\system32\cmd.exe
  • c:\windows\system32\mshta.exe
  • c:\windows\system32\taskkill.exe
  • c:\windows\system32\wscript.exe
HTTP Requests
  • http://crl.globalsign.net/ObjectSign.crl
  • http://crl.globalsign.net/Root.crl
  • http://crl.globalsign.net/primobject.crl
  • http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt
  • http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
IP Connections
  • 212.7.208.99:5555
DNS Requests
  • crl.globalsign.net
  • www.download.windowsupdate.com

Example 2

File Information

Size
6.2M
SHA-1
d92cee0b3b3421592ea72c1c953b65a273fb0a18
MD5
9d48652558429beeaacefd1d01dbc9ea
CRC-32
4e402256
File type
ASCII text / 8-bit Unicode Transformation Format
First seen
2013-11-14