Trojan.Agent.CERV_1efbf2304a

by malwarelabrobot on March 25th, 2017 in Malware Descriptions.

Trojan.Agent.CERV (B) (Emsisoft), Trojan.Agent.CERV (AdAware), Trojan.Win32.Swrort.3.FD (Lavasoft MAS)
Behaviour: Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 1efbf2304affff18e3c27d46f2857f34
SHA1: a7072c43896ed0a3151f9d21eb54073b6842ce01
SHA256: 3299ab9508f648d2c4d96a2963fb86b76c2f9c931e7cf62995099ae1a153eb58
SSDeep: 12288:EAWzgp6AuSbj3ELyNBAlubqAuPgjVDKt4tNgKd3U8ZwSNWaZHyEonx6nwn8AFFDP:bYMAL/lflPgjVRtdU8Z/NvSnlWy1
Size: 878592 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Gatut
Created at: 2016-11-09 18:29:49
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):
No child processes have been created.
The Trojan injects its code into the following process(es):

%original file name%.exe:1672

The only process listed is the sample's own process (PID 1672 in the sandbox run); no injection into a foreign process was recorded.

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:1672 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\FailedToInstall[1].htm (715 bytes)

Content.IE5 is the WinINet (Internet Explorer) cache: this file is the cached 715-byte HTTP response to the FailedToInstall.php request listed under URLs below. It is written by the cache as a side effect of the request, not dropped by the sample (see Dropped PE files).

Registry activity

The process %original file name%.exe:1672 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry (values are grouped by key here; the sandbox listed them in write order):

[HKLM\SOFTWARE\Microsoft\Tracing\1efbf2304affff18e3c27d46f2857f34_RASAPI32]
"EnableConsoleTracing" = "0"
"ConsoleTracingMask" = "4294901760"
"EnableFileTracing" = "0"
"FileTracingMask" = "4294901760"
"MaxFileSize" = "1048576"
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\1efbf2304affff18e3c27d46f2857f34_RASMANCS]
"EnableConsoleTracing" = "0"
"ConsoleTracingMask" = "4294901760"
"EnableFileTracing" = "0"
"FileTracingMask" = "4294901760"
"MaxFileSize" = "1048576"
"FileDirectory" = "%windir%\tracing"

The two Tracing keys are created by Windows itself the first time a process uses the RAS/WinINet networking APIs. The key name is the image name (the sandbox renamed the sample to its MD5) and the values are the documented defaults, so they are a side effect of the network activity below rather than a persistence mechanism. The naming does make the key a useful forensic record of which executable made the connections.

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3E 00 00 00 09 00 00 00 00 00 00 00"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"
"AutoConfigURL"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"

Taken together, the ProxyEnable write, the SavedLegacySettings update and these deletions are the registry footprint of the WinINet proxy configuration being reset to "no proxy, auto-detect": any proxy server, bypass list or PAC URL configured for the profile is removed. On a proxied network this is worth noting, because requests from that profile would afterwards be attempted directly rather than through the configured proxy.
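The registry list above mixes Windows side effects (the RAS tracing keys, zone-map defaults) with the one change that matters (the proxy reset). The following script is an added example, not part of the Lavasoft report or its tooling: it classifies sandbox registry events into noise, proxy changes, persistence and items left for review, and pulls the image name out of a tracing key. The events are transcribed from this page except the final Run-key write, which is constructed (it was not observed for this sample) so that the persistence branch has something to match; the persistence key list is illustrative, not complete.

```python
import re
from collections import defaultdict

# Added example (not part of the Lavasoft report): separate Windows side effects
# in a sandbox registry log from changes an analyst should review. Events are
# transcribed from the report except the final Run-key write, which is
# constructed (not observed for this sample) to exercise the persistence branch.

EVENTS = [
    ("set", r"HKLM\SOFTWARE\Microsoft\Tracing\1efbf2304affff18e3c27d46f2857f34_RASAPI32", "EnableConsoleTracing", "0"),
    ("set", r"HKLM\SOFTWARE\Microsoft\Tracing\1efbf2304affff18e3c27d46f2857f34_RASMANCS", "FileDirectory", r"%windir%\tracing"),
    ("set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap", "AutoDetect", "1"),
    ("set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections", "SavedLegacySettings", "46 00 00 00 3E 00 00 00 09 00 00 00 00 00 00 00"),
    ("set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings", "ProxyEnable", "0"),
    ("delete", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings", "AutoConfigURL", None),
    ("delete", r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap", "ProxyBypass", None),
    ("set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Updater", r"C:\Users\user\AppData\Roaming\updater.exe"),  # constructed
]

# Keys Windows writes on behalf of any process that uses the RAS/WinINet APIs.
TRACING_KEY = re.compile(r"^HKLM\\SOFTWARE\\Microsoft\\Tracing\\(?P<image>[^\\]+)_(RASAPI32|RASMANCS)$", re.I)
# Zone-map defaults that WinINet initialises for a profile.
ZONEMAP_KEY = re.compile(r"\\Internet Settings\\ZoneMap$", re.I)
# Where WinINet keeps the per-user / per-machine proxy configuration.
INTERNET_SETTINGS = re.compile(r"\\Internet Settings(\\Connections|\\ZoneMap)?$", re.I)
PROXY_VALUES = {"ProxyEnable", "ProxyServer", "ProxyOverride", "AutoConfigURL",
                "ProxyBypass", "SavedLegacySettings"}
# Classic autostart locations (assumption: illustrative list, not complete).
PERSISTENCE_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce|RunServices|Policies\\Explorer\\Run)$"
                             r"|\\Winlogon$|\\CurrentControlSet\\Services\\[^\\]+$", re.I)


def tracing_image_name(key: str):
    """Image name recorded in a RAS tracing key (here the sample's MD5, as renamed by the sandbox)."""
    m = TRACING_KEY.match(key)
    return m.group("image") if m else None


def classify(event) -> str:
    """Order matters: a proxy value under ZoneMap is a proxy change, not zone-map noise."""
    _action, key, value, _data = event
    if PERSISTENCE_KEY.search(key):
        return "persistence"
    if value in PROXY_VALUES and INTERNET_SETTINGS.search(key):
        return "proxy"          # set or delete: both change how traffic leaves the host
    if TRACING_KEY.match(key) or ZONEMAP_KEY.search(key):
        return "noise"          # created by Windows as a side effect of API use
    return "review"


def summarize(events) -> dict:
    groups = defaultdict(list)
    for ev in events:
        groups[classify(ev)].append(ev)
    return dict(groups)


if __name__ == "__main__":
    for category, evs in summarize(EVENTS).items():
        print(category)
        for action, key, value, data in evs:
            print(f"  {action:6} {key} -> {value!r}" + ("" if data is None else f" = {data}"))
    print("tracing image:", tracing_image_name(EVENTS[0][1]))
```

Run as-is it prints the three noise events, the four proxy events and the constructed persistence event, and recovers 1efbf2304affff18e3c27d46f2857f34 from the tracing key name. Deletions are deliberately kept in the proxy bucket: removing ProxyServer or AutoConfigURL changes egress just as much as setting ProxyEnable does.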

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name    Virtual Address  Virtual Size  Raw Size  Entropy   Section MD5
.text   4096             748736        749056    5.50177   400afa4952ef65e0f0607ef78a71f7fa
.data   753664           86268         86528     5.52627   b325cf1a4ede1197135d3b33ca98294f
/16     843776           4352          4608      4.44673   78c354605d5f9a836d3b946a302c1859
/24     851968           8448          8704      4.50806   4f226a906aabbbe68035b3dc9fa09baf
.rdata  864256           4352          4608      4.45075   269499be580dee942ff7a6b6e2d8640a
.bss    872448           4608          0         0         d41d8cd98f00b204e9800998ecf8427e
.idata  880640           8168          8192      3.91373   448493d1a0f4947b57a0833b8c045ed2
.tls    888832           44            512       0.139696  31f6ae0efbc8665f66a532ed2022ca95
.rsrc   892928           14988         15360     3.5628    231239b870f6086688cb6c581ac8d678

Notes on the section table: the "/16" and "/24" entries are COFF string-table offsets, which is how GNU binutils records section names longer than eight characters; together with the separate .idata, .bss and .tls sections this layout is consistent with a GCC/MinGW build. Entropies of about 5.5 bits per byte for .text and .data are typical of uncompressed code and data, whereas packed or encrypted sections usually report close to 8, so the "Entropy: Packed" summary and the generic PEiD signature above are weak indicators for this file. The .bss MD5 is the MD5 of empty input, as expected for a section with a raw size of 0.

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 226 (26 of them listed below)
e51b3190630594e2fc0d539eca76dbe1
0f38c65c3192a568a0f127781c3e1ad3
e3bd26be518ceabd5cb92753e9cb62ea
a968722a5bb17642c70cd94916416062
2982e6344d97dd051041ffb1df962f7a
4db81dd1bc58bc011c24cee917727de5
3ab8386945e5dd57601b123757071cdf
0b2e22a7e3e640c65e22c170d18200af
a042a31a457f2de9db52ba319a92ba28
fa71e68ab4dd87e5914d76aefcce4167
992b6b530dca98ded19afaae9efd2b45
8d1bbaa093d8eed9bf2d670405828f91
9b7bbbcc4f885b2f42feab41d4588e07
3934f7b9d9cedc60006f610ebfde6240
aa47ef9ec47abaf79ef82608f3fc6f05
1629fd0d4d7e163be648c6bd2dff05ce
62837e65e692b8af8460d4496e846336
62aa718f519adac90ae0c713643c874e
d84402f76949a9319a0ccd1d47b49696
a4e32eab780d1610c83087e8427a323d
9da428f0d8eb0e99ab0f2c862a691824
91e4486091aacbd4d0025e54a10a5f5b
39754dd314a177c524a15f785ea29a47
615cfb960d8b8410e19209f191b4dae6
eefeb47f359807ae59a07515d18ace15
c363ec9646738ba53a5eeee47f6a637e

URLs

URL IP
hxxp://ils-front-balancer3-264552681.us-east-1.elb.amazonaws.com/index.php
hxxp://ils-front-balancer3-264552681.us-east-1.elb.amazonaws.com/FailedToInstall.php?reason=8&version=1.1.5.26
hxxp://www.quaintspokenracketiest.site/index.php 54.243.162.153
hxxp://www.quaintspokenracketiest.site/FailedToInstall.php?reason=8&version=1.1.5.26 54.243.162.153

Both hosts serve the same two paths. FailedToInstall.php?reason=8&version=1.1.5.26 is an install-failure beacon that reports a reason code and the client version (1.1.5.26); the 715-byte FailedToInstall[1].htm cache entry under File activity is its response. No resolved address is recorded for the first host. That host is an AWS Elastic Load Balancer name and 54.243.162.153 is an Amazon address, so the IP is a weak and short-lived indicator; the hostnames and the beacon's path and query shape are the more durable ones.


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET MALWARE SoundCloud Downloader Install Beacon

Traffic

Web Traffic was not found (no HTTP session capture is included on this page; the requests themselves are listed under URLs above).

Map

The Trojan connects to the servers at the following location(s): only the resolved address 54.243.162.153 from the URLs table is recorded on this page.

Strings from Dumps

Strings from Dumps were not found.


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager): no child processes were created; end %original file name%.exe if it is still running.
  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\FailedToInstall[1].htm (715 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
