Gen.Variant.Downloader.126_dc63d68165
Gen:Variant.Downloader.126 (BitDefender), Trojan:Win32/Tiggre!rfn (Microsoft), Trojan.Win32.Generic!BT (VIPRE), Gen:Variant.Downloader.126 (B) (Emsisoft), Artemis!DC63D6816526 (McAfee), Trojan.Gen (Symantec), Virus.Win32.Heur (Ikarus), Gen:Variant.Downloader.126 (FSecure), Win32:JunkPoly [Cryp] (AVG), Win32:JunkPoly [Cryp] (Avast), TROJ_GEN.R03FC0DKP17 (TrendMicro), Gen:Variant.Downloader.126 (AdAware), GenericAutorunWorm.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, Virus, WormAutorun
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: dc63d681652623f0b759011958748f65
SHA1: bfe17fa0a5c58eea461e78c9d5a0bdd13ff289d0
SHA256: 4892ed0a2b33775ec664bc0a39618368e08a897b884e604fbb0526a48b80c3c8
SSDeep: 3072:084C68CXlwjJxdfrrQF1bWFNkAqGeFCD02e61txrLzuSuJR9Xv0b64jfKBySBG:0jCtalwjdfrrQFlBTMo2PPxnSSudXv0V
Size: 185344 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company:
Created at: 2014-11-24 16:18:04
Analyzed on: Windows7 SP1 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
Behaviour | Description |
---|---|
WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):
%original file name%.exe:2028
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:2028 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\atuqsoai.exe (673 bytes)
Registry activity
The process %original file name%.exe:2028 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"(Default)" = "C:\atuqsoai.exe"
Dropped PE files
MD5 | File path |
---|---|
91ce8cf1354605e3829653b4aa68742c | c:\atuqsoai.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script is meant to execute the Trojan's file once a user opens the drive's folder in Windows Explorer. In this sandbox run the removable drive was Z:, and the strings recovered from the sample (listed below) show the exact artifacts: Z:\atuqsoai.exe and Z:\autorun.inf containing ShellExecute=atuqsoai.exe. Note that Windows 7, and older Windows versions with Microsoft's AutoRun update KB971029 applied, no longer honour autorun.inf on USB flash drives, so on such hosts the dropped copy only runs if a user launches it by hand; the autorun.inf remains a reliable indicator of the infection even where it no longer triggers.
VersionInfo
No information is available.
PE Sections
Name | Virtual Address (decimal) | Virtual Size (bytes) | Raw Size (bytes) | Entropy (bits/byte) | Section MD5 |
---|---|---|---|---|---|
.data | 4096 | 198 | 512 | 0 | bf619eac0cdf3f68d496ea9344137e8b |
.text | 8192 | 183312 | 183808 | 5.05045 | 27f062e5527b479244702276386b486c |
.idata | 192512 | 464 | 512 | 2.92225 | 5549c50bea11111ec8569e79e6d185e3 |
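The Entropy and Section MD5 columns come from the raw bytes of each section as stored on disk, and the "Packed" verdict leans on the PEiD signature (UPolyXv05) rather than on entropy alone, since .text at 5.05 bits/byte is well below the 7 to 8 that compressed or encrypted sections usually show. The script below is an added example for this page, not Lavasoft's code: it parses a PE section table, computes virtual address, sizes, entropy and MD5 per section, and applies that entropy heuristic. The PE it builds is constructed in memory (names and addresses only mimic the layout above) and is not the analysed sample.

```python
"""Compute the per-section Raw Size, Entropy and Section MD5 that the table
above reports, from a PE file's section table.

Added example for this page, not Lavasoft's code. The PE returned by
build_sample_pe() is constructed in memory and is NOT the analysed sample;
its section names and addresses only mimic the layout in the table.
"""
import hashlib
import math
import struct

PACKED_THRESHOLD = 7.0  # bits/byte; compressed or encrypted data sits near 8


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0 for one repeated byte value, 8 for uniform data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    h = 0.0
    for c in counts:
        if c:
            p = c / n
            h -= p * math.log2(p)
    return h


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def parse_sections(pe: bytes) -> list:
    """Walk the COFF section table and describe each section's on-disk bytes."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4                       # 20-byte COFF file header
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_opt = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + size_opt              # section headers follow the optional header
    sections = []
    for i in range(num_sections):
        name, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", pe, table + 40 * i)   # first 24 bytes of the 40-byte header
        raw = pe[raw_ptr:raw_ptr + raw_size]  # bytes as stored on disk
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": vaddr,
            "virtual_size": vsize,
            "raw_size": raw_size,
            "entropy": round(shannon_entropy(raw), 5),
            "md5": md5_hex(raw),
        })
    return sections


def flag_packed(sections, threshold=PACKED_THRESHOLD) -> list:
    """Names of sections whose entropy suggests compressed or encrypted content."""
    return [s["name"] for s in sections if s["entropy"] >= threshold]


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 image (hypothetical) with three sections."""
    secs = [  # (name, virtual address, virtual size, raw bytes)
        (b".data", 0x1000, 198, b"\0" * 512),                  # zero-filled -> entropy 0
        (b".text", 0x2000, 1024, bytes(range(256)) * 4),       # uniform bytes -> entropy 8
        (b".idata", 0x3000, 464,
         b"KERNEL32.DLL\0ADVAPI32.DLL\0RegCreateKeyExA\0".ljust(512, b"\0")),
    ]
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)    # e_lfanew: PE signature right after DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)                     # PE32 optional header; only the magic is set
    struct.pack_into("<H", opt, 0, 0x10B)
    table, body, raw_ptr = b"", b"", 512     # first section's raw data at file offset 512
    for name, vaddr, vsize, data in secs:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, vaddr,
                             len(data), raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += data
        raw_ptr += len(data)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table).ljust(512, b"\0")
    return headers + body


if __name__ == "__main__":
    rows = parse_sections(build_sample_pe())
    for s in rows:
        print(f"{s['name']:<7} {s['virtual_address']:>6} {s['virtual_size']:>6} "
              f"{s['raw_size']:>6} {s['entropy']:>8} {s['md5']}")
    print("high-entropy sections:", flag_packed(rows))
```

To run it against a real file, call parse_sections(open(path, "rb").read()); the headers are read with struct, so no third-party PE library is needed. A section whose PointerToRawData points past the end of the file simply yields fewer bytes than SizeOfRawData claims, which is itself worth reporting for a packed sample.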
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 8
c6aa7db188c438fef14a13f9f50a17e4
bb999264f9e65d1a4a7fbf4ea101e521
b20af425075cb74c49002aa9ebf1f717
2a734fa7efabff12805697433d15d600
d82184ff052c7cc0b91d9a23334a8b9c
c0b8ad4cc8d1c1d40a74cbf0a1006c57
69a8edcc27885a49178441eeea33e5d3
9aa98960c8b252c3cbf646098169300e
URLs
No activity has been detected.
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Web Traffic was not found.
The Trojan connects to the servers at the following location(s):
No server locations were recorded, consistent with the URLs and Traffic sections above. The entries below are strings recovered from the sample, not network endpoints: PE section names, the dropped file's paths on C: and on the removable drive Z:, the Run key path, the autorun.inf command, and imported DLL and API names.
.data
.text
`.idata
C:\atuqsoai.exe
Z:\atuqsoai.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Z:\autorun.inf
ShellExecute=atuqsoai.exe
`3.mB
.TD^C
KERNEL32.DLL
ADVAPI32.DLL
RegCloseKey
RegCreateKeyExA
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager): no new processes were created during analysis, but the sample itself ran as %original file name%.exe (PID 2028 in the sandbox) and must be ended if it is still running.
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\atuqsoai.exe (673 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"(Default)" = "C:\atuqsoai.exe"
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
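The Propagation section above and the manual-removal step "Find and delete all copies of the worm's file together with autorun.inf scripts on removable drives" amount to the same check: read each drive's autorun.inf, resolve the program it launches, and compare that file's hash with the two MD5s in this report. The script below is an added example for this page, not Lavasoft's tooling. KNOWN_MD5 holds the report's hashes; the demo drive, its autorun.inf and the stand-in payload are constructed in a temporary directory, so the run is offline and touches no real volume. The Run key value is cleaned separately, as described in the steps above.

```python
"""Sweep drive roots for the autorun.inf + executable pair this report
describes (Z:\\autorun.inf with ShellExecute=atuqsoai.exe, Z:\\atuqsoai.exe),
confirm the executable by MD5, and optionally delete both.

Added example for this page, not Lavasoft's tooling. KNOWN_MD5 holds the two
hashes the report lists; demo() builds a stand-in drive in a temp directory,
so nothing here touches real volumes unless you pass their roots to sweep().
"""
import hashlib
import re
import shlex
import tempfile
from pathlib import Path

# MD5s from the report: the analysed sample and the dropped copy.
KNOWN_MD5 = {
    "dc63d681652623f0b759011958748f65",
    "91ce8cf1354605e3829653b4aa68742c",
}

# [autorun] keys that name a program to run; shell\<verb>\command entries do too.
EXEC_KEYS = ("open", "shellexecute")
SHELL_CMD = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)


def autorun_targets(text: str) -> list:
    """Return the program names an autorun.inf would launch, in file order."""
    targets, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower() in EXEC_KEYS or SHELL_CMD.match(key):
            tokens = shlex.split(value, posix=False)   # non-posix keeps backslashes intact
            if tokens:
                targets.append(tokens[0].strip('"'))   # drop arguments and quotes
    return targets


def md5_file(path: Path) -> str:
    h = hashlib.md5()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(roots, known_md5=KNOWN_MD5, remove=False) -> list:
    """Inspect each root's autorun.inf, hash what it launches, delete known pairs."""
    findings = []
    for root in map(Path, roots):
        inf = root / "autorun.inf"
        if not inf.is_file():
            continue
        removed_any = False
        for target in autorun_targets(inf.read_text(errors="replace")):
            exe = root / target
            digest = md5_file(exe) if exe.is_file() else None
            finding = {"drive": str(root), "target": str(exe), "md5": digest,
                       "known_sample": digest in known_md5, "removed": False}
            if remove and finding["known_sample"]:
                exe.unlink()
                finding["removed"] = removed_any = True
            findings.append(finding)
        if remove and removed_any:
            inf.unlink()   # the loader is harmless once its payload is gone
    return findings


def demo() -> dict:
    """Constructed removable drive: stand-in payload plus the autorun.inf seen on Z:."""
    with tempfile.TemporaryDirectory() as tmp:
        drive = Path(tmp)
        payload = b"MZ stand-in for atuqsoai.exe (constructed, not the sample)\n"
        (drive / "atuqsoai.exe").write_bytes(payload)
        (drive / "autorun.inf").write_text(
            "[autorun]\r\nShellExecute=atuqsoai.exe\r\nicon=atuqsoai.exe,0\r\n")
        known = {hashlib.md5(payload).hexdigest()}     # hash of the stand-in, not the report's
        first = sweep([drive], known)                  # detect only
        second = sweep([drive], known, remove=True)    # detect and clean
        return {"detected": first, "cleaned": second,
                "autorun_left": (drive / "autorun.inf").exists(),
                "exe_left": (drive / "atuqsoai.exe").exists()}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

For a real sweep call sweep(["E:\\", "F:\\"]) first, review the findings, then rerun with remove=True. The parser handles the three launch forms autorun.inf supports (open=, ShellExecute= and shell\<verb>\command=) and strips quoting and arguments, so a line like open="setup.exe" /s still resolves to setup.exe; a target that is referenced but missing is reported with md5 None rather than skipped, since a dangling autorun.inf is still evidence of the worm.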