Trojan.Agent.AUQ Analysis Help
I am trying to identify where this trojan installs and hooks into a system. I think the binary is monitoring user activity. I found several instances of the URL below in memory, and the beginning of a PE executable but not the end.
When the trojan is first run it looks for wpad.dat on any WPAD servers in the local domain. I have a signature that can help identify affected hosts, since most AV products don't detect the trojan.
alert tcp any any -> any 80 (msg:"WPAD HTTP Binary Beacon"; content:"|f4 a4 f9 9a 27 4e 0a 7e 2a 73 73 4e 93 b8 17 ba|"; sid:1004; rev:1;)
Has anyone analyzed this trojan yet, or have suggestions on how to remove it?
MD5 - 27f700e875c99420a4e078683dc57c3d
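For anyone who wants to triage dumps or proxy logs against the indicators in the post above, here is an added example (my own code, not the original poster's tooling) that reuses only the three IOCs given there: the 16-byte content match from the Snort rule, the MD5, and the fact that the binary fetches wpad.dat. It scans a memory image for the beacon bytes and for MZ stubs whose e_lfanew points at a valid "PE\0\0" signature (so you can tell a real image start from a stray "MZ"), hashes a candidate file against the known MD5, and pulls wpad.dat fetchers out of Apache/Squid-style access log lines. The memory image and log lines are constructed here for illustration; the hostnames and client addresses in them are assumptions, not data from the post.

```python
import hashlib
import re

# IOCs copied from the post above.
BEACON_BYTES = bytes.fromhex("f4a4f99a274e0a7e2a73734e93b817ba")
KNOWN_MD5 = "27f700e875c99420a4e078683dc57c3d"


def find_beacon(buf: bytes) -> list[int]:
    """Return every offset in buf where the 16-byte beacon pattern occurs."""
    offsets = []
    start = 0
    while True:
        i = buf.find(BEACON_BYTES, start)
        if i < 0:
            return offsets
        offsets.append(i)
        start = i + 1


def find_pe_headers(buf: bytes) -> list[int]:
    """Return offsets of MZ stubs whose e_lfanew (DOS header +0x3c) points at 'PE\\0\\0'.

    A bare 'MZ' is too common in a memory image to be useful; requiring the
    NT signature to be reachable filters out most false starts.
    """
    hits = []
    for m in re.finditer(b"MZ", buf):
        off = m.start()
        if off + 0x40 > len(buf):
            continue
        e_lfanew = int.from_bytes(buf[off + 0x3C:off + 0x40], "little")
        pe = off + e_lfanew
        if 0 < e_lfanew < 0x1000 and buf[pe:pe + 4] == b"PE\x00\x00":
            hits.append(off)
    return hits


def matches_known_hash(data: bytes) -> bool:
    """True if data hashes to the MD5 reported in the post."""
    return hashlib.md5(data).hexdigest() == KNOWN_MD5


# Matches common access-log shapes: "<client> ... "GET <url ending in /wpad.dat> HTTP/x.y"".
_WPAD_RE = re.compile(r'^(\S+) .*"GET (\S+/wpad\.dat) HTTP/\d\.\d"')


def wpad_fetchers(log_lines: list[str]) -> dict[str, str]:
    """Map each client that requested a wpad.dat URL to the URL it asked for."""
    found = {}
    for line in log_lines:
        m = _WPAD_RE.match(line)
        if m:
            found[m.group(1)] = m.group(2)
    return found


def _build_sample_dump() -> bytes:
    """Constructed memory image: padding, a minimal MZ/PE header, a wpad URL, the beacon."""
    stub = bytearray(b"MZ" + b"\x90" * 0x3A)          # DOS header up to e_lfanew
    stub += (0x80).to_bytes(4, "little")               # e_lfanew = 0x80
    stub += b"\x00" * (0x80 - len(stub))               # pad to the NT header
    stub += b"PE\x00\x00" + b"\x00" * 20               # NT signature + start of COFF header
    return (b"\x00" * 32 + bytes(stub)
            + b"GET http://wpad.corp.example/wpad.dat "   # assumed hostname, constructed
            + BEACON_BYTES + b"\xcc" * 16)


SAMPLE_DUMP = _build_sample_dump()

# Constructed access-log lines; addresses and hosts are assumptions.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Jan/2010:12:00:01 +0000] "GET http://wpad.corp.example/wpad.dat HTTP/1.1" 200 512',
    '10.0.0.7 - - [10/Jan/2010:12:00:02 +0000] "GET http://www.example.com/ HTTP/1.1" 200 1024',
    '10.0.0.9 - - [10/Jan/2010:12:00:03 +0000] "GET http://wpad/wpad.dat HTTP/1.0" 404 0',
]

if __name__ == "__main__":
    print("beacon at", find_beacon(SAMPLE_DUMP))
    print("PE images at", find_pe_headers(SAMPLE_DUMP))
    print("known hash:", matches_known_hash(SAMPLE_DUMP))
    print("wpad fetchers:", wpad_fetchers(SAMPLE_LOG))
```

Treat the wpad.dat fetch as supporting evidence only: any Windows host with proxy auto-detection enabled requests wpad.dat on its own, so that list will contain clean machines too. The beacon bytes and the MD5 are the discriminating indicators; the PE-header check is there so you can carve a complete image out of a dump where, as in the post, only the start of the executable has been found so far.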