Trojan.Agent.AUQ Analysis Help

I am trying to identify where this trojan installs and hooks into a system. I think the binary is monitoring user activity. I found several instances of the URL below in memory, and the beginning of a PE executable but not the end.

URL: "http[:]//83.149.75[.]57/trafc-2/rfe.php?cmp=dun_tekthird&guid={e6af260b-aed7-4174-bb03-0455a0b5a8b9}&affid=66695&step=0&run=1&dn_uid={e6af260b-aed7-4174-bb03-0455a0b5a8b9}&dn_affid=&vm_guid=&ip=192.168.218.135&ie=1"

When the trojan is first run it looks for wpad.dat on any WPAD servers in the local domain. I have a signature that can help identify affected hosts, since most AV don't detect the trojan.

alert tcp any any -> any 80 (msg:"WPAD HTTP Binary Beacon"; content:"|f4 a4 f9 9a 27 4e 0a 7e 2a 73 73 4e 93 b8 17 ba|";sid:1004;)

Has anyone analyzed this trojan yet, or have suggestions on how to remove it?

MD5 - 27f700e875c99420a4e078683dc57c3d

Mece
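A small triage helper built around the two indicators in the post, as an added example (not part of the original post and not taken from any analysis of this sample): it scans a raw memory or pcap buffer for the 16-byte content pattern from the Snort rule and extracts and parses beacon URLs of the /trafc-2/rfe.php shape quoted above. The sample buffer, the host 203.0.113.10, the client IP 192.0.2.25 and the GUID value are constructed placeholders, not values from the real sample.

```python
import re
from typing import Optional
from urllib.parse import urlsplit, parse_qs

# 16-byte content match taken from the Snort rule in the post.
WPAD_BEACON_BYTES = bytes.fromhex("f4a4f99a274e0a7e2a73734e93b817ba")
# Beacon URL shape from the post: /trafc-2/rfe.php with a fixed set of query keys.
BEACON_PATH = "/trafc-2/rfe.php"
EXPECTED_KEYS = {"cmp", "guid", "affid", "step", "run", "dn_uid",
                 "dn_affid", "vm_guid", "ip", "ie"}

def find_beacon_bytes(buf: bytes) -> list:
    """Return every offset in buf where the 16-byte signature occurs."""
    offsets, start = [], 0
    while (pos := buf.find(WPAD_BEACON_BYTES, start)) != -1:
        offsets.append(pos)
        start = pos + 1
    return offsets

def extract_beacon_urls(buf: bytes) -> list:
    """Pull beacon URLs (ASCII, ended by quote/whitespace/NUL) out of a raw dump."""
    pattern = re.compile(rb'http://[^\s"\'\x00]+' + re.escape(BEACON_PATH.encode())
                         + rb'\?[^\s"\'\x00]+')
    return [m.group().decode("ascii", "replace") for m in pattern.finditer(buf)]

def parse_beacon(url: str) -> Optional[dict]:
    """Return the beacon's query fields if the URL has the expected shape, else None."""
    parts = urlsplit(url)
    if parts.path != BEACON_PATH:
        return None
    fields = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    if not EXPECTED_KEYS.issubset(fields):
        return None
    # The post shows guid repeated as dn_uid; a mismatch is worth flagging in triage.
    fields["guid_matches_dn_uid"] = fields["guid"] == fields["dn_uid"]
    return fields

# Constructed sample dump (not from the real sample): padding, the signature bytes,
# an "MZ" header stub, then a beacon URL using documentation-range addresses.
SAMPLE_DUMP = (
    b"\x00" * 32 + WPAD_BEACON_BYTES + b"MZ\x90\x00" + b"\x00" * 16
    + b'"http://203.0.113.10/trafc-2/rfe.php?cmp=dun_tekthird'
    b"&guid={00000000-0000-4000-8000-000000000001}&affid=1&step=0&run=1"
    b"&dn_uid={00000000-0000-4000-8000-000000000001}&dn_affid=&vm_guid="
    b'&ip=192.0.2.25&ie=1"' + b"\x00" * 8
)

def scan_dump(buf: bytes = SAMPLE_DUMP) -> dict:
    """Combine both checks into one triage report."""
    urls = extract_beacon_urls(buf)
    return {"signature_offsets": find_beacon_bytes(buf),
            "beacons": [b for b in (parse_beacon(u) for u in urls) if b]}
```

Feed `scan_dump()` the raw bytes of a memory image or pcap to get the signature offsets and the parsed beacon fields (guid, affid, ip) for correlation across hosts.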