Operating memory » a variant of Win32/Spy.Agent.QGW trojan


safety

Hi,

The file is constantly deleted when it is found in RAM, but is "resurrected" again. Can we find the source of this threat?

22.09.2022 12:56:59    Advanced memory scanner    file    Operating memory » C:\Users\igor\AppData\Local\Temp\1a10b5ce.dll    a variant of Win32/Spy.Agent.QGW trojan    cleaned by deleting            3634BFE5E04A47482E02F849D0C5FACA31213B0F        
22.09.2022 12:55:09    Advanced memory scanner    file    Operating memory » C:\Users\igor\AppData\Local\Temp\1a10b5ce.dll    a variant of Win32/Spy.Agent.QGW trojan    cleaned by deleting            B7C9EDF0683C243AD74CA7D2760003A3EC3806A5        
22.09.2022 12:52:09    Startup scanner    file    Operating memory » C:\Users\igor\AppData\Local\Temp\1a10b5ce.dll    a variant of Win32/Spy.Agent.QGW trojan    cleaned by deleting            5CEE07D38D917C1AC6933342524DD303A9201613        
 

 

eav_logs.zip


  • Administrators

Please supply me with the file: C:\Users\igor\AppData\Local\Temp\1a10b5ce.dll.

Also enable the LiveGrid Feedback system for maximum protection and to ensure that we get suspicious files. Enabling it also improves protection by certain protection modules, such as the Ransomware shield.

Create also a Procmon boot log. After a reboot, stop logging only after the threat has been detected if it's detected shortly after the system starts up. Save the pml log, compress it and upload it here.


7 minutes ago, Marcos said:

Please supply me with the file: C:\Users\igor\AppData\Local\Temp\1a10b5ce.dll.

Unfortunately, this file is not quarantined. I paid attention to this strange task. We asked the user to quarantine this file. c:\users\igor\appdata\roaming\msidb.exe /hxxsx:8484 /om:7 /eqcirph /qdkfh, ,


  • Administrators

Does the dll exist? If so, is it detected by the on-demand scanner if you scan it manually?

Please provide the file c:\users\igor\appdata\roaming\msidb.exe, do not delete it until I confirm receipt.


I can assume that it is extracted from somewhere when a task and another process start, and the antivirus immediately kills it. But it is not in quarantine, judging by the logs.

>>> Please provide the file c:\users\igor\appdata\roaming\msidb.exe, do not delete it until I confirm receipt.

Yes, this file was requested; it should be quarantined, although it is clean judging by a VirusTotal check.

 

Edited by safety

  • Administrators
2 minutes ago, safety said:

I can assume that it is extracted from somewhere when a task and another process start, and the antivirus immediately kills it. But it is not in quarantine, judging by the logs.

>>> Please provide the file c:\users\igor\appdata\roaming\msidb.exe, do not delete it until I confirm receipt.

Yes, this file was requested; it should be quarantined, although it is clean judging by a VirusTotal check.

 

If you enable the ESET LiveGrid Feedback system, most likely the executable will be sent to ESET automatically since it's probably dropping and injecting the dll.


Previously, there were already several similar cases, and the matter was solved by deleting tasks, although the files that were launched in the tasks were clean.

20.01.2022 9:40:02  Advanced memory scanner  file  Operating memory » C:\Users\itc-omn\AppData\Local\Temp\1ca9c872.dll  multiple threats  deleted      4EC9095A35736DFFE889AC992A4460A6C780972F    
20.01.2022 9:39:54  Advanced memory scanner  file  Operating memory » C:\Users\itc-omn\AppData\Local\Temp\1ca9c872.dll  multiple threats  deleted      F378F3E53FF08A9DF28586DE383A8A4D3B1F35EB    
20.01.2022 9:38:21  Advanced memory scanner  file  Operating memory » C:\Users\itc-omn\AppData\Local\Temp\1ca9c872.dll  multiple threats  deleted      D1D3F2531F12E5163BEAFE10BB2425D73F5F395B

-------------

deleting these tasks helped
"Command line" = "c:\users\itc-omn\appdata\local\asus giftbox\user data\a3f739aa\vmplayer.exe -us:8 -lznupsl:12" ( 9: High Risk ) ; ; ;
"Command line" = "c:\users\itc-omn\appdata\local\apps\f2238d51\vnplayer.exe /xsqlrl:66576859 /bk /wfu /bziujw:825" ( 9: High Risk ) ; ; ;

SysInspector1.zip

Edited by safety
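The three cases in this thread share one shape: a scheduled task in C:\Windows\Tasks launching an executable from under the user profile with random-looking switches, after which a DLL appears in memory. The following PowerShell triage script is an added example, not code from the thread or from ESET; it lists every scheduled task whose action runs from C:\Users\, with signature status, SHA1 and a heuristic flag for switch strings of the kind quoted above. The regex is my own heuristic, and a valid signature does not clear a task (vnplayer.exe was a legitimately signed VMware binary launched by an unwanted task).

```powershell
# Added triage script (not from the thread): scheduled tasks whose action runs an
# executable from under C:\Users\, as msidb.exe, vnplayer.exe and java.exe did above.
# Heuristic for random-looking switches such as "/hxxsx:8484 /om:7 /eqcirph /qdkfh"
# or "-us:8 -lznupsl:12" (assumption: my own pattern, tuned to the strings in this thread).
$oddSwitches = '^(\s*[/-][a-z]{2,8}([:=]\d+)?)+\s*$'

function Get-UserProfileTask {
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }   # COM-handler actions have no Execute
            $exe = [Environment]::ExpandEnvironmentVariables($action.Execute).Trim('"')
            if ($exe -notmatch '^[A-Za-z]:\\Users\\') { continue }
            $exists = Test-Path -LiteralPath $exe
            # ESI showed a 0-byte file for vnplayer.exe: record whether the file is really there
            $sig  = if ($exists) { (Get-AuthenticodeSignature -LiteralPath $exe).Status } else { 'n/a' }
            $sha1 = if ($exists) { (Get-FileHash -LiteralPath $exe -Algorithm SHA1).Hash } else { 'n/a' }
            [pscustomobject]@{
                Task        = $task.TaskPath + $task.TaskName
                Executable  = $exe
                Arguments   = $action.Arguments
                OddSwitches = [bool]($action.Arguments -match $oddSwitches)
                FileExists  = $exists
                Signature   = $sig      # "Valid" alone does not clear a task, see vnplayer.exe
                SHA1        = $sha1
                RunAs       = $task.Principal.UserId
            }
        }
    }
}

Get-UserProfileTask | Sort-Object OddSwitches -Descending | Format-Table -AutoSize
```

Run it before cleaning so the executable and hash can still be collected for ESET, as Marcos asks above.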

23 minutes ago, Marcos said:

The above exe files (vmplayer.exe and vnplayer.exe) probably don't exist, ESI shows 0 size of the files. If exist, please provide them.

Perhaps access was blocked. I looked at this case in another program (uVS). This is a clean file from VMware. (We were unable to reproduce the issue; there was no time. We just deleted these tasks, and then the DLL download stopped.)

Полное имя                  C:\USERS\ITC-OMN\APPDATA\LOCAL\APPS\F2238D51\VNPLAYER.EXE
Имя файла                   VNPLAYER.EXE
Тек. статус                 ПРОВЕРЕННЫЙ в автозапуске 
                            
Удовлетворяет критериям     
TASK.EXE                    (ССЫЛКА ~ .JOB)(1)   AND   (ЗНАЧЕНИЕ ~ .EXE)(1) [auto (0)]
                            
Сохраненная информация      на момент создания образа
Статус                      ПРОВЕРЕННЫЙ в автозапуске 
File_Id                     50922D2A294000
Linker                      9.0
Размер                      2691736 байт
Создан                      18.12.2021 в 09:25:23
Изменен                     18.12.2021 в 09:25:23
                            
TimeStamp                   01.11.2012 в 08:04:58
EntryPoint                  +
OS Version                  5.0
Subsystem                   Windows graphical user interface (GUI) subsystem
IMAGE_FILE_DLL              -
IMAGE_FILE_EXECUTABLE_IMAGE +
Оригинальное имя            VMPLAYER.EXE
Тип файла                   32-х битный ИСПОЛНЯЕМЫЙ
Цифр. подпись               Действительна, подписано "VMware, Inc."
                            
Оригинальное имя            vmplayer.exe
Версия файла                9.0.1 build-894247
Версия продукта             9.0.1 build-894247
Описание                    VMware Player
Производитель               VMware, Inc.
                            
Доп. информация             на момент обновления списка
CmdLine                     /XSQLRL:66576859 /BK /WFU /BZIUJW:825
SHA1                        3FA003D9B68373402C4A603CE47B90269E192CE8
MD5                         4AA4BB31B3EA8B9EAE62F52CC7283602
                            
Ссылки на объект            
Ссылка                      C:\WINDOWS\TASKS\VNPLAYER.JOB
Значение                    "C:\Users\itc-omn\AppData\Local\Apps\f2238d51\vnplayer.exe" /xsqlrl:66576859 /bk /wfu /bziujw:825
                            
Ссылка                      C:\WINDOWS\SYSTEM32\TASKS\VNPLAYER
Task                        \vnplayer
                            
Ссылка                      HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{CF5A942D-E1AC-4355-B6E0-7356BE7FBE33}\Actions
Actions                     "C:\Users\itc-omn\AppData\Local\Apps\f2238d51\vnplayer.exe" /xsqlrl:66576859 /bk /wfu /bziujw:825
                            
Ссылка                      HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{CF5A942D-E1AC-4355-B6E0-7356BE7FBE33}\

 

Edited by safety

Here, too, the hash is undefined, but through uVS we see it.


Полное имя                  C:\USERS\IGOR\APPDATA\ROAMING\MSIDB.EXE
Имя файла                   MSIDB.EXE
Тек. статус                 ?ВИРУС? ПОДОЗРИТЕЛЬНЫЙ в автозапуске 
                            
Удовлетворяет критериям     
TASK.EXE                    (ССЫЛКА ~ .JOB)(1)   AND   (ЗНАЧЕНИЕ ~ .EXE)(1) [auto (0)]
                            
Сохраненная информация      на момент создания образа
Статус                      ПОДОЗРИТЕЛЬНЫЙ в автозапуске 
File_Id                     4A5BC3C729000
Linker                      9.0
Размер                      154440 байт
Создан                      17.09.2022 в 21:06:14
Изменен                     19.03.2010 в 15:02:22
                            
TimeStamp                   13.07.2009 в 23:31:19
EntryPoint                  +
OS Version                  6.0
Subsystem                   Windows graphical user interface (GUI) subsystem
IMAGE_FILE_DLL              -
IMAGE_FILE_EXECUTABLE_IMAGE +
Тип файла                   32-х битный ИСПОЛНЯЕМЫЙ
Цифр. подпись               Отсутствует либо ее не удалось проверить
                            
Статус                      ПОДОЗРИТЕЛЬНЫЙ ОБЪЕКТ
Путь до файла               Типичен для вирусов и троянов
                            
Доп. информация             на момент обновления списка
CmdLine                     /HXXSX:8484 /OM:7 /EQCIRPH /QDKFH
SHA1                        D292822E4119A5A73A8B3CEA7AC4BEAC6CF21829
MD5                         88F4AF07CA066060ABC8DB7E838F2FEB
                            
Ссылки на объект            
Ссылка                      C:\WINDOWS\TASKS\MSIDB.JOB
Значение                    "C:\Users\igor\AppData\Roaming\MsiDb.exe" /hxxsx:8484 /om:7 /eqcirph /qdkfh
                            
Ссылка                      C:\WINDOWS\SYSTEM32\TASKS\MSIDB
Task                        \MsiDb
                            
Ссылка                      HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{4F7CBE8E-145B-4AA4-8558-5F1C5FCBBC9B}\Actions
Actions                     "C:\Users\igor\AppData\Roaming\MsiDb.exe" /hxxsx:8484 /om:7 /eqcirph /qdkfh
                            
Ссылка                      HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{4F7CBE8E-145B-4AA4-8558-5F1C5FCBBC9B}\

 


In the third case, dated 08.03.2022, it was:

03.08.2022 16:21:55  Advanced memory scanner  file  Operating memory » C:\Users\Дмитрий\AppData\Local\Temp\28e86510.dll  a variant of Win32/Spy.Agent.QGW trojan  cleaned by deleting      E270A42E0B87887376DE25E48312CFF2571DB9A3    
03.08.2022 16:21:50  Advanced memory scanner  file  Operating memory » C:\Users\Дмитрий\AppData\Local\Temp\28e86510.dll  a variant of Win32/Spy.Agent.QGW trojan  cleaned by deleting      5F66A0781CDCECDF6C65F348E189362EF587274F    
03.08.2022 16:20:14  Advanced memory scanner  file  Operating memory » C:\Users\Дмитрий\AppData\Local\Temp\28e86510.dll  a variant of Win32/Spy.Agent.QGW trojan  cleaned by deleting      1C4398C983256367004BE99569CC49ADDB7B5DE8

---------------

Here the problem was solved after deleting this task:

c:\windows\system32\tasks\java, c:\users\Дмитрий\appdata\roaming\java.exe /pj=9757386 /zgvlo=92 /nbw /mkj=13105, ,


 

eis_logs.zip

Edited by safety

But here too, java.exe is clean.

Полное имя                  C:\USERS\ДМИТРИЙ\APPDATA\ROAMING\JAVA.EXE
Имя файла                   JAVA.EXE
Тек. статус                 ?ВИРУС? ПОДОЗРИТЕЛЬНЫЙ в автозапуске 
                            
Удовлетворяет критериям     
TASK.EXE                    (ССЫЛКА ~ .JOB)(1)   AND   (ЗНАЧЕНИЕ ~ .EXE)(1) [auto (0)]
FILENAME.LIST               (ПОЛНОЕ ИМЯ ~ \ROAMING\JAVA.EXE)(1) [auto (0)]
                            
Сохраненная информация      на момент создания образа
Статус                      ПОДОЗРИТЕЛЬНЫЙ в автозапуске 
File_Id                     4E08554211000
Linker                      10.0
Размер                      58248 байт
Создан                      07.07.2022 в 13:54:55
Изменен                     05.02.2022 в 01:19:52
                            
TimeStamp                   27.06.2011 в 10:02:42
EntryPoint                  +
OS Version                  5.0
Subsystem                   Windows graphical user interface (GUI) subsystem
IMAGE_FILE_DLL              -
IMAGE_FILE_EXECUTABLE_IMAGE +
Тип файла                   32-х битный ИСПОЛНЯЕМЫЙ
Цифр. подпись               Отсутствует либо ее не удалось проверить
                            
Статус                      ПОДОЗРИТЕЛЬНЫЙ ОБЪЕКТ
Путь до файла               Типичен для вирусов и троянов
                            
Доп. информация             на момент обновления списка
CmdLine                     /PJ=9757386 /ZGVLO=92 /NBW /MKJ=13105
SHA1                        E387EFA1B3580EA075FA637E19C388DF7A330D3D
MD5                         95E3593CA9A3CE84ECB40B727FDD3234
                            
Ссылки на объект            
Ссылка                      C:\WINDOWS\TASKS\JAVA.JOB
Значение                    "C:\Users\Дмитрий\AppData\Roaming\java.exe" /pj=9757386 /zgvlo=92 /nbw /mkj=13105
                            
Ссылка                      C:\WINDOWS\SYSTEM32\TASKS\JAVA
Task                        \java
                            
Ссылка                      HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{0A0F558A-0B55-40B5-87F6-4C46E55B74BD}\Actions
Actions                     "C:\Users\Дмитрий\AppData\Roaming\java.exe" /pj=9757386 /zgvlo=92 /nbw /mkj=13105
                            
Ссылка                      HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{0A0F558A-0B55-40B5-87F6-4C46E55B74BD}\

 


  • Administrators

Let me know when the LiveGrid Feedback system gets enabled, will check if we have received any of those suspicious files.

Also provide a Procmon boot log with logging stopped after threat detection after the reboot along with fresh ELC logs.


1 hour ago, Marcos said:

Please provide the file c:\users\igor\appdata\roaming\msidb.exe, do not delete it until I confirm receipt.

Please check, I sent the file in an archive in a private message.


27 minutes ago, Marcos said:

Let me know when the LiveGrid Feedback system gets enabled, will check if we have received any of those suspicious files.

Also provide a Procmon boot log with logging stopped after threat detection after the reboot along with fresh ESET Log Collector logs.

Unfortunately, the task with the file has already been cleaned up, so now we just have to wait for the next similar case; then we will create the full logs (ESET Log Collector + Procmon) before cleaning the system.

According to the user, there are no detections yet.

Edited by safety

Reviewing a similar ESET Win32/Spy.Agent variant behavior description here: https://www.virusradar.com/en/Win32_Spy.Agent.OVP/description , I would begin by taking a hard look at suspicious entries in the device's Windows startup directories.

Start with the C:\Users\xxxxxx\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup directory. Make sure you temporarily set the Windows Explorer view to show OS files. The only thing that should be in this directory is a desktop.ini file.

Next, proceed to reviewing the following directories:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

Windows accesses these directories in top-down order at system startup. Also, Sysinternals Autoruns might be of assistance here. Make sure you enable the option to have entries scanned at VirusTotal.

-EDIT- This Win32_Spy.Agent variant description: https://www.virusradar.com/en/Win32_Spy.Agent.OXJ/description might be more relevant, since it shows rundll32.exe running from a Windows registry startup location.

Edited by itman
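To walk the locations itman lists without hand-browsing regedit, here is an added PowerShell example (not from the thread, not ESET's or Autoruns' code). It dumps the six Run/RunOnce keys and the per-user Startup folder and flags entries that launch from a user profile or that use rundll32.exe to load a DLL by path, the pattern in the linked OXJ description. The "suspect" test is my own heuristic; for the Windows NT\CurrentVersion\Windows entry, Run and Load are values on that key rather than a subkey, so the script reads the parent key.

```powershell
# Added example (not from the thread): enumerate the autostart locations listed above
# plus the per-user Startup folder, and flag entries worth a closer look.
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows',   # Run/Load are values here
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Test-SuspectCommand([string]$cmd) {
    $expanded = [Environment]::ExpandEnvironmentVariables($cmd)
    # Heuristic (assumption): executable under C:\Users\, or rundll32 loading a DLL by full path
    ($expanded -match '^\s*"?[A-Za-z]:\\Users\\') -or
    ($expanded -match '(?i)rundll32(\.exe)?\s+"?[A-Za-z]:\\')
}

$entries = @(foreach ($key in $keys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }                       # key absent on this machine
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }           # skip provider metadata properties
        if ($key -like '*\Windows NT\CurrentVersion\Windows' -and $p.Name -notin 'Run','Load') { continue }
        [pscustomobject]@{
            Location = $key
            Name     = $p.Name
            Command  = [string]$p.Value
            Suspect  = Test-SuspectCommand ([string]$p.Value)
        }
    }
})

# Per-user Startup folder: anything other than desktop.ini deserves a look
$startup = [Environment]::GetFolderPath('Startup')
$entries += @(Get-ChildItem -LiteralPath $startup -Force -ErrorAction SilentlyContinue |
    Where-Object Name -ne 'desktop.ini' |
    ForEach-Object { [pscustomobject]@{ Location = $startup; Name = $_.Name; Command = $_.FullName; Suspect = $true } })

$entries | Sort-Object Suspect -Descending | Format-Table -AutoSize
```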