SonicALERT

Sonicwall Signatures

AdAnti.H_1
AdAnti.H_1 is a Virus. A virus is a type of malware that, when executed, replicates by inserting copies of itself (possibly modified) into other computer programs, data files, or the boot sector of the hard drive.

Mutexes created
  • {37411D8D-D76A-4F83-B070-E5E25D057048}-32


Directory level activity
  • create - dir - C:\Documents and Settings\TestMachine\Application Data\FZip


File level activity
  • delete - file - C:\Documents and Settings\TestMachine\Application Data\FZip\skin.dat
  • write - file - C:\Documents and Settings\TestMachine\Application Data\FZip\skin.dat


Registry level activity
  • write - registry - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData


Library level activity
  • load - library - api-ms-win-core-synch-l1-2-0
  • load - library - kernel32
  • load - library - api-ms-win-core-fibers-l1-1-1
  • load - library - api-ms-win-core-localization-l1-2-1
  • load - library - kernel32.dll
  • load - library - ntdll
  • load - library - C:\WINDOWS\system32\uxtheme.dll
  • load - library - uxtheme.dll
  • load - library - api-ms-win-appmodel-runtime-l1-1-1
  • load - library - ext-ms-win-kernel32-package-current-l1-1-0
  • load - library - Kernel32.dll
  • load - library - ADVAPI32.DLL
  • load - library - ws2_32
  • load - library - C:\WINDOWS\system32\WINHTTP.dll
  • load - library - wintrust.dll
  • load - library - schannel
  • load - library - crypt32
  • load - library - mscoree.dll


Process API calls used
  • NtCreateSection
  • ZwMapViewOfSection
  • NtFreeVirtualMemory
  • ExitProcess


Registry API calls used
  • RegCreateKeyExW
  • RegQueryValueExW
  • RegCloseKey
  • RegSetValueExW
  • RegOpenKeyExA
  • RegQueryValueExA
  • RegOpenKeyExW
  • RegOpenKeyExA


System API calls used
  • LdrLoadDll
  • LdrGetProcedureAddress
  • LdrGetDllHandle
  • IsDebuggerPresent
  • NtDelayExecution
  • LdrGetDllHandle


Filesystem API calls used
  • NtCreateFile
  • NtDeviceIoControlFile
  • DeleteFileW
  • CreateDirectoryW
  • NtWriteFile
  • NtQueryInformationFile
  • NtSetInformationFile

Network

UDP source >> destination
  • 192.168.30.6 >> 192.168.30.254
  • 192.168.30.6 >> 8.8.8.8


TCP source >> destination
  • 192.168.30.6 >> 47.114.86.195



Domains:
  • fbq.52ff.cn with IP - 47.114.86.195

DNS Request:
  • fbq.52ff.cn

HTTP Request:
  • POST URI - http://fbq.52ff.cn:857/api/update/get
  • POST URI - http://fbq.52ff.cn:857/api/update/report

DLL related data
Number of DLLs imported = 9
  • SHLWAPI.dll
  • WINHTTP.dll
  • IPHLPAPI.DLL
  • PSAPI.DLL
  • KERNEL32.dll
  • USER32.dll
  • ADVAPI32.dll
  • SHELL32.dll
  • VERSION.dll


Relevant Information