
How to remove “Win32/Agent.NHB”?


Win32/Agent.NHB is the ESET detection name for this sample; several other vendors classify it as a variant of the MyDoom mass-mailing worm (see the detection names further down). While the infection is active you may notice unfamiliar processes in the Task Manager list; the sample also opens a listening TCP port and sends e-mail. In that case, it is advised to scan your computer with GridinSoft Anti-Malware.

GridinSoft Anti-Malware

Removing malware by hand can take hours and can damage the system if the wrong file or registry entry is deleted. We recommend GridinSoft Anti-Malware for removal; the trial period allows a complete scan and clean-up of the PC.
6-day free trial available.

What can Win32/Agent.NHB do?

The following behaviours were recorded during automated sandbox analysis of the sample:

  • Attempts to connect to a dead IP:Port (3 unique times)
  • Possible date expiration check, exits too soon after checking local time
  • Starts servers listening on 0.0.0.0:3159
  • Drops a binary and executes it
  • Performs some HTTP requests
  • A process attempted to delay the analysis task for a long time (sandbox evasion)
  • Installs itself for autorun at Windows startup
  • Creates a hidden or system file
  • Checks the presence of disk drives in the registry, possibly for anti-virtualization
  • Creates a copy of itself
  • Makes SMTP requests, possibly sending spam or exfiltrating data.
  • Creates a slightly modified copy of itself

Related domains (hosts the sample contacted during analysis). Most entries are mail exchangers of legitimate domains (the mx*, mxa-/mxb-, in*-smtp and apple.com mail-service hosts), which fits the SMTP activity listed above: they are most likely the recipients' mail servers rather than attacker infrastructure, so block them with care. The ten-letter names such as qanrmqnprn.info look randomly generated:

qanrmqnprn.info
ma1-aaemail-dr-lapp01.apple.com
ma1-aaemail-dr-lapp02.apple.com
ma1-aaemail-dr-lapp03.apple.com
rn-mailsvcp-ppex-lapp14.apple.com
rn-mailsvcp-ppex-lapp15.apple.com
rn-mailsvcp-ppex-lapp24.apple.com
rn-mailsvcp-ppex-lapp34.apple.com
rn-mailsvcp-ppex-lapp35.apple.com
rn-mailsvcp-ppex-lapp44.apple.com
rn-mailsvcp-ppex-lapp45.apple.com
pb-mx20.pobox.com
mx01.oxsus-vadesecure.net
mxa-00377f03.gslb.pphosted.com
mxb-00377f03.gslb.pphosted.com
mx02.oxsus-vadesecure.net
mxb-00377f01.gslb.pphosted.com
mx03.oxsus-vadesecure.net
mx04.oxsus-vadesecure.net
mx.cam.ac.uk
ismtp.sitestar.everyone.net
mqprparnws.in
arnqarwmsn.com
onlineconnections.com.au
hqqhmeqhes.net
mx2-lw-us.apache.org
mx1-lw-us.apache.org
mx1-lw-eu.apache.org
mx2-lw-eu.apache.org
phhpqhqaqh.in
sanppqeqsa.biz
aawemqshra.com
mhwqeramar.in
nqrwnmsmpn.us
eqmmrhsmsh.ws
paqhmsphpn.in
msenmmqrna.in
qpmrpawwhh.info
sqmnnsppah.biz
mxbiz1.qq.com
rpnraaswhh.org
wpweweaeea.in
digicool.com
qapsramhma.info
epqwhmwswa.ws
aarrnepnsh.com
smmrhhpwms.biz
ahmqsnmwnh.com
mail.python.org
eremwwqwah.ws
aasanwwrqn.com
hrnnsmsnen.net
in2-smtp.messagingengine.com
in1-smtp.messagingengine.com

How to identify Win32/Agent.NHB?

The hashes below identify the exact sample that was analysed. Because the sample creates slightly modified copies of itself, a copy found on an infected host may not match the md5/sha1/sha256/sha512 values; the ssdeep fuzzy hash can still match such near-identical files.

File Info:

crc32: 54330901
md5: 2f8f8012ebb28563cc02c5fd13331a77
name: 2F8F8012EBB28563CC02C5FD13331A77.mlw
sha1: 1a2fbf934df02869dc7a563501835e1feb5f6b5c
sha256: 0ea327b5a6eb09b51bd1337c2b29e9fd4cbfa11a083736b47188884ffca7e2bf
sha512: 92326e07db24f96b8f56e5b2b4f7d19dfcaa255592ec0de3f38ee585d5fa50d8a9038f65924b4b39125254ec234783beb003057289bcc995e1edf2afcd10f18c
ssdeep: 3072:rOjWuyt0ZsqsXOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3rnXLHf7zjPP:rIs9OKofHfHTXQLzgvnzHPowYbvrjD/
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
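As an added example (not code from this page or from GridinSoft), the following Python script checks a host for the indicators given in the behaviour list above and in the File Info block: it hashes suspect files in a single pass and compares the digests with the published ones, tests whether anything accepts TCP connections on port 3159 (the listener the sandbox observed), and on Windows lists the Run keys the sample would use for autorun. The hash values and the port are taken from this page; the function names are this example's own, and the ssdeep digest is not checked because fuzzy hashing needs a third-party library.

```python
"""Added example: hunt for the Win32/Agent.NHB indicators listed on this page.

The digests and the port come from the page; everything else here is this
example's own code and naming.
"""
import hashlib
import socket
import sys

# Published hashes of the analysed sample (from the File Info section).
IOC_HASHES = {
    "md5": "2f8f8012ebb28563cc02c5fd13331a77",
    "sha1": "1a2fbf934df02869dc7a563501835e1feb5f6b5c",
    "sha256": "0ea327b5a6eb09b51bd1337c2b29e9fd4cbfa11a083736b47188884ffca7e2bf",
    "sha512": "92326e07db24f96b8f56e5b2b4f7d19dfcaa255592ec0de3f38ee585d5fa50d8"
              "a9038f65924b4b39125254ec234783beb003057289bcc995e1edf2afcd10f18c",
}
IOC_LISTEN_PORT = 3159  # the sandbox saw the sample listen on 0.0.0.0:3159


def hash_file(path, chunk_size=1 << 20):
    """Stream a file once and return its md5/sha1/sha256/sha512 hex digests."""
    hashers = {name: hashlib.new(name) for name in IOC_HASHES}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def matching_iocs(digests, iocs=IOC_HASHES):
    """Return the set of algorithm names whose digest equals the published IoC."""
    return {name for name, value in iocs.items()
            if digests.get(name, "").lower() == value}


def port_listening(port, host="127.0.0.1", timeout=0.5):
    """True if something accepts TCP connections on host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def windows_autorun_entries():
    """List (hive, name, command) from the HKLM/HKCU Run keys. Windows only;
    returns an empty list elsewhere."""
    if sys.platform != "win32":
        return []
    import winreg  # standard library on Windows
    entries = []
    subkey = r"Software\Microsoft\Windows\CurrentVersion\Run"
    hives = ((winreg.HKEY_LOCAL_MACHINE, "HKLM"), (winreg.HKEY_CURRENT_USER, "HKCU"))
    for hive, label in hives:
        try:
            with winreg.OpenKey(hive, subkey) as key:
                index = 0
                while True:
                    try:
                        name, value, _ = winreg.EnumValue(key, index)
                    except OSError:  # no more values
                        break
                    entries.append((label, name, value))
                    index += 1
        except OSError:  # key missing or not readable
            continue
    return entries


if __name__ == "__main__":
    # Usage: python hunt_agent_nhb.py [file ...]
    for path in sys.argv[1:]:
        digests = hash_file(path)
        hit = matching_iocs(digests)
        print(f"{path}: sha256={digests['sha256']} ioc-match={sorted(hit) or 'none'}")
    print(f"TCP {IOC_LISTEN_PORT} accepting connections locally: "
          f"{port_listening(IOC_LISTEN_PORT)}")
    for hive, name, command in windows_autorun_entries():
        print(f"autorun {hive}\\...\\Run  {name} = {command}")
```

Because the sample writes slightly modified copies of itself, a missed hash match does not clear a file: treat the digest comparison as confirmation of a hit, not as proof of absence, and rely on the listener and autorun checks for the rest.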

Version Info:

0: [No Data]

Detection names used by other vendors for the same sample (vendor: detection name):

Bkav: W32.AIDetectVM.malware1
K7AntiVirus: Trojan ( 004d7c651 )
DrWeb: Trojan.DownLoader8.56532
Cynet: Malicious (score: 100)
CAT-QuickHeal: Trojan.Small.S5091480
ALYac: Trojan.GenericKDZ.66635
Malwarebytes: Worm.MyDoom
Zillya: Dropper.Mudrop.Win32.4765
Sangfor: Malware
CrowdStrike: win/malicious_confidence_100% (W)
Alibaba: TrojanDropper:Win32/Small.cb3233f2
K7GW: Trojan ( 004d7c651 )
Cybereason: malicious.2ebb28
TrendMicro: TROJ_GEN.R002C0DE620
Cyren: W32/S-e4365596!Eldorado
Symantec: W32.Mydoom.B@mm
ESET-NOD32: a variant of Win32/Agent.NHB
APEX: Malicious
Avast: Win32:Mydoom-BJ [Wrm]
ClamAV: Win.Dropper.Mudrop-6801241-0
GData: Trojan.GenericKDZ.66635
Kaspersky: Trojan.Win32.Small.acli
BitDefender: Trojan.GenericKDZ.66635
NANO-Antivirus: Trojan.Win32.Mudrop.ijmve
SUPERAntiSpyware: Trojan.Agent/Gen-MalPE
MicroWorld-eScan: Trojan.GenericKDZ.66635
Tencent: Malware.Win32.Gencirc.10b0c1b8
Ad-Aware: Trojan.GenericKDZ.66635
Sophos: Mal/Behav-104
Comodo: Packed.Win32.MUPX.Gen@24tbus
F-Secure: Trojan.TR/Proxy.Gen
BitDefenderTheta: AI:Packer.4BC13D7B1D
VIPRE: BehavesLike.Win32.Malware.ssc (mx-v)
Invincea: heuristic
Trapmine: malicious.high.ml.score
FireEye: Generic.mg.2f8f8012ebb28563
Emsisoft: Trojan.GenericKDZ.66635 (B)
F-Prot: W32/S-e4365596!Eldorado
Endgame: malicious (high confidence)
Avira: TR/Proxy.Gen
Antiy-AVL: Trojan[Dropper]/Win32.Mudrop
Microsoft: Trojan:Win32/Mydoom
Jiangmin: TrojanDropper.Mudrop.bpo
Arcabit: Trojan.Generic.D1044B
AegisLab: Trojan.Win32.Small.tpLR
ZoneAlarm: Trojan.Win32.Small.acli
TACHYON: Trojan/W32.Agent.121344.BDA
AhnLab-V3: Dropper/Win32.Mudrop.C84237
Acronis: suspicious
McAfee: W32/Mytob.gen@MM.i
MAX: malware (ai score=80)
VBA32: BScope.Trojan-Spy.Zbot
Panda: W32/MyDoom.IC.worm
TrendMicro-HouseCall: TROJ_GEN.R002C0DE620
Rising: Trojan.Agent!1.C364 (CLOUD)
Yandex: Trojan.DR.Mudrop!8eYttnhsld8
SentinelOne: DFI – Malicious PE
eGambit: Unsafe.AI_Score_100%
Fortinet: W32/Agent.NHB!worm
AVG: Win32:Mydoom-BJ [Wrm]
Qihoo-360: Win32/Trojan.8e6

How to remove Win32/Agent.NHB?

Win32/Agent.NHB removal tool
  • Download and install GridinSoft Anti-Malware.
  • Open GridinSoft Anti-Malware and perform a “Standard scan”.
  • Click “Move to quarantine” for all detected items.
  • Open the “Tools” tab and press “Reset Browser Settings”.
  • Select the browser and the options to reset, then click “Reset”.
  • Restart your computer.

After the restart, confirm that no unknown entry remains in the Windows autorun locations and that nothing is listening on TCP port 3159, since the sample installs itself for autorun and starts a listener on that port.

About the author

Paul Valéry

I'm a cyber security analyst and data science expert with 5+ years of experience with security software contractors.
