
Adware.Koala.A

By CagedTech in Adware

Analysis Report

General information

Family Name: Adware.Koala.A
Signature status: No Signature

Known Samples

Sample 1
MD5: c54c8964e17bd72ceaa9d8c5859faee3
SHA1: d63062649d54a9030d6026f6b7ab819424c60053
SHA256: B9B61E856B38934A1068CA4508CB681E767F5E4AE1B9A902180A53053D684064
File Size: 8.13 MB, 8131072 bytes

Sample 2
MD5: ac25651451fcc10a00e882da654b9e58
SHA1: e65887525cb6a9a62b35502781eff866633a6548
SHA256: D2E1A2727F7E07635BDA170C47881968A2CB3EFBBB2256ECE8F36057B5E10A51
File Size: 3.64 MB, 3637248 bytes

Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have exports table
  • File doesn't have security information
  • File has exports table
  • File has TLS information
  • File is 64-bit executable
  • File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Icons

Windows PE Version Information

Company Name: https://juij.fun & 公众号/bilibili:非线性列车 [编译优化]
File Description: 解锁 Steam DLC
File Version: 2.0.7
Internal Name: SmokeAPI
Legal Copyright: https://juij.fun & 公众号/bilibili:非线性列车 [编译优化]
Original Filename: SmokeAPI.dll
Product Name: SmokeAPI
Product Version: 2.0.7

File Traits

  • dll
  • fptable
  • HighEntropy
  • No Version Info
  • ntdll
  • WriteProcessMemory
  • x64

Block Information

Total Blocks: 12,109
Potentially Malicious Blocks: 1,211
Whitelisted Blocks: 10,632
Unknown Blocks: 266

Visual Map

[Block map omitted: the per-block visual map is truncated in the source ("... Data truncated"). Legend as given:]
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Similar Families

  • Koala.A

Files Modified

File: c:\users\user\downloads\juij_6\_÷ÿl}_m#ð.txt
Attributes: Generic Write, Read Attributes

Windows API Usage

Category: Syscall Use
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtClose
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryDebugFilterState
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtReleaseWorkerFactoryWorker
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationProcess
  • ntdll.dll!NtSetInformationVirtualMemory
  • ntdll.dll!NtSetInformationWorkerFactory
  • ntdll.dll!NtTestAlert
  • ntdll.dll!NtTraceControl
  • ntdll.dll!NtUnmapViewOfSection
  • ntdll.dll!NtWaitForWorkViaWorkerFactory
  • ntdll.dll!NtWaitLowEventPair
  • ntdll.dll!NtWriteFile
  • ntdll.dll!NtWriteVirtualMemory
  • win32u.dll!NtUserGetKeyboardLayout
  • win32u.dll!NtUserGetThreadState
