Backdoor.MSIL.Agent.THB

By CagedTech in Backdoors

Analysis Report

General information

Family Name: Backdoor.MSIL.Agent.THB
Signature status: Hash Mismatch

Known Samples

MD5: 8434d8db5c955c69cbd522dfa42b45eb
SHA1: 61554c5cdf56f04eabd255e3191c3d4da9d3469a
SHA256: E2751B7B1E4CD7F51753F7CA1B405DB916C80C329AB93D9A1C988BC3999E876F
File Size: 4.19 MB, 4188000 bytes

Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have exports table
  • File is .NET application
  • File is 32-bit executable
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Icons

Windows PE Version Information

Assembly Version: 1.8.5.0
Comments: Ashampoo Driver Updater
Company Name: Ashampoo
File Description: Ashampoo Driver Updater
File Version: 1.8.5.0
Internal Name: ashpdu.exe
Legal Copyright: Ashampoo GmbH & Co. KG
Original Filename: ashpdu.exe
Product Name: Ashampoo Driver Updater
Product Version: 1.8.5.0

Digital Signatures

Signer: Ashampoo GmbH & Co. KG
Root: GlobalSign Code Signing Root R45
Status: Hash Mismatch

File Traits

  • .NET
  • RijndaelManaged
  • x86

Block Information

Total Blocks: 475
Potentially Malicious Blocks: 155
Whitelisted Blocks: 87
Unknown Blocks: 233

Visual Map

x x ? x x x 0 x x x 0 x x x 0 ? ? x ? x ? 0 x ? ? ? ? ? x ? ? ? 0 x ? ? ? ? ? ? ? 0 ? x x ? x ? ? x ? 0 x x x x x ? ? ? x ? ? x x x 0 ? ? x ? x ? ? ? ? x x x x ? ? ? ? ? ? x x ? 0 x x ? x ? ? ? x 0 x ? ? ? ? ? x ? x x ? 0 ? 0 x x ? x ? ? 0 0 0 0 0 0 0 0 0 ? 0 x ? ? ? ? x x 0 x ? ? ? ? ? x x x x ? ? ? ? ? x ? ? ? ? ? ? ? x x ? x ? ? ? ? ? ? ? ? ? ? ? ? x ? ? x ? x ? ? ? ? ? ? ? ? ? x ? ? x ? x ? ? ? ? ? x ? ? x ? ? ? x ? x ? ? ? ? ? x x 0 ? ? x ? x 0 x x x 0 x x x ? 0 ? ? x ? x ? x ? ? x ? ? ? ? ? ? ? ? x x ? x x ? ? ? x x 0 0 ? ? ? ? ? ? x ? 0 x ? ? ? x x ? ? x ? ? ? x ? ? ? ? ? x x ? x ? ? x x x x x ? x ? ? ? ? x 0 0 0 x x x x 0 x x x x ? x x ? ? ? ? x x x x ? ? x x x x x x ? x x 0 0 x 0 ? x x x x x ? ? 0 ? ? x x ? ? ? ? ? ? 0 x ? ? x ? ? ? ? ? x x ? ? x x x ? ? ? x ? ? ? x ? ? x 0 0 0 0 ? x x x 0 ? 0 ? ? 0 ? ? x ? x ? ? ? ? ? ? ? ? ? ? ? x x x ? ? ? 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Files Modified

  • \device\namedpipe\gmdasllogger
    Attributes: Generic Write, Read Attributes
  • c:\users\user\appdata\locallow\microsoft\cryptneturlcache\content\357f04ad41bcf5fe18fcb69f60c6680f_84a6276ee287248b10d25b904bce651e
    Attributes: Generic Read, Write Data, Write Attributes, Write Extended, Append Data
  • c:\users\user\appdata\locallow\microsoft\cryptneturlcache\content\9cb4373a4252de8d2212929836304ec5_1ab74aa2e3a56e1b8ad8d3fec287554e
    Attributes: Generic Read, Write Data, Write Attributes, Write Extended, Append Data
  • c:\users\user\appdata\locallow\microsoft\cryptneturlcache\metadata\357f04ad41bcf5fe18fcb69f60c6680f_84a6276ee287248b10d25b904bce651e
    Attributes: Generic Read, Write Data, Write Attributes, Write Extended, Append Data
  • c:\users\user\appdata\locallow\microsoft\cryptneturlcache\metadata\9cb4373a4252de8d2212929836304ec5_1ab74aa2e3a56e1b8ad8d3fec287554e
    Attributes: Generic Read, Write Data, Write Attributes, Write Extended, Append Data
  • c:\windows\appcompat\programs\amcache.hve
    Attributes: Read Data, Read Control, Write Data
  • c:\windows\appcompat\programs\amcache.hve
    Attributes: Write Attributes

Registry Modifications

  • Key: HKLM\software\microsoft\windows nt\currentversion\notifications\data
    Value: 418a073aa3bc1c75
    Data: (none recorded)
    API Name: RegNtPreCreateKey
  • Key: HKLM\system\software\microsoft\tip\aggregateresults
    Value: data
    Data: 隞̃鄁耀꧌ňǜ
    API Name: RegNtPreCreateKey

Windows API Usage

Syscall Use
  • ntdll.dll!NtAccessCheck
  • ntdll.dll!NtAdjustPrivilegesToken
  • ntdll.dll!NtAlertThreadByThreadId
  • ntdll.dll!NtAlpcConnectPort
  • ntdll.dll!NtAlpcConnectPortEx
  • ntdll.dll!NtAlpcCreateResourceReserve
  • ntdll.dll!NtAlpcCreateSecurityContext
  • ntdll.dll!NtAlpcDeleteSecurityContext
  • ntdll.dll!NtAlpcDisconnectPort
  • ntdll.dll!NtAlpcQueryInformation
  • ntdll.dll!NtAlpcQueryInformationMessage
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtAlpcSetInformation
  • ntdll.dll!NtApphelpCacheControl
  • ntdll.dll!NtAssociateWaitCompletionPacket
  • ntdll.dll!NtCancelWaitCompletionPacket
  • ntdll.dll!NtClearEvent
  • ntdll.dll!NtClose
  • ntdll.dll!NtCreateEvent
  • ntdll.dll!NtCreateIoCompletion
  • ntdll.dll!NtCreateKey
  • ntdll.dll!NtCreateMutant
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtCreateSemaphore
  • ntdll.dll!NtCreateThreadEx
  • ntdll.dll!NtCreateTimer2
  • ntdll.dll!NtCreateWaitCompletionPacket
  • ntdll.dll!NtCreateWorkerFactory
  • ntdll.dll!NtDelayExecution
  • ntdll.dll!NtDeleteValueKey
  • ntdll.dll!NtDeviceIoControlFile
  • ntdll.dll!NtDuplicateObject
  • ntdll.dll!NtDuplicateToken
  • ntdll.dll!NtEnumerateKey
  • ntdll.dll!NtEnumerateValueKey
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtFsControlFile
  • ntdll.dll!NtGetCompleteWnfStateSubscription
  • ntdll.dll!NtLoadKeyEx
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtNotifyChangeKey
  • ntdll.dll!NtOpenDirectoryObject
  • ntdll.dll!NtOpenEvent
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenKeyEx
  • ntdll.dll!NtOpenProcess
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtOpenProcessTokenEx
  • ntdll.dll!NtOpenSection
  • ntdll.dll!NtOpenSemaphore
  • ntdll.dll!NtOpenSymbolicLinkObject
  • ntdll.dll!NtOpenThread
  • ntdll.dll!NtOpenThreadToken
  • ntdll.dll!NtOpenThreadTokenEx
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryDefaultLocale
  • ntdll.dll!NtQueryDirectoryFileEx
  • ntdll.dll!NtQueryEvent
  • ntdll.dll!NtQueryFullAttributesFile
  • ntdll.dll!NtQueryInformationFile
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQueryKey
  • ntdll.dll!NtQueryLicenseValue
  • ntdll.dll!NtQueryObject
  • ntdll.dll!NtQueryPerformanceCounter
  • ntdll.dll!NtQuerySecurityAttributesToken
  • ntdll.dll!NtQuerySecurityObject
  • ntdll.dll!NtQuerySymbolicLinkObject
  • ntdll.dll!NtQuerySystemInformation
  • ntdll.dll!NtQuerySystemInformationEx
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryWnfStateData
  • ntdll.dll!NtQueueApcThread
  • ntdll.dll!NtReadFile
  • ntdll.dll!NtReadRequestData
  • ntdll.dll!NtReadVirtualMemory
  • ntdll.dll!NtReleaseMutant
  • ntdll.dll!NtReleaseSemaphore
  • ntdll.dll!NtReleaseWorkerFactoryWorker
  • ntdll.dll!NtResumeThread
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationKey
  • ntdll.dll!NtSetInformationObject
  • ntdll.dll!NtSetInformationProcess
  • ntdll.dll!NtSetInformationThread
  • ntdll.dll!NtSetInformationVirtualMemory
  • ntdll.dll!NtSetInformationWorkerFactory
  • ntdll.dll!NtSetSecurityObject
  • ntdll.dll!NtSetTimer2
  • ntdll.dll!NtSubscribeWnfStateChange
  • ntdll.dll!NtTestAlert
  • ntdll.dll!NtTraceControl
  • ntdll.dll!NtTraceEvent
  • ntdll.dll!NtUnmapViewOfSection
  • ntdll.dll!NtUnmapViewOfSectionEx

9 additional items are not displayed above.

User Data Access
  • GetUserObjectInformation
Anti Debug
  • IsDebuggerPresent
Encryption Used
  • BCryptOpenAlgorithmProvider
Process Manipulation Evasion
  • NtUnmapViewOfSection
  • ReadProcessMemory
Process Shell Execute
  • CreateProcess

Shell Command Execution

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\\dw20.exe dw20.exe -x -s 1812