Backdoor.MSIL.DllInject.XSC
Table of Contents
Analysis Report
General information
| Family Name: | Backdoor.MSIL.DllInject.XSC |
|---|---|
| Signature status: | No Signature |
Known Samples
Known Samples
This section lists other file samples believed to be associated with this family.|
MD5:
d02a3c5a0c2c88728e215831fe5f014f
SHA1:
e4eb80e4d89ef98ee4468b815b4e7eaeebde975f
SHA256:
E5D8A5964F23D808C8E6E64DEC279C54F2ED7F0D053CB0DE06EF0AF1E39BCFA3
File Size:
5.38 MB, 5381632 bytes
|
|
MD5:
877af60059f7c1d0be4202b71abb4cc9
SHA1:
c72405275f8ec4aeb46456ea64690a4b5a0a0634
SHA256:
5087F183B761E396D616DB0EEF9DE60FB91492622A44576BF1C8414DD0637560
File Size:
4.07 MB, 4072960 bytes
|
|
MD5:
3c7c7af46e87484b978390630d91b2cb
SHA1:
9cfc567650a2efc5f8ba9d21c3d315700ab2b1be
SHA256:
175314F18D497FF293E59937B5247F70B727A96787F8EF476FC385281AC7818E
File Size:
3.49 MB, 3488256 bytes
|
|
MD5:
c50da9cac8b2741cb40a4b3c281d11b1
SHA1:
675c3efffa588530cd99ac904a586b751c98ad37
SHA256:
A8049503B14698E9299506763061868235D1A1BE8E15163F1CFA2A54B708F047
File Size:
6.23 MB, 6231040 bytes
|
Windows Portable Executable Attributes
- File doesn't have "Rich" header
- File doesn't have debug information
- File doesn't have exports table
- File doesn't have relocations information
- File doesn't have security information
- File is .NET application
- File is 32-bit executable
- File is 64-bit executable
- File is either console or GUI application
- File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
Show More
- File is not packed
- IMAGE_FILE_DLL is not set inside PE header (Executable)
- IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)
File Icons
File Icons
This section displays icon resources found within family samples. Malware often replicates icons commonly associated with legitimate software to mislead users into believing the malware is safe.
Windows PE Version Information
Windows PE Version Information
This section displays values and attributes that have been set in the Windows file version information data structure for samples within this family. To mislead users, malware actors often add fake version information mimicking legitimate software.| Name | Value |
|---|---|
| Assembly Version |
|
| Comments | IMMORTAL |
| Company Name | IMMORTAL |
| File Description |
|
| File Version |
|
| Internal Name |
|
| Legal Copyright |
|
| Original Filename |
|
| Product Name |
|
| Product Version |
|
File Traits
- .NET
- Agile.net
- Confuser
- CreateThread
- Fody
- HighEntropy
- VirtualQueryEx
- WriteProcessMemory
- x64
- x86
Block Information
Block Information
During analysis, EnigmaSoft breaks file samples into logical blocks for classification and comparison with other samples. Blocks can be used to generate malware detection rules and to group file samples into families based on shared source code, functionality and other distinguishing attributes and characteristics. This section lists a summary of this block data, as well as its classification by EnigmaSoft. A visual representation of the block data is also displayed, where available.| Total Blocks: | 1,384 |
|---|---|
| Potentially Malicious Blocks: | 926 |
| Whitelisted Blocks: | 333 |
| Unknown Blocks: | 125 |
Visual Map
0
x
x
x
x
0
0
x
x
0
x
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
0
0
0
0
0
0
0
0
0
0
0
0
0
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
0
0
0
0
0
0
0
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
0
0
0
0
0
0
0
0
0
0
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
0
0
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
0
?
0
0
0
0
0
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
0
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
0
x
x
x
x
0
0
x
x
x
x
x
0
0
0
0
0
0
0
x
0
0
0
0
0
0
0
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
0
0
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
0
0
0
0
0
0
0
0
0
0
x
x
x
0
0
x
0
0
x
0
0
0
0
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
0
0
0
x
x
x
x
x
x
x
x
x
0
0
0
0
0
0
0
0
0
0
x
0
0
0
0
0
x
x
x
x
x
0
0
x
0
0
0
x
x
0
0
x
x
0
0
0
0
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
0
0
x
x
x
x
x
x
x
x
x
x
0
0
x
x
x
x
x
x
0
0
0
0
0
0
0
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
0
0
x
x
x
x
0
x
x
0
0
x
0
0
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
0
0
x
x
0
x
x
0
0
0
0
0
x
0
x
x
0
x
x
x
x
0
?
x
x
x
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
x
?
?
?
?
x
?
?
?
?
?
?
?
?
?
?
?
?
x
?
?
?
?
?
x
x
?
?
?
x
?
x
?
?
?
?
x
?
?
?
?
x
x
x
?
x
x
?
x
x
?
?
x
?
?
?
?
?
?
x
x
0
0
x
0
0
?
?
x
?
?
?
?
0
0
?
?
?
?
?
x
x
x
?
?
?
x
x
x
x
x
x
x
?
?
?
?
?
?
?
?
x
?
x
?
x
x
?
?
?
x
?
?
?
?
?
x
?
?
?
?
x
x
?
x
?
x
x
?
?
?
x
?
?
?
?
?
x
?
?
?
?
x
?
?
x
?
x
x
x
x
?
?
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
?
x
x
?
x
?
0
0
x
?
?
x
?
x
x
x
0
x
x
0
x
0
x
x
x
x
x
x
x
x
x
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block
? - Unknown Block
x - Potentially Malicious Block
Similar Families
Similar Families
This section lists other families that share similarities with this family, based on EnigmaSoft’s analysis. Many malware families are created from the same malware toolkits and use the same packing and encryption techniques but uniquely extend functionality. Similar families may also share source code, attributes, icons, subcomponents, compromised and/or invalid digital signatures, and network characteristics. Researchers leverage these similarities to rapidly and effectively triage file samples and extend malware detection rules.- MSIL.DllInject.XSC
Windows API Usage
Windows API Usage
This section lists Windows API calls that are used by the samples in this family. Windows API usage analysis is a valuable tool that can help identify malicious activity, such as keylogging, security privilege escalation, data encryption, data exfiltration, interference with antivirus software, and network request manipulation.| Category | API |
|---|---|
| Syscall Use |
Show More
|
| User Data Access |
|
| Anti Debug |
|
| Encryption Used |
|
