
Backdoor.PSW.Agent.CHG

By CagedTech in Backdoors

Analysis Report

General information

Family Name: Backdoor.PSW.Agent.CHG
Signature status: No Signature

Known Samples

MD5: bff6a91e5a9d65fe7576cb074c97ef56
SHA1: 2be336a6d1f23f60c9f04dc2ad8b590bfda64925
File Size: 89.09 KB, 89088 bytes

MD5: 8575d87d98978c5eb8e52939f9dbf424
SHA1: 46b44a0b9c2b91a3ec788d2edf4de3623426cfc1
SHA256: B4C23721E4F2E746F4601814DF07A99145D5F54559FAE9D4B58D4727357183A7
File Size: 94.21 KB, 94208 bytes

MD5: 63e45a8330e446c14bc68f90e0654fc3
SHA1: 6d294f116dc885beb7e71709030bc789df5a64b2
SHA256: 7ABB23F1AF4DE43F9E04BED4E534F4D2367D83B38FDCF3F083551493D9361B4D
File Size: 89.09 KB, 89088 bytes

MD5: fc7d98f8130d9a711e9a536309cc19d4
SHA1: 15eff1f3ea82ef85e647367189170350a32470ab
SHA256: 385B55AEC72B8C2DA8632B8B128C9DEC44DF8DC017A1730EDB99AAFE9CAD2792
File Size: 89.09 KB, 89088 bytes

MD5: 4bc9796527b80cbc9d7d31ebfa659601
SHA1: 4262216cbbe0300760382f385fa380e0c067bb9e
SHA256: AA20F26BAE240FD10748B851C30B7D7BADAFF683915FC75AE67B2C36EC146C34
File Size: 94.21 KB, 94208 bytes

MD5: 6d57fad406a1563bc07bac2c7b523e3e
SHA1: 2cd5862d68a39d32f9cf834503639a8f96c0c8eb
SHA256: FEB6E09D9C3E792766EA7E679130996F4E5FA5CFF9C87F48F06126B9933A3832
File Size: 94.21 KB, 94208 bytes

MD5: 166831125841c5e917b7563c5d5051dd
SHA1: 9707ffc9707b2489f00041b0aeeeb5745aa81722
SHA256: E1B957A7AED574DE95BCAD77251FF30C1D80B10ED6248057B84078057E6F920D
File Size: 94.21 KB, 94208 bytes

MD5: fcebdb2c568ba9e049efc4c134ef46cb
SHA1: 3ab18118f03ea8df5225da6e8b8b7672e0d193d5
SHA256: 5ED9C7CAA9D68D32A89E92737A6315C2F88E80F774F1A931576D676911695BBF
File Size: 94.21 KB, 94208 bytes

MD5: 822f9803788eb3be0d93974e50eee3da
SHA1: 07903b243d4b8cef387cf012aedae18034d2c333
SHA256: 292E2598D5C79058EABDA41F3604316D4820EB6922B9DE0186FDF676A3025D2A
File Size: 94.21 KB, 94208 bytes
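
The hashes above are the only indicators this report gives, so the practical use is sweeping a host or a share for them. The script below is an added example, not part of the report or the tool that produced it. It embeds the nine samples exactly as listed (the first one has no SHA-256 on the page, so it can only match on MD5 or SHA-1), prefilters by the two known file sizes so that only candidate files get hashed, and prefers the strongest hash available for the match. The function and variable names are my own.

```python
import hashlib
from pathlib import Path

# Known samples copied from the report: (size in bytes, MD5, SHA-1, SHA-256).
# The first entry has no SHA-256 on the page; None keeps that gap explicit.
KNOWN_SAMPLES = [
    (89088, "bff6a91e5a9d65fe7576cb074c97ef56", "2be336a6d1f23f60c9f04dc2ad8b590bfda64925", None),
    (94208, "8575d87d98978c5eb8e52939f9dbf424", "46b44a0b9c2b91a3ec788d2edf4de3623426cfc1",
     "B4C23721E4F2E746F4601814DF07A99145D5F54559FAE9D4B58D4727357183A7"),
    (89088, "63e45a8330e446c14bc68f90e0654fc3", "6d294f116dc885beb7e71709030bc789df5a64b2",
     "7ABB23F1AF4DE43F9E04BED4E534F4D2367D83B38FDCF3F083551493D9361B4D"),
    (89088, "fc7d98f8130d9a711e9a536309cc19d4", "15eff1f3ea82ef85e647367189170350a32470ab",
     "385B55AEC72B8C2DA8632B8B128C9DEC44DF8DC017A1730EDB99AAFE9CAD2792"),
    (94208, "4bc9796527b80cbc9d7d31ebfa659601", "4262216cbbe0300760382f385fa380e0c067bb9e",
     "AA20F26BAE240FD10748B851C30B7D7BADAFF683915FC75AE67B2C36EC146C34"),
    (94208, "6d57fad406a1563bc07bac2c7b523e3e", "2cd5862d68a39d32f9cf834503639a8f96c0c8eb",
     "FEB6E09D9C3E792766EA7E679130996F4E5FA5CFF9C87F48F06126B9933A3832"),
    (94208, "166831125841c5e917b7563c5d5051dd", "9707ffc9707b2489f00041b0aeeeb5745aa81722",
     "E1B957A7AED574DE95BCAD77251FF30C1D80B10ED6248057B84078057E6F920D"),
    (94208, "fcebdb2c568ba9e049efc4c134ef46cb", "3ab18118f03ea8df5225da6e8b8b7672e0d193d5",
     "5ED9C7CAA9D68D32A89E92737A6315C2F88E80F774F1A931576D676911695BBF"),
    (94208, "822f9803788eb3be0d93974e50eee3da", "07903b243d4b8cef387cf012aedae18034d2c333",
     "292E2598D5C79058EABDA41F3604316D4820EB6922B9DE0186FDF676A3025D2A"),
]


def hash_bytes(data: bytes) -> dict:
    """All three digests plus the size, lower-case hex, in one pass over the data."""
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def match_sample(hashes: dict, samples=KNOWN_SAMPLES):
    """Return the matching sample tuple, or None. Strongest available hash wins."""
    for sample in samples:
        size, md5, sha1, sha256 = sample
        if size != hashes["size"]:
            continue
        for algo, listed in (("sha256", sha256), ("sha1", sha1), ("md5", md5)):
            if listed and listed.lower() == hashes[algo]:
                return sample
    return None


def scan_blobs(blobs, samples=KNOWN_SAMPLES):
    """blobs: iterable of (name, bytes). Returns a list of (name, sample) hits."""
    candidate_sizes = {sample[0] for sample in samples}
    hits = []
    for name, data in blobs:
        if len(data) not in candidate_sizes:  # cheap prefilter: never hash the wrong size
            continue
        hit = match_sample(hash_bytes(data), samples)
        if hit is not None:
            hits.append((name, hit))
    return hits


def scan_directory(root, samples=KNOWN_SAMPLES):
    """Walk a directory and report files matching any known sample."""
    candidate_sizes = {sample[0] for sample in samples}
    paths = (p for p in Path(root).rglob("*")
             if p.is_file() and p.stat().st_size in candidate_sizes)
    return scan_blobs(((str(p), p.read_bytes()) for p in paths), samples)


if __name__ == "__main__":
    import sys
    for name, sample in scan_directory(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{name}: matches sample sha1={sample[2]}")
```

Matching on size before hashing is what makes this cheap enough to run across a large share; the size list is exactly the two values the report gives (89088 and 94208 bytes), so anything else is skipped without being read.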

Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have exports table
  • File doesn't have security information (no security data directory, so no embedded Authenticode signature)
  • File is 64-bit executable
  • File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
  • File is either console or GUI application
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)
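
Every attribute in the list above except "not packed" is read straight from the PE headers: the Rich header sits in the DOS stub before the PE signature, "64-bit" is the PE32+ optional-header magic plus the AMD64 machine type, the subsystem and the DLL/executable-image bits are single fields, and "no exports", "no security information" and "not .NET" are data directories with size zero. The parser below is an added example (not the tool's code) that derives those attributes with only the standard library. Because a real sample is not included here, it also builds a constructed, headers-only PE32+ image that reproduces the attribute set shown above; that builder and all function names are my own.

```python
import struct

# Flag and magic values from the PE/COFF format.
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000
IMAGE_FILE_MACHINE_AMD64 = 0x8664
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
SUBSYSTEM_NAMES = {2: "IMAGE_SUBSYSTEM_WINDOWS_GUI", 3: "IMAGE_SUBSYSTEM_WINDOWS_CUI"}
DIR_EXPORT, DIR_SECURITY, DIR_CLR = 0, 4, 14  # data directory indices


def pe_attributes(data: bytes) -> dict:
    """Derive the header-level attributes listed in the report from raw PE bytes."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, _nsect, _ts, _symptr, _nsyms, opt_size, characteristics = \
        struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32PLUS_MAGIC:          # 64-bit layout: 8-byte ImageBase shifts the tail
        count_off, dirs_off = opt + 108, opt + 112
    elif magic == PE32_MAGIC:
        count_off, dirs_off = opt + 92, opt + 96
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]  # same offset in both layouts
    n_dirs = struct.unpack_from("<I", data, count_off)[0]

    def dir_size(index: int) -> int:
        # A directory the header does not declare, or declares with size 0, is absent.
        if index >= n_dirs or dirs_off + 8 * index + 8 > opt + opt_size:
            return 0
        _rva, size = struct.unpack_from("<II", data, dirs_off + 8 * index)
        return size

    return {
        "rich_header": b"Rich" in data[0x40:e_lfanew],   # marker lives in the DOS stub area
        "has_exports": dir_size(DIR_EXPORT) > 0,
        "has_security_dir": dir_size(DIR_SECURITY) > 0,  # Authenticode certificate table
        "is_dotnet": dir_size(DIR_CLR) > 0,              # CLR runtime header present
        "is_64bit": magic == PE32PLUS_MAGIC and machine == IMAGE_FILE_MACHINE_AMD64,
        "subsystem": SUBSYSTEM_NAMES.get(subsystem, f"unknown({subsystem})"),
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        "is_executable_image": bool(characteristics & IMAGE_FILE_EXECUTABLE_IMAGE),
    }


def build_min_pe32plus(subsystem=3, characteristics=IMAGE_FILE_EXECUTABLE_IMAGE, dirs=None) -> bytes:
    """Constructed, headers-only PE32+ image (no sections, not loadable), enough for the parser."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)   # 64-byte DOS header
    opt = bytearray(240)  # PE32+ optional header including 16 data directories
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<H", opt, 68, subsystem)
    struct.pack_into("<I", opt, 108, 16)  # NumberOfRvaAndSizes
    for index, (rva, size) in (dirs or {}).items():
        struct.pack_into("<II", opt, 112 + 8 * index, rva, size)
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_AMD64, 0, 0, 0, 0, len(opt), characteristics)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    for key, value in pe_attributes(build_min_pe32plus()).items():
        print(f"{key}: {value}")
```

Run against the constructed image this prints the same profile the report gives: PE32+ on AMD64, console subsystem, executable image rather than DLL, no Rich header, no exports, no security directory, no CLR header. "Not packed" is deliberately left out: that verdict needs section entropy or import-table heuristics, not header fields.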

File Traits

  • No Version Info
  • x64

Block Information

Total Blocks: 203
Potentially Malicious Blocks: 26
Whitelisted Blocks: 177
Unknown Blocks: 0

Visual Map

0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x x x x x 0 x 0 0 x x x x 0 0 x x x x 0 x x 0 0 x x x x x x 0 0 0 0 0 0 0 0 0 0 0 0 0 1 x 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 x 0 0 0 0 0 0 0 0 0 0 0 2 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 1 0 1 2 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Similar Families

  • PSW.Agent.CHG

Files Modified

File                                      Access requested
c:\users\user\downloads\error_log.txt     Generic Write, Read Attributes
c:\users\user\downloads\info_log.txt      Generic Write, Read Attributes

Windows API Usage

Syscall Use
  • ntdll.dll!NtClose
  • ntdll.dll!NtCreateFile
  • ntdll.dll!NtDeviceIoControlFile
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryInformationFile
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationFile
  • ntdll.dll!NtTestAlert
  • ntdll.dll!NtWriteFile
  • ntdll.dll!NtWriteVirtualMemory
  • win32u.dll!NtUserGetKeyboardLayout
  • win32u.dll!NtUserGetThreadState
Other Suspicious
  • AdjustTokenPrivileges
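
The value of the list above is in the combinations, not the individual calls: NtOpenProcessToken, NtQueryInformationToken and AdjustTokenPrivileges together are the sequence for enabling a privilege on the caller's own token; NtWriteVirtualMemory with NtProtectVirtualMemory is the primitive for writing and then making executable memory in a process; NtCreateFile with NtWriteFile matches the two log files listed under Files Modified. The script below is an added example (not the report tool's logic) that turns the raw API list into those capability hints. The grouping is a heuristic I am assuming for this example, not a taxonomy from the page, and the hints are triage input rather than proof: NtWriteVirtualMemory on the calling process itself is ordinary runtime behaviour, which a static list cannot distinguish from injection.

```python
# Capability groups used by this example. Each maps a label to the API names that,
# taken together, indicate the capability. These sets are an assumption for the
# example, not the report's own classification.
CAPABILITIES = {
    "privilege enabling on own token": {
        "NtOpenProcessToken", "NtQueryInformationToken", "AdjustTokenPrivileges"},
    "write + protect memory (injection primitive)": {
        "NtWriteVirtualMemory", "NtProtectVirtualMemory"},
    "file output": {"NtCreateFile", "NtWriteFile"},
    "keyboard layout query": {"NtUserGetKeyboardLayout"},
}

# The API list as printed in the report, module!function form.
REPORTED_APIS = """
ntdll.dll!NtClose ntdll.dll!NtCreateFile ntdll.dll!NtDeviceIoControlFile
ntdll.dll!NtFreeVirtualMemory ntdll.dll!NtOpenProcessToken ntdll.dll!NtProtectVirtualMemory
ntdll.dll!NtQueryInformationFile ntdll.dll!NtQueryInformationThread
ntdll.dll!NtQueryInformationToken ntdll.dll!NtQueryVirtualMemory
ntdll.dll!NtQueryVolumeInformationFile ntdll.dll!NtSetEvent ntdll.dll!NtSetInformationFile
ntdll.dll!NtTestAlert ntdll.dll!NtWriteFile ntdll.dll!NtWriteVirtualMemory
win32u.dll!NtUserGetKeyboardLayout win32u.dll!NtUserGetThreadState
AdjustTokenPrivileges
""".split()


def bare_names(entries) -> set:
    """Strip the 'module!' prefix so kernel32 and ntdll spellings compare equally."""
    return {entry.rsplit("!", 1)[-1] for entry in entries}


def infer_capabilities(entries, min_fraction: float = 1.0) -> dict:
    """Return {label: sorted present APIs} for every group whose coverage reaches min_fraction.

    min_fraction=1.0 demands the whole group; lower it to surface partial evidence
    (e.g. 0.5 flags the injection primitive when only one of its two calls is seen).
    """
    names = bare_names(entries)
    found = {}
    for label, required in CAPABILITIES.items():
        present = required & names
        if present and len(present) / len(required) >= min_fraction:
            found[label] = sorted(present)
    return found


if __name__ == "__main__":
    for label, apis in infer_capabilities(REPORTED_APIS).items():
        print(f"{label}: {', '.join(apis)}")
```

With the report's list every group is complete at the default threshold, which is why the file-write entries and the token calls deserve a look together: a sample that enables a privilege and then writes files into the user's Downloads directory is behaving consistently with the PSW (password-stealer) label in the family name, though the report itself does not show which privilege is requested.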
