Backdoor.PSW.Agent.LDA
Analysis Report
General information
| Family Name: | Backdoor.PSW.Agent.LDA |
|---|---|
| Signature status: | No Signature |
Known Samples
This section lists other file samples believed to be associated with this family.

| MD5 | SHA1 | SHA256 | File Size |
|---|---|---|---|
| 356172146fc8c6d37f067175dcc9d9db | 2a5f30673f3099ab9d712897c056786492474551 | 072EE0C0C6B1D34D420EDE748A2A81DE1B48B59ED956E415A7DBC9FE0502A422 | 1.99 MB (1992192 bytes) |
| 8119ca3a8ecf82784604281144657f9f | 24eee9567c957d3d5fdc7b3a9876f6bf00fbd13a | 51BF06AE54849861CC44A755BF58968BFFB44530843CFF05BD62E551C1C2161C | 1.97 MB (1966592 bytes) |
| e381c33516f64a87ddbf869240eac84b | 724ca892868bc7fa7c36075f29af7e5b8f755c3c | 4DBA30B86F6576CF4D043F460317E3BEA356A1FD68DBB522E492F965ED22116E | 2.06 MB (2059264 bytes) |
| 88ae6faad5002b4a88340b02fbb11c78 | 4ecda3a9f3ee9cab8d06dff80184ebd490c96afe | 5E6DFFEF90710A2FFE0BAF6D2C238F67A550198AED112D73D01ED94E78221E47 | 2.30 MB (2300016 bytes) |
| 3ab72d0f42b6c0a582298d778df41d41 | e4d2597534987416d72023af1d0b4e0aa2386ea9 | BF0C1155122F8C87E747E40FFE999423DFBF191D6E3919E06FCAADCAD472A5B2 | 2.03 MB (2032640 bytes) |
| a7116b05447ce0a9dadaacf3a87c3694 | 12f53424032494a383bd2ba031099bf5dcdb7199 | 99C98AA346D03D789FE8CC3762FC15BA173D6A9B932FA4CF5FAF92B876D7DACA | 1.97 MB (1966080 bytes) |
Windows Portable Executable Attributes
- File doesn't have "Rich" header
- File doesn't have exports table
- File doesn't have security information
- File has exports table
- File has TLS information
- File is 64-bit executable
- File is either console or GUI application
- File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
- File is Native application (NOT .NET application)
- File is not packed
- IMAGE_FILE_DLL is not set inside PE header (Executable)
- IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)
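The attribute list above is header-level triage that can be reproduced locally and per file, which matters here because the list contains both "has exports table" and "doesn't have exports table" and so evidently covers more than one sample. The following is an added example, not EnigmaSoft's tooling, that derives the same flags from the DOS, COFF and optional headers with only the Python standard library; the offsets and directory indices are those of the PE/COFF specification. `build_minimal_pe` constructs a header-only image for testing and is not a sample of this family. "File is not packed" needs section entropy or import analysis and is not covered.

```python
"""Header-level PE attribute checks (added example, not EnigmaSoft tooling)."""
import struct
from typing import Dict, Optional, Tuple

IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_SUBSYSTEM_WINDOWS_GUI = 2
IMAGE_SUBSYSTEM_WINDOWS_CUI = 3
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
# Data directory slots behind the attributes in the report
DIR_EXPORT, DIR_SECURITY, DIR_TLS, DIR_COM_DESCRIPTOR = 0, 4, 9, 14


def pe_attributes(data: bytes) -> Dict[str, bool]:
    """Derive the report's attribute flags from the DOS, COFF and optional headers."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    characteristics = struct.unpack_from("<H", data, coff + 18)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32PLUS_MAGIC:
        dir_off = opt + 112          # PE32+: 112 fixed bytes before the data directories
    elif magic == PE32_MAGIC:
        dir_off = opt + 96           # PE32: 96 fixed bytes
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    ndirs = struct.unpack_from("<I", data, dir_off - 4)[0]  # NumberOfRvaAndSizes

    def has_dir(index: int) -> bool:
        if index >= ndirs:
            return False
        rva, size = struct.unpack_from("<II", data, dir_off + 8 * index)
        return rva != 0 and size != 0

    return {
        # MSVC-linked files carry a "Rich" marker between the DOS stub and "PE\0\0"
        "rich_header": b"Rich" in data[0x40:e_lfanew],
        "exports_table": has_dir(DIR_EXPORT),
        "security_info": has_dir(DIR_SECURITY),   # embedded Authenticode certificate table
        "tls_info": has_dir(DIR_TLS),             # TLS callbacks run before the entry point
        "is_64bit": magic == PE32PLUS_MAGIC,
        "is_gui": subsystem == IMAGE_SUBSYSTEM_WINDOWS_GUI,
        "is_console_or_gui": subsystem in (IMAGE_SUBSYSTEM_WINDOWS_GUI, IMAGE_SUBSYSTEM_WINDOWS_CUI),
        "is_dotnet": has_dir(DIR_COM_DESCRIPTOR),  # CLR header present means a managed image
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        "is_executable_image": bool(characteristics & IMAGE_FILE_EXECUTABLE_IMAGE),
    }


def build_minimal_pe(is_64: bool = True, dll: bool = False,
                     subsystem: int = IMAGE_SUBSYSTEM_WINDOWS_GUI,
                     dirs: Optional[Dict[int, Tuple[int, int]]] = None) -> bytes:
    """Construct a header-only PE image for testing (constructed data, not a real sample)."""
    dirs = dirs or {}
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    fixed = 112 if is_64 else 96
    opt = bytearray(fixed + 16 * 8)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if is_64 else PE32_MAGIC)
    struct.pack_into("<H", opt, 68, subsystem)
    struct.pack_into("<I", opt, fixed - 4, 16)        # NumberOfRvaAndSizes
    for index, (rva, size) in dirs.items():
        struct.pack_into("<II", opt, fixed + 8 * index, rva, size)
    characteristics = IMAGE_FILE_EXECUTABLE_IMAGE | (IMAGE_FILE_DLL if dll else 0)
    coff = struct.pack("<HHIIIHH",
                       IMAGE_FILE_MACHINE_AMD64 if is_64 else IMAGE_FILE_MACHINE_I386,
                       0, 0, 0, 0, len(opt), characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, pe_attributes(fh.read()))
```

`security_info` only says whether a certificate table is embedded; it does not validate the chain, which is the separate check described under Digital Signatures below. `tls_info` is worth noting on its own: a populated TLS directory can carry callbacks that execute before the entry point, a common place to hide anti-debugging or unpacking code.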
Digital Signatures
This section lists digital signatures that are attached to samples within this family. When analyzing and verifying digital signatures, confirm that the signature's root authority is a well-known and trustworthy entity and that the signature's status is good. Malware is often signed with untrustworthy "self-signed" certificates, which a malware author can create with no verification. Malware may also be signed with legitimate certificates whose status is invalid, or with certificates from questionable root authorities using fake or misleading signer names.

| Signer | Root | Status |
|---|---|---|
| Areeb Ahmed Code Signing LLC | Areeb Ahmed Code Signing LLC | Self Signed |

Here the signer and the root are the same entity, which is what a self-signed certificate looks like: the chain does not terminate at an independent, trusted root, so the signature proves nothing about who produced the file.
File Traits
- dll
- Pastebin
- x64
Block Information
During analysis, EnigmaSoft breaks file samples into logical blocks for classification and comparison with other samples. Blocks can be used to generate malware detection rules and to group file samples into families based on shared source code, functionality and other distinguishing attributes and characteristics. This section lists a summary of this block data, as well as its classification by EnigmaSoft. A visual representation of the block data is also displayed, where available.

| Total Blocks: | 6,466 |
|---|---|
| Potentially Malicious Blocks: | 426 |
| Whitelisted Blocks: | 5,468 |
| Unknown Blocks: | 572 |
Visual Map
(Block grid from the original page, one cell per block, not reproduced here; the data was truncated.)
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block
Files Modified
This section lists files that were created, modified, moved and/or deleted by samples in this family. File system activity can provide valuable insight into how malware functions on the operating system.

| File | Attributes |
|---|---|
| \device\namedpipe\yubx_4884 | Generic Read, Write Data, Write Attributes, Write Extended, Append Data |
| \device\namedpipe\yubx_5012 | Generic Read, Write Data, Write Attributes, Write Extended, Append Data |
| \device\namedpipe\yubx_5516 | Generic Read, Write Data, Write Attributes, Write Extended, Append Data |
| \device\namedpipe\yubx_7584 | Generic Read, Write Data, Write Attributes, Write Extended, Append Data |

All four entries are named pipes rather than files on disk (\device\namedpipe\ is the NT object path of the named-pipe file system). They share the stem yubx_ with a numeric suffix that differs between runs, so the same stem with any other number should be treated as the same indicator.
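Because the suffix varies, a detection keyed on the full pipe name would miss the next run. The following is an added example, not part of the report, that normalises the three spellings of a pipe path (the NT object path used above, the Win32 \\.\pipe\ form and the bare \name form Sysmon writes in its PipeName field) and flags Sysmon pipe-created (17) and pipe-connected (18) events whose name matches yubx_ followed by digits. The event records and image paths are constructed for the example.

```python
"""Flag named-pipe activity matching the yubx_<n> pattern from the report (added example)."""
import re
from typing import Dict, Iterable, List

# The report lists \device\namedpipe\yubx_4884, _5012, _5516 and _7584: a fixed
# stem with a numeric suffix that differs between runs. Only the stem is keyed on.
YUBX_PIPE = re.compile(r"^yubx_\d+$")

# Sysmon event IDs for named-pipe activity
PIPE_CREATED, PIPE_CONNECTED = 17, 18


def normalise_pipe(name: str) -> str:
    """Reduce the common spellings of a pipe path to the bare, lower-cased pipe name.

    \\device\\namedpipe\\foo (NT object path, as in the report), \\\\.\\pipe\\foo
    (Win32 path) and \\foo (Sysmon PipeName field) all become "foo".
    """
    n = name.strip().lower().replace("/", "\\")
    for prefix in ("\\device\\namedpipe\\", "\\\\.\\pipe\\", "\\"):
        if n.startswith(prefix):
            return n[len(prefix):]
    return n


def flag_pipe_events(events: Iterable[Dict]) -> List[Dict]:
    """Return pipe-created/connected events whose pipe name matches yubx_<n>.

    Each event is a dict carrying the Sysmon fields used here: EventID,
    PipeName, Image and ProcessId. Other event types are ignored.
    """
    hits = []
    for ev in events:
        if ev.get("EventID") not in (PIPE_CREATED, PIPE_CONNECTED):
            continue
        pipe = normalise_pipe(ev.get("PipeName", ""))
        if YUBX_PIPE.match(pipe):
            hits.append({**ev, "NormalisedPipe": pipe,
                         "Reason": "pipe name matches Backdoor.PSW.Agent.LDA pattern yubx_<n>"})
    return hits


# Constructed sample telemetry (not real logs); image paths are illustrative only.
SAMPLE_EVENTS = [
    {"EventID": 17, "PipeName": "\\yubx_4884",
     "Image": "C:\\Users\\u\\AppData\\Local\\Temp\\svc.exe", "ProcessId": 4884},
    {"EventID": 18, "PipeName": "\\\\.\\pipe\\YUBX_5012",
     "Image": "C:\\Users\\u\\AppData\\Local\\Temp\\svc.exe", "ProcessId": 5012},
    {"EventID": 17, "PipeName": "\\mojo.7244.1.2",
     "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "ProcessId": 7244},
    {"EventID": 1, "PipeName": "\\yubx_9999",
     "Image": "C:\\Windows\\System32\\cmd.exe", "ProcessId": 9999},
    {"EventID": 17, "PipeName": "\\device\\namedpipe\\yubx_7584",
     "Image": "C:\\Users\\u\\AppData\\Local\\Temp\\svc.exe", "ProcessId": 7584},
]

if __name__ == "__main__":
    for hit in flag_pipe_events(SAMPLE_EVENTS):
        print(hit["EventID"], hit["NormalisedPipe"], hit["Image"])
```

The pattern is deliberately anchored at both ends so that a benign pipe that merely contains the stem (or a longer name with a similar prefix) is not flagged; if a hunt needs to be broader, loosen the regular expression rather than dropping the normalisation, since the same pipe appears in logs in all three spellings.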
Windows API Usage
This section lists Windows API calls that are used by the samples in this family. Windows API usage analysis can help identify malicious activity, such as keylogging, privilege escalation, data encryption, data exfiltration, interference with antivirus software, and network request manipulation.

| Category | API |
|---|---|
| Syscall Use | |
| Encryption Used | |

14 additional items are not displayed above.