Hacktool.TelegramHack.EC
Threat Scorecard
EnigmaSoft Threat Scorecard
EnigmaSoft Threat Scorecards are assessment reports for different malware threats which have been collected and analyzed by our research team. EnigmaSoft Threat Scorecards evaluate and rank threats using several metrics including real-world and potential risk factors, trends, frequency, prevalence, and persistence. EnigmaSoft Threat Scorecards are updated regularly based on our research data and metrics and are useful for a wide range of computer users, from end users seeking solutions to remove malware from their systems to security experts analyzing threats.
EnigmaSoft Threat Scorecards display a variety of useful information, including:
Popularity Rank: The ranking of a particular threat in EnigmaSoft’s Threat Database.
Severity Level: The determined severity level of an object, represented numerically, based on our risk modeling process and research, as explained in our Threat Assessment Criteria.
Infected Computers: The number of confirmed and suspected cases of a particular threat detected on infected computers as reported by SpyHunter.
See also Threat Assessment Criteria.
| Popularity Rank: | 14,608 |
| Threat Level: | 50 % (Medium) |
| Infected Computers: | 65 |
| First Seen: | August 28, 2024 |
| Last Seen: | March 31, 2026 |
| OS(es) Affected: | Windows |
Table of Contents
Analysis Report
General information
| Family Name: | Hacktool.TelegramHack.EC |
|---|---|
| Signature status: | No Signature |
Known Samples
Known Samples
This section lists other file samples believed to be associated with this family.|
MD5:
1abb7ef9ab461c3996c26ab4689f79fb
SHA1:
52dc52cf0994002e9eff339a0a2932e2d0994130
SHA256:
B87A4B828CB5C4EF73C7BD478822705D3AF8FB582E7E6BAF903BB3CD8EB6AF56
File Size:
1.26 MB, 1257984 bytes
|
|
MD5:
81f3fbf35b0e53a63201bf09fde26ed8
SHA1:
47c95b7a46cb35fafa577b33091bb24044491296
SHA256:
A12EAC8CDAE93D4B7734275403BB96D8F733C3BE9489F4054447696129747C52
File Size:
1.23 MB, 1232896 bytes
|
|
MD5:
62abd1204f524ce716f7776e75e1eb70
SHA1:
a615493f6ffcc9700c7649c63445cf353e08a502
SHA256:
C372D8815B9212465919E04E17439F0AFD35DD3B31AEF42F428126DDF558C963
File Size:
4.02 MB, 4020736 bytes
|
|
MD5:
d9ff8be4aa3d28ffd28ec4e6c8500264
SHA1:
bc788837aca9cbb7fec4a9e07beaca19dc80cebf
SHA256:
7B2524648505FA51A26FEE3511177474F69AB20A77042C1694811ED87D772102
File Size:
560.13 KB, 560128 bytes
|
|
MD5:
3ecaa6ae1ae1c5012924f3f28894d889
SHA1:
1d6c6d66b71e93a630795dd8760c47205bd57467
SHA256:
F1217B184F2495251296722B99C21AD92D62789A388230F75CF868D600CCB178
File Size:
470.02 KB, 470016 bytes
|
Show More
|
MD5:
e503146b1f9613ecdb00194b6ca22dc1
SHA1:
f3a2baababf03b371f863dfda759141495659a02
SHA256:
EEF3EED66AC75F89936AA12A133C992D7E245527876AEEE5EF39F2B3F834ED10
File Size:
2.28 MB, 2280960 bytes
|
|
MD5:
5f8ba87a175a1bb3f1d969331c555900
SHA1:
c82c8b4488b38c52529876c355e6bfe2ed105ecd
SHA256:
26DEC246D2CCCFF13CBCAFBCF16B6534C8F7C1B87DCE194CE8C140584567455E
File Size:
491.52 KB, 491520 bytes
|
|
MD5:
8a169b5d12322647923124061bb05bec
SHA1:
2d47260db882aaff1f65b6a5dbbeeeb66ebc6e68
SHA256:
E7C9207D936D866ABAA15BC6E5EB4FE501616E8B6BA5A26E8F1E86036AB6784D
File Size:
2.42 MB, 2416640 bytes
|
|
MD5:
1d70d62a927f36b5501b2914750941fa
SHA1:
aa04985144411b35cf730092b089eaa7c6027614
SHA256:
4E1D6EF0E8D9573FC806CBE2F50A286771173DBD7835770C8C63BC035E2EBAF5
File Size:
589.31 KB, 589312 bytes
|
Windows Portable Executable Attributes
- File doesn't have "Rich" header
- File doesn't have exports table
- File doesn't have security information
- File has TLS information
- File is 64-bit executable
- File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
- File is either console or GUI application
- File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
- File is Native application (NOT .NET application)
- File is not packed
Show More
- IMAGE_FILE_DLL is not set inside PE header (Executable)
- IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)
Windows PE Version Information
Windows PE Version Information
This section displays values and attributes that have been set in the Windows file version information data structure for samples within this family. To mislead users, malware actors often add fake version information mimicking legitimate software.| Name | Value |
|---|---|
| Company Name | Igor Pavlov |
| File Description | LZMA library |
| File Version | 19.00 |
| Internal Name | LZMA |
| Legal Copyright | Igor Pavlov : Public domain |
| Original Filename | LZMA.dll |
| Product Name | 7-Zip |
| Product Version | 19.00 |
File Traits
- fptable
- GetConsoleWindow
- HighEntropy
- imgui
- No Version Info
- VirtualQueryEx
- WriteProcessMemory
- x64
Block Information
Block Information
During analysis, EnigmaSoft breaks file samples into logical blocks for classification and comparison with other samples. Blocks can be used to generate malware detection rules and to group file samples into families based on shared source code, functionality and other distinguishing attributes and characteristics. This section lists a summary of this block data, as well as its classification by EnigmaSoft. A visual representation of the block data is also displayed, where available.| Total Blocks: | 2,219 |
|---|---|
| Potentially Malicious Blocks: | 165 |
| Whitelisted Blocks: | 1,972 |
| Unknown Blocks: | 82 |
Visual Map
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
?
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
x
0
0
0
0
0
0
x
0
x
0
0
0
x
0
x
0
0
x
0
x
0
0
0
0
0
0
x
x
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
x
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
1
0
0
0
0
0
0
0
0
0
x
0
0
0
0
0
0
0
x
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
x
0
0
0
0
0
0
?
0
?
0
0
0
0
?
0
0
0
0
0
0
0
0
x
0
0
0
1
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
x
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
x
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
x
0
0
0
0
0
0
0
0
0
0
0
?
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
1
0
0
0
0
0
0
0
0
0
0
0
x
0
0
0
0
0
0
0
0
0
0
0
0
0
0
x
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
x
0
0
0
0
0
0
?
0
?
0
0
0
0
0
0
0
0
0
0
0
1
0
0
0
0
x
x
0
0
0
0
0
?
?
x
0
0
0
0
0
x
0
0
0
0
0
0
0
0
0
0
0
0
0
0
x
x
x
x
x
1
0
0
0
1
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
1
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
x
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
1
0
0
0
0
0
0
1
0
0
0
1
0
0
0
1
x
0
0
0
0
1
0
0
1
0
0
1
0
0
1
0
0
1
0
0
0
1
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
x
0
0
x
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
x
0
0
0
0
0
x
0
0
0
x
0
0
0
0
0
0
0
0
0
1
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
?
0
0
0
0
0
0
0
0
0
0
?
x
0
x
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
1
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
1
0
0
?
x
0
0
0
0
0
0
0
?
0
0
x
x
0
0
?
x
x
x
0
0
x
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
x
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
1
0
0
0
0
0
1
0
0
0
0
0
0
0
0
0
0
0
0
0
x
0
0
0
0
0
0
0
0
0
?
0
0
0
0
1
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
x
0
0
0
0
0
0
0
0
x
0
0
0
0
0
0
0
0
0
0
0
0
0
x
x
x
0
0
0
x
x
0
x
0
x
x
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
x
0
0
0
0
0
0
0
0
0
x
0
x
x
0
x
0
0
0
0
0
0
0
0
x
0
0
0
x
x
0
0
0
0
0
0
0
0
0
0
0
0
0
0
x
x
0
0
0
0
x
0
0
0
0
0
0
0
x
0
0
0
0
0
0
0
0
0
0
0
0
1
0
0
x
0
0
0
0
0
0
0
0
0
0
x
?
0
0
0
?
0
x
x
?
x
0
x
x
?
0
x
?
0
?
0
0
0
0
0
0
x
x
x
0
0
0
0
0
x
0
0
x
x
0
x
x
0
0
0
0
0
0
0
0
0
0
0
0
0
x
x
0
0
x
0
x
0
0
0
0
0
0
0
0
0
0
0
0
0
x
0
0
0
0
0
0
0
0
0
1
0
0
0
0
0
0
0
0
0
0
0
1
0
0
0
0
0
0
x
0
0
0
0
0
1
0
0
x
0
0
x
0
0
0
0
x
0
0
0
0
0
0
0
0
0
0
0
x
0
0
0
x
0
0
0
0
0
x
0
0
0
x
0
0
0
0
0
x
x
0
0
x
0
0
0
0
0
x
0
0
0
0
0
x
0
0
0
0
0
x
x
x
0
0
0
0
x
x
x
0
0
0
x
x
x
x
x
0
0
0
x
x
x
x
x
x
0
0
0
x
x
x
x
x
x
0
0
0
x
x
0
0
x
x
x
0
0
0
0
x
x
0
x
0
0
0
x
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
1
0
0
1
0
0
0
0
0
0
0
0
0
0
0
0
x
x
0
?
x
x
0
x
x
x
0
0
x
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
1
0
0
0
0
0
?
0
0
?
?
0
?
?
0
0
?
?
0
?
0
?
?
?
?
?
?
0
0
0
?
?
0
?
?
0
?
?
?
x
?
?
0
x
0
x
?
?
?
?
?
?
?
0
?
?
?
?
?
?
0
0
?
?
?
1
?
0
?
0
?
x
0
0
?
?
?
?
?
?
?
?
x
x
x
x
x
0
0
0
0
0
0
0
x
0
0
0
x
0
0
0
0
?
0
0
0
0
x
0
0
x
0
0
0
0
0
0
0
0
0
0
x
0
0
0
0
0
0
0
0
0
0
?
0
0
0
0
?
0
x
x
0
0
0
0
0
?
0
0
0
x
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
1
0
0
0
0
0
0
0
0
0
0
0
x
0
0
0
0
x
0
0
0
0
0
0
0
0
0
0
x
0
0
0
0
?
0
0
0
0
?
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
1
1
0
0
0
0
?
0
0
?
0
0
0
0
0
0
x
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
?
0
0
0
0
0
0
0
0
x
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
?
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
1
0
0
0
0
0
0
0
0
0
0
1
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
2
0
0
0
0
0
0
0
0
0
0
0
0
0
0
1
...
Data truncated
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block
? - Unknown Block
x - Potentially Malicious Block
Similar Families
Similar Families
This section lists other families that share similarities with this family, based on EnigmaSoft’s analysis. Many malware families are created from the same malware toolkits and use the same packing and encryption techniques but uniquely extend functionality. Similar families may also share source code, attributes, icons, subcomponents, compromised and/or invalid digital signatures, and network characteristics. Researchers leverage these similarities to rapidly and effectively triage file samples and extend malware detection rules.- Gamehack.EAC
- Gamehack.PS
- Trojan.Kryptik.Gen.BKO
Files Modified
Files Modified
This section lists files that were created, modified, moved and/or deleted by samples in this family. File system activity can provide valuable insight into how malware functions on the operating system.| File | Attributes |
|---|---|
| \device\namedpipe | Generic Read,Write Attributes |
| \device\namedpipe | Generic Write,Read Attributes |
| c:\users\user\appdata\local\isabelle_new\logs\isabelle-client_log_2025-12-21 (03 06).txt | Generic Write,Read Attributes |
Registry Modifications
Registry Modifications
This section lists registry keys and values that were created, modified and/or deleted by samples in this family. Windows Registry activity can provide valuable insight into malware functionality. Additionally, malware often creates registry values to allow itself to automatically start and indefinitely persist after an initial infection has compromised the system.| Key::Value | Data | API Name |
|---|---|---|
| HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe | RegNtPreCreateKey | |
| HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe | RegNtPreCreateKey | |
| HKLM\software\microsoft\cryptography\oid\encodingtype 0\cryptdllfindoidinfo\1.3.6.1.4.1.311.60.3.1!7::name | szOID_ROOT_PROGRAM_AUTO_UPDATE_CA_REVOCATION | RegNtPreCreateKey |
| HKLM\software\microsoft\cryptography\oid\encodingtype 0\cryptdllfindoidinfo\1.3.6.1.4.1.311.60.3.2!7::name | szOID_ROOT_PROGRAM_AUTO_UPDATE_END_REVOCATION | RegNtPreCreateKey |
| HKLM\software\microsoft\cryptography\oid\encodingtype 0\cryptdllfindoidinfo\1.3.6.1.4.1.311.60.3.3!7::name | szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL | RegNtPreCreateKey |
| HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe | RegNtPreCreateKey | |
| HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe | RegNtPreCreateKey | |
| HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe | RegNtPreCreateKey | |
| HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe | RegNtPreCreateKey |
Windows API Usage
Windows API Usage
This section lists Windows API calls that are used by the samples in this family. Windows API usage analysis is a valuable tool that can help identify malicious activity, such as keylogging, security privilege escalation, data encryption, data exfiltration, interference with antivirus software, and network request manipulation.| Category | API |
|---|---|
| Syscall Use |
Show More
16 additional items are not displayed above. |
| Process Manipulation Evasion |
|
| Anti Debug |
|
| User Data Access |
|
| Process Shell Execute |
|
| Process Terminate |
|
| Network Winsock2 |
|
| Network Winsock |
Show More
|
| Network Wininet |
|
| Keyboard Access |
|
Shell Command Execution
Shell Command Execution
This section lists Windows shell commands that are run by the samples in this family. Windows Shell commands are often leveraged by malware for nefarious purposes and can be used to elevate security privileges, download and launch other malware, exploit vulnerabilities, collect and exfiltrate data, and hide malicious activity.
C:\WINDOWS\system32\certutil.exe certutil -hashfile "c:\users\user\downloads\a615493f6ffcc9700c7649c63445cf353e08a502_0004020736" MD5
|
C:\WINDOWS\system32\find.exe find /i /v "md5"
|
C:\WINDOWS\system32\find.exe find /i /v "certutil"
|
C:\WINDOWS\system32\cmd.exe cmd /C "color b && title Error && echo CURL Error: SSL connect error && timeout /t 5"
|
WriteConsole: CURL Error: SSL
|
Show More
C:\WINDOWS\system32\timeout.exe timeout /t 5
|
WriteConsole:
Waiting for 5
|
WriteConsole: seconds, press
|
