Trojan.Confuser

O Trojan.Confuser é um software ameaçador, capaz de se injetar em um sistema. Os usuários de computador que encontram o Trojan.Confuser nas suas máquinas podem receber avisos falsos alegando que as suas máquinas foram infectadas por um vírus. O Trojan.Confuser pode alterar as políticas de permissão e também pode modificar o Registro do Windows. Em muitos casos, o Trojan Confuser acaba sendo instalado porque o usuário não percebe que ele tem uma intenção prejudicial. A distribuição dessa ameaça provavelmente está relacionada a falsas atualizações do Windows, bem como à instalação de programas de terceiros feitos para visualizar uma página da Web e vídeos, o download de aplicativos de terceiros, o clique em banners e anúncios, bem como o download de anexos ou arquivos através da mídia social.

O Trojan.Confuser também pode exibir mensagens de aviso descrevendo arquivos de sistema do Windows corrompidos. A remoção desses arquivos pode comprometer os sistemas afetados ou até mesmo travá-los. Os usuários de computador devem ter em mente que esses resultados de digitalização e os problemas descritos nas mensagens pop-up são falsos. O Trojan.Confuser também pode desabilitar software instalado no seu PC, tal como um aplicativo anti-vírus ou até mesmo o firewall do Windows. As configurações do navegador também podem ser afetadas para que ele possa ocultar a sua presença em um sistema. O Trojan.Confuser pode mostrar alertas de segurança semelhantes aos listados abaixo:

"Aviso: seu computador está infectado
Infecção por spyware detectada!
Clique nesta mensagem para instalar a última atualização do software de segurança…"

Índice

Toggle

SpyHunter detecta e remove Trojan.Confuser

Relatório de análise

Informação geral

Family Name:	Trojan.Confuser
Signature status:	No Signature

Known Samples

i

Known Samples

This section lists other file samples believed to be associated with this family.

MD5: 9ebbe4f78a508707c98b11cb27ce3076 SHA1: c03873c249c2f0bf7fc945ad1e155ee7f2023378 Tamanho do Arquivo: 59.90 KB, 59904 bytes

MD5: 1622cf46a2d785684706a888f554cba4 SHA1: dc2268ff0e1884d53ea87bab46ea6b66c4e78350 SHA256: 1ED4A80F08E932ED21B1F3DE372286DDB93D76A7D4CF943A4C326EC80B56EA61 Tamanho do Arquivo: 2.21 MB, 2212864 bytes

MD5: 5dfae2b96d8bc6790c29ec2ac85afe99 SHA1: db05a87beb16572c793142c9bc5e42e8cc37b063 SHA256: DFCFDB44CD6A19CA1A215DEDD9B90962141D31369867983345E6550D2D750996 Tamanho do Arquivo: 6.89 MB, 6886400 bytes

MD5: ccc24fa5f1bbb814e0c2544a73f806c7 SHA1: 105f091d0b90576748f58e92e11692f197d79bc1 SHA256: 999B6EFD21046A473816F0059FD07ED6D902C85D4AEBD978E81F629E4DEAE259 Tamanho do Arquivo: 5.30 MB, 5298688 bytes

MD5: 109d2c10f99e618a8b368f7b68e0d747 SHA1: baccf9b1a60f48d08df01249a2d5b8db3f83345d SHA256: 7DBAAE7A1111F93CC22784ECAF5E7D187EC1B8AB6B5525BBFA0D6B3460A37582 Tamanho do Arquivo: 165.89 KB, 165888 bytes

Show More

MD5: dda653586f0f81afffba9daabe344b92 SHA1: 5d0b808bc05e3940341a5cefab00b0c6229ac483 SHA256: D6D095EA74CD76D710EAC508CA73858FB1994624E78EC7B182C40B5592B490FB Tamanho do Arquivo: 43.52 KB, 43520 bytes

MD5: 4e2d25aa502ee615e964aae0b9414d8e SHA1: e20c5c76eb738eab2c5d89c0bd1c597abb3ee961 SHA256: C0DD63A6A61C2A02365485B7E1065EDF477B0132AED0709D2BBC37BEA7B5D62E Tamanho do Arquivo: 571.39 KB, 571392 bytes

MD5: 24fad267137f2f094a4d62b367669b76 SHA1: 1b225ef76228362ef249638ef95e583fcad9457d SHA256: B5A720F4C814BE9B2C00D534913A850C3C14D07372E397B1FF849EF7BA55279E Tamanho do Arquivo: 58.88 KB, 58880 bytes

MD5: 974d622c5e3f25b491ea3dabbf6b7909 SHA1: bd6e5ffe363eab56ad959669b995ffa22544aca6 SHA256: 83DAC4C9836BD72D587849A8C1C5F99124094645618C98659AE061A41D6060F5 Tamanho do Arquivo: 956.93 KB, 956928 bytes

Windows Portable Executable Attributes

i

Windows Portable Executable Attributes

This section lists file attributes found within family samples. These attributes are extracted from the files’ Windows PE (Portable Executable) specification and various system flags. Portable Executable Attributes give malware researchers insight into a file’s functionality, executable details, platform and runtime environment.

• File doesn't have "Rich" header
• File doesn't have debug information
• File doesn't have exports table
• File doesn't have security information
• File is .NET application
• File is 32-bit executable
• File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
• File is either console or GUI application
• File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
• File is not packed

Show More

• IMAGE_FILE_DLL is not set inside PE header (Executable)
• IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Icons

i

File Icons

This section displays icon resources found within family samples. Malware often replicates icons commonly associated with legitimate software to mislead users into believing the malware is safe.

Windows PE Version Information

i

Windows PE Version Information

This section displays values and attributes that have been set in the Windows file version information data structure for samples within this family. To mislead users, malware actors often add fake version information mimicking legitimate software.

Nome	Valor
Assembly Version	0.0.1.3 0.0.0.0
Comments	Paches AIM 6.0 to work with Phoenix
Company Name	MAXON Computer GmbH Wildman Productions
File Description	CINEMA 4D ® Phoenix6Patcher Setup
File Version	15, 0, 3, 7 0.0.1.3 0.0.0.0
Internal Name	CINEMA 4D ® crypted.exe Melter.A.exe Phoenix6Patcher.exe RDBM25.exe Setup.exe WerkZeugUebersicht.exe WrapperEnhancer1a.exe
Legal Copyright	Copyright © 1989-2013 Copyright © Wildman Productions 2020
Legal Trademarks	CINEMA 4D ®
Original Filename	CINEMA 4D.exe crypted.exe Melter.A.exe Phoenix6Patcher.exe RDBM25.exe Setup.exe WerkZeugUebersicht.exe WrapperEnhancer1a.exe
Product Name	CINEMA 4D ® Phoenix6Patcher
Product Version	15, 0, 3, 7 0.0.1.3 0.0.0.0

File Traits

• .NET
• 00 section
• 2+ executable sections
• Confuser
• Goliath
• HighEntropy
• Installer Version
• ntdll
• SmartAssembly
• x86

Show More

• Yano
• ZYXDN

Block Information

i

Block Information

During analysis, EnigmaSoft breaks file samples into logical blocks for classification and comparison with other samples. Blocks can be used to generate malware detection rules and to group file samples into families based on shared source code, functionality and other distinguishing attributes and characteristics. This section lists a summary of this block data, as well as its classification by EnigmaSoft. A visual representation of the block data is also displayed, where available.

Total Blocks:	18
Potentially Malicious Blocks:	2
Whitelisted Blocks:	9
Unknown Blocks:	7

Visual Map

? 0 0 0 0 0 0 0 0 0 ? ? ? x x ? ? ?

0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Similar Families

i

Similar Families

This section lists other families that share similarities with this family, based on EnigmaSoft’s analysis. Many malware families are created from the same malware toolkits and use the same packing and encryption techniques but uniquely extend functionality. Similar families may also share source code, attributes, icons, subcomponents, compromised and/or invalid digital signatures, and network characteristics. Researchers leverage these similarities to rapidly and effectively triage file samples and extend malware detection rules.

• HEUR.MSIL.Generic_268209
• MSIL.Downloader.Agent.IUE
• MSIL.Downloader.Agent.LC
• MSIL.Injector.XC
• MSIL.Small.FG

Files Modified

i

Files Modified

This section lists files that were created, modified, moved and/or deleted by samples in this family. File system activity can provide valuable insight into how malware functions on the operating system.

File	Attributes
c:\users\user\appdata\local\hulmoil\polmilh.exe	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\db05a87beb16572c793142c9bc5e42e8cc37b063_0006886400	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\users\user\downloads\tempfile	Generic Write,Read Attributes

Registry Modifications

i

Registry Modifications

This section lists registry keys and values that were created, modified and/or deleted by samples in this family. Windows Registry activity can provide valuable insight into malware functionality. Additionally, malware often creates registry values to allow itself to automatically start and indefinitely persist after an initial infection has compromised the system.

Key::Value	Dados	API Name
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect		RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475		RegNtPreCreateKey
HKLM\system\controlset001\services\eventlog\application\gewatec::eventmessagefile	C:\Windows\Microsoft.NET\Framework\v4.0.30319\EventLogMessages.dll	RegNtPreCreateKey

Windows API Usage

i

Windows API Usage

This section lists Windows API calls that are used by the samples in this family. Windows API usage analysis is a valuable tool that can help identify malicious activity, such as keylogging, security privilege escalation, data encryption, data exfiltration, interference with antivirus software, and network request manipulation.

Category	API
Syscall Use	ntdll.dll!NtAlertThreadByThreadId ntdll.dll!NtAlpcConnectPortEx ntdll.dll!NtAlpcCreateSectionView ntdll.dll!NtAlpcQueryInformation ntdll.dll!NtAlpcSendWaitReceivePort ntdll.dll!NtApphelpCacheControl ntdll.dll!NtAssociateWaitCompletionPacket ntdll.dll!NtCancelTimer2 ntdll.dll!NtCancelWaitCompletionPacket ntdll.dll!NtClearEvent Show More ntdll.dll!NtClose ntdll.dll!NtCompareSigningLevels ntdll.dll!NtCreateEvent ntdll.dll!NtCreateFile ntdll.dll!NtCreateIoCompletion ntdll.dll!NtCreateMutant ntdll.dll!NtCreatePrivateNamespace ntdll.dll!NtCreateSection ntdll.dll!NtCreateSemaphore ntdll.dll!NtCreateThreadEx ntdll.dll!NtCreateTimer2 ntdll.dll!NtCreateWaitCompletionPacket ntdll.dll!NtCreateWorkerFactory ntdll.dll!NtDelayExecution ntdll.dll!NtDeviceIoControlFile ntdll.dll!NtDuplicateObject ntdll.dll!NtEnumerateKey ntdll.dll!NtEnumerateValueKey ntdll.dll!NtFlushProcessWriteBuffers ntdll.dll!NtFreeVirtualMemory ntdll.dll!NtGetCachedSigningLevel ntdll.dll!NtGetContextThread ntdll.dll!NtGetWriteWatch ntdll.dll!NtMapViewOfSection ntdll.dll!NtNotifyChangeKey ntdll.dll!NtOpenDirectoryObject ntdll.dll!NtOpenEvent ntdll.dll!NtOpenFile ntdll.dll!NtOpenKey ntdll.dll!NtOpenKeyEx ntdll.dll!NtOpenProcess ntdll.dll!NtOpenProcessToken ntdll.dll!NtOpenSection ntdll.dll!NtOpenThreadToken ntdll.dll!NtProtectVirtualMemory ntdll.dll!NtQueryAttributesFile ntdll.dll!NtQueryDefaultLocale ntdll.dll!NtQueryDirectoryFileEx ntdll.dll!NtQueryFullAttributesFile ntdll.dll!NtQueryInformationFile ntdll.dll!NtQueryInformationJobObject ntdll.dll!NtQueryInformationProcess ntdll.dll!NtQueryInformationThread ntdll.dll!NtQueryInformationToken ntdll.dll!NtQueryKey ntdll.dll!NtQueryLicenseValue ntdll.dll!NtQueryPerformanceCounter ntdll.dll!NtQueryPortInformationProcess ntdll.dll!NtQuerySecurityAttributesToken ntdll.dll!NtQuerySecurityObject ntdll.dll!NtQuerySystemInformation ntdll.dll!NtQuerySystemInformationEx ntdll.dll!NtQueryValueKey ntdll.dll!NtQueryVirtualMemory ntdll.dll!NtQueryVolumeInformationFile ntdll.dll!NtQueryWnfStateData ntdll.dll!NtReadFile ntdll.dll!NtReadRequestData ntdll.dll!NtReleaseMutant ntdll.dll!NtReleaseWorkerFactoryWorker ntdll.dll!NtResetWriteWatch ntdll.dll!NtResumeThread ntdll.dll!NtSetEvent ntdll.dll!NtSetInformationFile ntdll.dll!NtSetInformationKey ntdll.dll!NtSetInformationObject ntdll.dll!NtSetInformationProcess ntdll.dll!NtSetInformationThread ntdll.dll!NtSetInformationVirtualMemory ntdll.dll!NtSetInformationWorkerFactory ntdll.dll!NtSetTimer2 ntdll.dll!NtSubscribeWnfStateChange ntdll.dll!NtSuspendThread ntdll.dll!NtTestAlert ntdll.dll!NtTraceControl ntdll.dll!NtUnmapViewOfSection ntdll.dll!NtUnmapViewOfSectionEx ntdll.dll!NtUnsubscribeWnfStateChange ntdll.dll!NtWaitForAlertByThreadId ntdll.dll!NtWaitForMultipleObjects ntdll.dll!NtWaitForSingleObject ntdll.dll!NtWaitForWorkViaWorkerFactory ntdll.dll!NtWaitLowEventPair ntdll.dll!NtWorkerFactoryWorkerReady ntdll.dll!NtWriteFile ntdll.dll!NtWriteVirtualMemory ntdll.dll!NtYieldExecution UNKNOWN win32u.dll!NtUserGetKeyboardLayout win32u.dll!NtUserGetThreadState
User Data Access	GetComputerNameEx GetUserDefaultLocaleName GetUserObjectInformation
Encryption Used	BCryptOpenAlgorithmProvider CryptAcquireContext
Process Manipulation Evasion	NtUnmapViewOfSection
Process Shell Execute	CreateProcess ShellExecuteEx
Anti Debug	CheckRemoteDebuggerPresent IsDebuggerPresent NtQuerySystemInformation OutputDebugString
Other Suspicious	AdjustTokenPrivileges

Shell Command Execution

i

Shell Command Execution

This section lists Windows shell commands that are run by the samples in this family. Windows Shell commands are often leveraged by malware for nefarious purposes and can be used to elevate security privileges, download and launch other malware, exploit vulnerabilities, collect and exfiltrate data, and hide malicious activity.

c:\users\user\downloads\tempfile (NULL)

(NULL) C:\Users\Nfifkagk\AppData\Local\hulmoil\polmilh.exe