PUP.Adaptive.A
Analysis Report
General information
| Family Name: | PUP.Adaptive.A |
|---|---|
| Signature status: | Self Signed |
Known Samples
This section lists other file samples believed to be associated with this family.
Windows Portable Executable Attributes
- File doesn't have "Rich" header
- File doesn't have debug information
- File doesn't have exports table
- File is 32-bit executable
- File is either console or GUI application
- File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
- File is Native application (NOT .NET application)
- File is not packed
- IMAGE_FILE_DLL is not set inside PE header (Executable)
- IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)
File Icons
This section displays icon resources found within family samples. Malware often replicates icons commonly associated with legitimate software to mislead users into believing the malware is safe.
Windows PE Version Information
This section displays values and attributes that have been set in the Windows file version information data structure for samples within this family. To mislead users, malware actors often add fake version information mimicking legitimate software.

| Name | Value |
|---|---|
| File Description | UR Browser Setup |
| File Version | |
| Internal Name | UR Browser Setup |
| Product Name | UR Browser Setup |
| Product Version | |
Digital Signatures
This section lists digital signatures that are attached to samples within this family. When analyzing and verifying digital signatures, it is important to confirm that the signature's root authority is a well-known and trustworthy entity and that the status of the signature is good. Malware is often signed with non-trustworthy "Self Signed" digital signatures (which can be easily created by a malware author with no verification). Malware may also be signed by legitimate signatures that have an invalid status, and by signatures from questionable root authorities with fake or misleading "Signer" names.

| Signer | Root | Status |
|---|---|---|
| AdaptiveBee | COMODO RSA Certification Authority | Root Not Trusted |
| AdaptiveBee SASU | Symantec Class 3 SHA256 Code Signing CA | Self Signed |
File Traits
- dll
- HighEntropy
- imgui
- x86
Files Modified
This section lists files that were created, modified, moved and/or deleted by samples in this family. File system activity can provide valuable insight into how malware functions on the operating system.

| File | Attributes |
|---|---|
| c:\users\user\appdata\local\temp\nsaa267.tmp\system.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsaa267.tmp\uractions.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsaa3ec.tmp | Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete |
| c:\users\user\appdata\local\temp\nsaa3fd.tmp\system.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsaa3fd.tmp\uractions.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsb5988.tmp | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\nsb5988.tmp\system.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsb5988.tmp\system.dll | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\nsb5988.tmp\uractions.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsb5988.tmp\uractions.dll | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\nsca881.tmp\system.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsca881.tmp\uractions.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nseb898.tmp | Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete |
| c:\users\user\appdata\local\temp\nsf391e.tmp\system.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsf391e.tmp\uractions.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsi5305.tmp\system.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsi5305.tmp\uractions.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsi5d81.tmp\system.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsi5d81.tmp\uractions.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsia8a0.tmp | Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete |
| c:\users\user\appdata\local\temp\nsj5eff.tmp | Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete |
| c:\users\user\appdata\local\temp\nska256.tmp | Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete |
| c:\users\user\appdata\local\temp\nsm112f.tmp | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\nsm112f.tmp\system.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsm112f.tmp\system.dll | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\nsm112f.tmp\uractions.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsm112f.tmp\uractions.dll | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\nsp762c.tmp\system.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsp762c.tmp\uractions.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsq390e.tmp | Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete |
| c:\users\user\appdata\local\temp\nss52f4.tmp | Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete |
| c:\users\user\appdata\local\temp\nss5d70.tmp | Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete |
| c:\users\user\appdata\local\temp\nstb8a8.tmp\system.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nstb8a8.tmp\uractions.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsv5967.tmp | Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete |
| c:\users\user\appdata\local\temp\nsw111e.tmp | Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete |
| c:\users\user\appdata\local\temp\nsxa871.tmp | Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete |
| c:\users\user\appdata\local\temp\nsxa8b0.tmp\system.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsxa8b0.tmp\uractions.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsxb31.tmp | Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete |
| c:\users\user\appdata\local\temp\nsxb32.tmp\system.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsxb32.tmp\uractions.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsy5f0f.tmp\system.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsy5f0f.tmp\uractions.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsz761b.tmp | Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete |
Registry Modifications
This section lists registry keys and values that were created, modified and/or deleted by samples in this family. Windows Registry activity can provide valuable insight into malware functionality. Additionally, malware often creates registry values to allow itself to automatically start and indefinitely persist after an initial infection has compromised the system.

| Key::Value | Data | API Name |
|---|---|---|
| HKCU\software\abee::tempappinstanceuid | 0aad2e00-365d-451d-a045-ceecb6ee7f05 | RegNtPreCreateKey |
| HKLM\system\controlset001\control\session manager::pendingfilerenameoperations | \??\C:\Users\Rlcxmhtr\AppData\Local\Temp\nsm112F.tmp\ | RegNtPreCreateKey |
| HKCU\software\abee::tempappinstanceuid | 34ecb8eb-3557-4a03-ac39-0520b3d37307 | RegNtPreCreateKey |
| HKLM\system\controlset001\control\session manager::pendingfilerenameoperations | \??\C:\Users\Ytbsvfpu\AppData\Local\Temp\nsb5988.tmp\ | RegNtPreCreateKey |
| HKCU\software\abee::tempappinstanceuid | 694160f9-84a8-4a74-9c2c-b6662d853427 | RegNtPreCreateKey |
| HKCU\software\abee::tempappinstanceuid | b8c3ecc5-4c5f-411b-8fcf-17ef636a6725 | RegNtPreCreateKey |
| HKCU\software\abee::tempappinstanceuid | c3c3e188-6fe3-4575-a0d1-6be6c56012b9 | RegNtPreCreateKey |
| HKCU\software\abee::tempappinstanceuid | 3dac3c3b-79cd-4025-942a-fbf2a0989044 | RegNtPreCreateKey |
| HKCU\software\abee::tempappinstanceuid | ac30bb71-3ddd-44ca-a9ee-c1edb6329db6 | RegNtPreCreateKey |
| HKCU\software\abee::tempappinstanceuid | 9cd28543-ad99-428f-bac1-b30a7c733fee | RegNtPreCreateKey |
| HKCU\software\abee::tempappinstanceuid | 462fb3e3-60c2-4dde-adde-3e2d6b60670f | RegNtPreCreateKey |
| HKCU\software\abee::tempappinstanceuid | 363b0d16-4224-4ccd-9dab-7dd8a4db1c20 | RegNtPreCreateKey |
| HKCU\software\abee::tempappinstanceuid | d1b5f1f2-c6e8-4051-81fd-d2a885c81dbc | RegNtPreCreateKey |
| HKCU\software\abee::tempappinstanceuid | bf6a453e-7447-43a5-9cc0-a8ef6274c9de | RegNtPreCreateKey |
| HKCU\software\abee::tempappinstanceuid | ffc165bc-83f4-43ff-9e76-9183f6e7e00b | RegNtPreCreateKey |
Windows API Usage
This section lists Windows API calls that are used by the samples in this family. Windows API usage analysis is a valuable tool that can help identify malicious activity, such as keylogging, security privilege escalation, data encryption, data exfiltration, interference with antivirus software, and network request manipulation.

| Category | API |
|---|---|
| Encryption Used | |
| Network Winhttp | |