PUP.Bar.H

Analysis Report

General information

Family Name: PUP.Bar.H
Signature status: Self Signed

Known Samples

MD5: 667c101c0425aa3256d4e4d1d5dcd831
SHA1: 7d4c2ff3e0b8357ffb089dfd09363edd2974fde8
SHA256: 68FF903DD7186E18F460664D156CBDED01B9ECEBB9AA34DDFB2237C1850A19F2
File Size: 686.93 KB, 686928 bytes

Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have exports table
  • File is 32-bit executable
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)
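
The hashes in "Known Samples" and the header attributes listed above can be reproduced without a sandbox. The following is an added example, not part of the report and not code from Babylon Software: it computes the digests, compares them with the report's indicators (SHA256 is the authoritative match; MD5 and SHA1 are collision-prone), and derives the PE attributes straight from the DOS/COFF/optional header layout. `build_sample_pe32` builds a constructed, non-loadable PE32 image so the parser runs offline; `triage_file` is assumed to be pointed at a copy of the sample. The Rich-header test is a heuristic marker search rather than a full Rich header parse, and the "not packed" judgement (an entropy measure) is not reproduced.

```python
import hashlib
import struct

# Indicators copied from the "Known Samples" section above; the SHA256 is
# published upper-case there, so comparisons are case-insensitive.
KNOWN_SAMPLE = {
    "md5": "667c101c0425aa3256d4e4d1d5dcd831",
    "sha1": "7d4c2ff3e0b8357ffb089dfd09363edd2974fde8",
    "sha256": "68ff903dd7186e18f460664d156cbded01b9ecebb9aa34ddfb2237c1850a19f2",
    "size": 686928,
}
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000
SUBSYSTEMS = {2: "IMAGE_SUBSYSTEM_WINDOWS_GUI", 3: "IMAGE_SUBSYSTEM_WINDOWS_CUI"}


def digests(data: bytes) -> dict:
    """md5/sha1/sha256 hex digests and size of an in-memory file image."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "size": len(data),
    }


def match_known(observed: dict, known: dict = KNOWN_SAMPLE) -> dict:
    """Field-by-field comparison; only SHA256 drives the verdict (MD5/SHA1 are
    collision-prone and size is trivially padded, so they are reported, not trusted)."""
    result = {k: observed[k].lower() == known[k].lower() for k in ("md5", "sha1", "sha256")}
    result["size"] = observed["size"] == known["size"]
    result["verdict"] = result["sha256"]
    return result


def pe_attributes(data: bytes) -> dict:
    """Derive the header attributes listed in the report from the PE layout."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsect, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    is_pe32 = struct.unpack_from("<H", data, opt)[0] == 0x10B   # 0x20B would be PE32+
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]       # same offset in PE32 and PE32+
    ndirs = struct.unpack_from("<I", data, opt + (92 if is_pe32 else 108))[0]
    dir_base = opt + (96 if is_pe32 else 112)

    def dir_rva(index: int) -> int:
        if index >= ndirs:
            return 0
        return struct.unpack_from("<I", data, dir_base + 8 * index)[0]

    # Overlay = bytes past the end of the last section's raw data ("big overlay" trait).
    sect_base = opt + opt_size
    raw_end = 0
    for i in range(nsect):
        raw_size, raw_ptr = struct.unpack_from("<II", data, sect_base + 40 * i + 16)
        raw_end = max(raw_end, raw_ptr + raw_size)
    return {
        "rich_header": b"Rich" in data[0x40:e_lfanew],  # heuristic: marker sits between DOS stub and PE header
        "exports": dir_rva(0) != 0,                      # IMAGE_DIRECTORY_ENTRY_EXPORT
        "dotnet": dir_rva(14) != 0,                      # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
        "is_32bit": is_pe32,
        "subsystem": SUBSYSTEMS.get(subsystem, hex(subsystem)),
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "executable_image": bool(chars & IMAGE_FILE_EXECUTABLE_IMAGE),
        "overlay_bytes": max(0, len(data) - raw_end),
    }


def build_sample_pe32(with_rich=False, export_rva=0, overlay=b"") -> bytes:
    """Constructed, non-loadable PE32 GUI image used only to exercise the parser."""
    e_lfanew = 0x80
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)            # 0x40 bytes
    stub = (b"DanS" + b"\0" * 12 + b"Rich" + b"\0" * 4) if with_rich else b""
    stub += b"\0" * (e_lfanew - len(dos) - len(stub))
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, IMAGE_FILE_EXECUTABLE_IMAGE | 0x0100)
    opt = bytearray(224)                                                  # PE32: 96 + 16 * 8
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<H", opt, 68, 2)                                    # GUI subsystem
    struct.pack_into("<I", opt, 92, 16)                                   # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96, export_rva, 0x40 if export_rva else 0)
    section = b".text\0\0\0" + struct.pack("<IIII", 0x200, 0x1000, 0x200, 0x200) + b"\0" * 16
    headers = dos + stub + b"PE\0\0" + coff + bytes(opt) + section
    return headers.ljust(0x200, b"\0") + b"\xCC" * 0x200 + overlay


def triage_file(path: str) -> dict:
    """Run both checks on a real file, e.g. triage_file("SetupStub.exe") (path assumed)."""
    with open(path, "rb") as fh:
        data = fh.read()
    return {"ioc": match_known(digests(data)), "pe": pe_attributes(data)}
```

On a real copy of the sample, `triage_file` should report `verdict: True` and a `pe` dict agreeing with the attribute list above; a `verdict` of `False` with matching MD5 or size is exactly the case the SHA256-only rule exists for.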

Windows PE Version Information

Company Name: Babylon Software Ltd.
File Description: Babylon Setup SE
File Version: 12.0.0.13
Internal Name: Setup Stub
Legal Copyright: Copyright © Babylon Software Ltd. 1997-2023
Original Filename: SetupStub.exe
Product Name: Babylon Setup
Product Version: 12.0.0.13

Digital Signatures

Signer: Babylon Software LTD
Root: DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
Status: Self Signed

File Traits

  • big overlay
  • HighEntropy
  • Installer Version
  • x86

Block Information

Total Blocks: 456
Potentially Malicious Blocks: 42
Whitelisted Blocks: 414
Unknown Blocks: 0

Visual Map

x x x x x x x x x x x x x x 0 x 0 0 0 0 x x x x x x 0 x x x x x x x x x x x x x 0 x 0 0 0 x x 0 0 0 0 0 0 0 x 0 0 0 x x 0 x x 1 1 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 2 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 1 1 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 2 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 2 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 0 0 0 0 0 0 0 2 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 2 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 2 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 2 2 1 0 0 1 1 1 1 0 0 0 0 0 0 0 0 0 0 0 0
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Similar Families

  • KillMBR.XE

Files Modified

File Attributes
c:\users\user\appdata\local\temp\sudump.dmp Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\{47863303-bab0-7891-be34-8a05c3d6297d}\abortpage.aof Synchronize,Write Data
c:\users\user\appdata\local\temp\{47863303-bab0-7891-be34-8a05c3d6297d}\abortpage.aoi Generic Write,Read Attributes
c:\users\user\appdata\local\temp\{47863303-bab0-7891-be34-8a05c3d6297d}\clientsetup.aof Synchronize,Write Data
c:\users\user\appdata\local\temp\{47863303-bab0-7891-be34-8a05c3d6297d}\clientsetup.aoi Generic Write,Read Attributes
c:\users\user\appdata\local\temp\{47863303-bab0-7891-be34-8a05c3d6297d}\clientsetupstart.aof Synchronize,Write Data
c:\users\user\appdata\local\temp\{47863303-bab0-7891-be34-8a05c3d6297d}\clientsetupstart.aoi Generic Write,Read Attributes
c:\users\user\appdata\local\temp\{47863303-bab0-7891-be34-8a05c3d6297d}\clientsetupstart.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\{47863303-bab0-7891-be34-8a05c3d6297d}\htmlscreens\loading.html Generic Write,Read Attributes
c:\users\user\appdata\local\temp\{47863303-bab0-7891-be34-8a05c3d6297d}\htmlscreens\naverror.html Generic Write,Read Attributes
c:\users\user\appdata\local\temp\{47863303-bab0-7891-be34-8a05c3d6297d}\htmlscreens\pbar.gif Generic Write,Read Attributes
c:\users\user\appdata\local\temp\{47863303-bab0-7891-be34-8a05c3d6297d}\iecookielow.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\{47863303-bab0-7891-be34-8a05c3d6297d}\setup.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\{47863303-bab0-7891-be34-8a05c3d6297d}\setup.ico Generic Write,Read Attributes
c:\users\user\appdata\local\temp\{47863303-bab0-7891-be34-8a05c3d6297d}\setupstrings.dat Generic Write,Read Attributes
c:\users\user\appdata\local\temp\{47863303-bab0-7891-be34-8a05c3d6297d}\sqlite3.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\{47863303-bab0-7891-be34-8a05c3d6297d}\stp_bbl.dat Generic Write,Read Attributes

Registry Modifications

Key::Value Data API Name
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75 RegNtPreCreateKey

Windows API Usage

Category API
Process Manipulation Evasion
  • NtUnmapViewOfSection
Process Shell Execute
  • CreateProcess
Anti Debug
  • IsDebuggerPresent
  • NtQuerySystemInformation
User Data Access
  • GetUserObjectInformation
Network Winhttp
  • WinHttpOpen
Network Wininet
  • HttpOpenRequest
  • HttpQueryInfo
  • HttpSendRequest
  • InternetConnect
  • InternetOpen
  • InternetOpenUrl
  • InternetSetOption
Network Winsock2
  • WSAStartup

Shell Command Execution

"C:\Users\Stmqoimq\AppData\Local\Temp\{47863303-BAB0-7891-BE34-8A05C3D6297D}\setup.exe"
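
Read together, the three sections above describe a chain that endpoint telemetry can match: the stub writes a payload into a %TEMP%\{GUID}\ directory, rewrites IE ZoneMap values under HKCU, then launches setup.exe from that directory. The following is an added example and not part of the report: a small correlator over a constructed event stream whose shape is loosely modelled on Sysmon event IDs (11 file create, 13 registry value set, 1 process create). The paths and Key::Value names are copied from the report; the event format, process IDs and rule names are assumptions for illustration.

```python
import re
from collections import defaultdict

# %LOCALAPPDATA%\Temp\{GUID}\<name>.exe, the drop location seen in "Files Modified".
GUID_TEMP_EXE = re.compile(r"\\appdata\\local\\temp\\\{[0-9a-f-]{36}\}\\[^\\]+\.exe$", re.IGNORECASE)
# Key::Value form used in "Registry Modifications" for the IE ZoneMap settings.
ZONEMAP_VALUE = re.compile(
    r"^hkcu\\software\\microsoft\\windows\\currentversion\\internet settings\\zonemap::"
    r"(proxybypass|intranetname|uncasintranet|autodetect)$",
    re.IGNORECASE,
)


def detect(events):
    """Correlate an ordered event stream and return (rule, pid, detail) findings.

    Event dicts are a constructed shape, loosely modelled on Sysmon IDs:
      {"id": 11, "pid": P, "target": path}              file created by P
      {"id": 13, "pid": P, "target": "key::value"}      registry value set by P
      {"id": 1,  "pid": C, "ppid": P, "image": path}    process C started by P
    """
    dropped = defaultdict(set)  # pid -> lower-cased .exe paths it wrote under Temp\{GUID}\
    findings = []
    for ev in events:
        if ev["id"] == 11 and GUID_TEMP_EXE.search(ev["target"]):
            dropped[ev["pid"]].add(ev["target"].lower())
        elif ev["id"] == 13 and ZONEMAP_VALUE.match(ev["target"]):
            findings.append(("zonemap_modified", ev["pid"], ev["target"]))
        elif ev["id"] == 1 and ev["image"].lower() in dropped.get(ev.get("ppid"), ()):
            # The stub runs the payload it just unpacked: the chain recorded in the report.
            findings.append(("dropped_exe_executed", ev["ppid"], ev["image"]))
    return findings


# Constructed events replaying the behaviour recorded above (paths and value names
# taken from the report; process IDs are invented).
TEMP = r"C:\Users\user\AppData\Local\Temp"
GUID_DIR = TEMP + r"\{47863303-bab0-7891-be34-8a05c3d6297d}"
SAMPLE_EVENTS = [
    {"id": 11, "pid": 100, "target": TEMP + r"\sudump.dmp"},
    {"id": 11, "pid": 100, "target": GUID_DIR + r"\sqlite3.dll"},
    {"id": 11, "pid": 100, "target": GUID_DIR + r"\setup.exe"},
    {"id": 13, "pid": 100, "target": r"HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect"},
    # Image casing mirrors the shell command above; matching is case-insensitive.
    {"id": 1, "pid": 200, "ppid": 100, "image": TEMP + r"\{47863303-BAB0-7891-BE34-8A05C3D6297D}\setup.exe"},
    {"id": 1, "pid": 300, "ppid": 1, "image": r"C:\Windows\System32\notepad.exe"},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(*finding)
```

The drop-then-execute rule fires only when the same process both wrote the .exe into a GUID-named Temp directory and later spawned it; an execution from such a directory with no observed drop is left alone, which keeps the rule from flagging every unpacked installer that happens to run from Temp.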
