PUP.DotSetupIo
Analysis Report
General information
| Family Name: | PUP.DotSetupIo |
|---|---|
| Signature status: | Root Not Trusted |
Known Samples
This section lists other file samples believed to be associated with this family.

| MD5 | SHA1 | SHA256 | File Size |
|---|---|---|---|
| df6ab261699e3728ca62666a684531a7 | 5c2b9b9124dc4b8c8d561e18f87e3a37d2fbf0a0 | DF845C2DFC62B727846A61806308A78F1C93C47E272E44D95BDF55806CD29F4D | 316,408 bytes (316.41 KB) |
| 0a1d9adb2c415ad52f66a77f210e33f0 | f8e8813fb218ed652f7e554584dadd30ef034ed9 | A209BF4CED1EE999EBF1E55558E984FEF4C06F6DFCACEDAE4219DDBDAC351166 | 300,056 bytes (300.06 KB) |
| 86961c013b521f5795cc861626244156 | 6f01e7ebacbcf1630dc06523273b3da94dfb2b65 | 66D71566DFCA25549BA849C627EB0FEB8693C5CA0D095F9B3963A092EA559A68 | 316,408 bytes (316.41 KB) |
| c35622ba936f78ac50db978118eef2d8 | 0246c4234093c5a675a587da1a357de11be25111 | ED6950049C589EB0F4B04C3F1F5AD6C64688A7D134FBBA7D4DFEA4AF0D17F438 | 316,408 bytes (316.41 KB) |
| 1a52a2b0162e506c9bcbd26389f03a8b | 53449fc3b38e1e63b1d1e8e19197b7f8fcec77f5 | F7A3F3E71D47E9EA515E4FC03510267AE9596F761D74F395A57F51E9082CEC06 | 228,536 bytes (228.54 KB) |
| 28b274163b08ce454b4fe7c5f066002d | d62d711f014313b80812a2cb638dd10b469d38c5 | 8ED3888F8180D687C345F5984EA624B617B5F56739CFD176D38A8B8E750B6565 | 316,408 bytes (316.41 KB) |
| a1ed533099f199731bbead71cf2d71fd | b401a53ed164d990713c14a8492e786f016dcb6d | 1C364EADACA754254FAC676BC3F30DEA77E66E26CA1EE3F11D7C10010D894D33 | 273,912 bytes (273.91 KB) |
| a46a5db98c756737d851f339aedc4015 | baf643bc3ddcffc29945856ff531f29bae66e3ac | BBA01ABC344F5C9B7C8113D38CFCABADE919D0482BAEFA0EC384FB8D281C84C0 | 273,912 bytes (273.91 KB) |
| a59d014ecd34923dad8c2173631b04a9 | 7583baf0d1bdad6f3c8b3d0a0f75a8ecf7a02810 | EC3FAA404A969BAA547B56B14131A3602B2DA31E3A4BDE7832F1CF9ACEE35790 | 300,056 bytes (300.06 KB) |
| 7bf5aad1d5776c03d47df69e2c11bac3 | d8caec4a69839dbd1f35399d2e0e848aa6636aad | 8B49D3E48392601B1BEE4A088145F8CEEB182EE4FEE1B5A8BEB2217D746BFC50 | 300,056 bytes (300.06 KB) |
| 82613194f0bfc562c28ba537bc2f6591 | b2876ab53c143494829c744ff4620433834a13e1 | 4BD0D3ADE9640951911D84FDBA5ADE07113B8C121E9470F6FF96C42BAE7C5577 | 316,408 bytes (316.41 KB) |
Windows Portable Executable Attributes
This list aggregates PE header attributes across the family's samples, so mutually exclusive entries (an exports table both present and absent) describe different samples rather than one contradictory file; check each sample on its own.
- File doesn't have "Rich" header
- File doesn't have debug information
- File doesn't have exports table
- File has exports table
- File is .NET application
- File is 32-bit executable
- File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
- File is either console or GUI application
- File is not packed
- IMAGE_FILE_DLL is not set inside PE header (Executable)
- IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)
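As an added example (not EnigmaSoft's analysis code), the following Python derives the attributes above directly from the PE headers with no third-party module: the "Rich" marker between the DOS stub and the PE signature, the export, debug and CLR data directories, the PE32 versus PE32+ magic, the subsystem field, and the IMAGE_FILE_DLL and IMAGE_FILE_EXECUTABLE_IMAGE characteristics. The function build_minimal_pe() is an assumption of this example: it constructs a synthetic header-only image so the checks can be exercised offline; it is not one of the family's samples. Run pe_attributes() on the bytes of a real file to apply the same checks to one of the samples listed above.

```python
"""Derive the PE attributes listed above straight from the headers.
Added example; not EnigmaSoft's tooling. Offsets follow the PE/COFF spec."""
import struct
import sys

IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_32BIT_MACHINE = 0x0100
IMAGE_FILE_DLL = 0x2000
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
SUBSYSTEM_GUI, SUBSYSTEM_CUI = 2, 3
DIR_EXPORT, DIR_DEBUG, DIR_CLR = 0, 6, 14   # IMAGE_DIRECTORY_ENTRY_* indices


def pe_attributes(data: bytes) -> dict:
    """Return the same yes/no attributes the report lists, for one image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    (_machine, _nsections, _stamp, _symtab, _nsyms,
     _opt_size, characteristics) = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                # optional header start
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:                        # PE32: 32-bit image
        ndirs_off, dirs_off = 92, 96
    elif magic == PE32PLUS_MAGIC:                  # PE32+: 64-bit image
        ndirs_off, dirs_off = 108, 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    ndirs = struct.unpack_from("<I", data, opt + ndirs_off)[0]

    def directory_present(index: int) -> bool:
        if index >= ndirs:
            return False
        rva, size = struct.unpack_from("<II", data, opt + dirs_off + 8 * index)
        return rva != 0 and size != 0

    return {
        # The Rich header, when present, sits between the DOS stub and "PE\0\0".
        "has_rich_header": b"Rich" in data[0x40:e_lfanew],
        "has_debug_info": directory_present(DIR_DEBUG),
        "has_exports_table": directory_present(DIR_EXPORT),
        "is_dotnet": directory_present(DIR_CLR),   # CLR runtime header present
        "is_32bit": magic == PE32_MAGIC,
        "is_console": subsystem == SUBSYSTEM_CUI,
        "is_gui": subsystem == SUBSYSTEM_GUI,
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        "is_executable_image": bool(characteristics & IMAGE_FILE_EXECUTABLE_IMAGE),
    }


def build_minimal_pe(*, plus=False, characteristics=IMAGE_FILE_EXECUTABLE_IMAGE,
                     subsystem=SUBSYSTEM_GUI, dirs=()) -> bytes:
    """Constructed header-only image for exercising pe_attributes() offline.
    Synthetic test input (assumption of this example), not a family sample."""
    opt_size = 240 if plus else 224                # room for 16 data directories
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)        # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", 0x8664 if plus else 0x14C, 0, 0, 0, 0,
                       opt_size, characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if plus else PE32_MAGIC)
    struct.pack_into("<H", opt, 68, subsystem)
    ndirs_off, dirs_off = (108, 112) if plus else (92, 96)
    struct.pack_into("<I", opt, ndirs_off, 16)
    for index in dirs:                             # non-zero RVA/size = present
        struct.pack_into("<II", opt, dirs_off + 8 * index, 0x1000 + 0x100 * index, 0x40)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Usage: python pe_attrs.py <file>; with no argument, a synthetic PE32 image
    # shaped like the 32-bit .NET console image with exports described above.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_minimal_pe(
        characteristics=IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE,
        subsystem=SUBSYSTEM_CUI, dirs=(DIR_EXPORT, DIR_CLR))
    for name, value in pe_attributes(blob).items():
        print(f"{name:22} {value}")
```

The parser reads only the headers, so it works on a truncated or header-only file; "File is not packed" is a section-level judgement the report makes separately and is not reproduced here.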
Windows PE Version Information
This section displays values and attributes that have been set in the Windows file version information data structure for samples within this family. To mislead users, malware actors often add fake version information mimicking legitimate software. No values are recorded for this family.

| Name | Value |
|---|---|
| Assembly Version | |
| Comments | |
| File Description | |
| File Version | |
| Internal Name | |
| Legal Copyright | |
| Original Filename | |
| Product Name | |
| Product Version | |
Digital Signatures
This section lists digital signatures that are attached to samples within this family. When analyzing and verifying digital signatures, it is important to confirm that the signature's root authority is a well-known and trustworthy entity and that the status of the signature is good. Malware is often signed with non-trustworthy "Self Signed" digital signatures (which can be easily created by a malware author with no verification). Malware may also be signed by legitimate signatures that have an invalid status, and by signatures from questionable root authorities with fake or misleading "Signer" names.

| Signer | Root | Status |
|---|---|---|
| Noviadigm | Sectigo Public Code Signing Root R46 | Root Not Trusted |

Sectigo Public Code Signing Root R46 is the name of a genuine Sectigo root, so a "Root Not Trusted" status here can mean either a chain that merely names that root without chaining to it, or an analysis host whose trust store lacks the root. Rebuild the chain on an up-to-date Windows system (for example with `signtool verify /pa /v` or `Get-AuthenticodeSignature`) and check the root's thumbprint before treating the signature as self-signed or forged.
Block Information
During analysis, EnigmaSoft breaks file samples into logical blocks for classification and comparison with other samples. Blocks can be used to generate malware detection rules and to group file samples into families based on shared source code, functionality and other distinguishing attributes and characteristics. This section lists a summary of this block data, as well as its classification by EnigmaSoft. A visual representation of the block data is also displayed, where available.

| Total Blocks: | 78 |
|---|---|
| Potentially Malicious Blocks: | 36 |
| Whitelisted Blocks: | 38 |
| Unknown Blocks: | 4 |
Visual Map (one character per block, in block order; 78 blocks):
0000000000000000000000xxxxxx?x??xxxxx?x0x0xxxxxx000000xx00x00xxxxxxxxxx0x000xx
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block
Similar Families
This section lists other families that share similarities with this family, based on EnigmaSoft's analysis. Many malware families are created from the same malware toolkits and use the same packing and encryption techniques but uniquely extend functionality. Similar families may also share source code, attributes, icons, subcomponents, compromised and/or invalid digital signatures, and network characteristics. Researchers leverage these similarities to rapidly and effectively triage file samples and extend malware detection rules.
- DotSetupIo.A
- DotSetupIo.B
Windows API Usage
This section lists Windows API calls that are used by the samples in this family. Windows API usage analysis is a valuable tool that can help identify malicious activity, such as keylogging, security privilege escalation, data encryption, data exfiltration, interference with antivirus software, and network request manipulation. Only the categories are given for this family; no individual API names are listed.

| Category | API |
|---|---|
| Syscall Use | |
| Process Manipulation Evasion | |
| Process Shell Execute | |
| Anti Debug | |
Shell Command Execution
This section lists Windows shell commands that are run by the samples in this family. Windows shell commands are often leveraged by malware for nefarious purposes and can be used to elevate security privileges, download and launch other malware, exploit vulnerabilities, collect and exfiltrate data, and hide malicious activity.

Read the lines below with their origin in mind: each one is the sandbox loading a sample, not a command the sample itself issues. Every file was dropped as c:\users\user\downloads\<SHA1>_<size>. (the SHA1 and byte size match the Known Samples table, and the name has no extension, which rundll32.exe does not require) and loaded through rundll32.exe, which called the export LiQMAxHB. The doubled rundll32.exe path is consistent with the 64-bit rundll32 handing a 32-bit library off to its SysWOW64 counterpart with the original arguments. For hunting, the export name is the attribute tied to the samples; rundll32.exe on its own appears in countless legitimate command lines.

- C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\5c2b9b9124dc4b8c8d561e18f87e3a37d2fbf0a0_0000316408.,LiQMAxHB
- C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\f8e8813fb218ed652f7e554584dadd30ef034ed9_0000300056.,LiQMAxHB
- C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\6f01e7ebacbcf1630dc06523273b3da94dfb2b65_0000316408.,LiQMAxHB
- C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\0246c4234093c5a675a587da1a357de11be25111_0000316408.,LiQMAxHB
- C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\53449fc3b38e1e63b1d1e8e19197b7f8fcec77f5_0000228536.,LiQMAxHB
- C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\d62d711f014313b80812a2cb638dd10b469d38c5_0000316408.,LiQMAxHB
- C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\7583baf0d1bdad6f3c8b3d0a0f75a8ecf7a02810_0000300056.,LiQMAxHB
- C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\d8caec4a69839dbd1f35399d2e0e848aa6636aad_0000300056.,LiQMAxHB
- C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\b2876ab53c143494829c744ff4620433834a13e1_0000316408.,LiQMAxHB
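As an added example (not EnigmaSoft's tooling), the following Python ties the Known Samples table to the command lines above: it parses the sandbox's <SHA1>_<size>. filename convention out of each rundll32 line, resolves it to a table entry, checks that the embedded size agrees with the table, reports which samples never had a command line recorded, and looks up a candidate file by hashing it with all three algorithms. The hashes and command lines are copied from this report; the helper names (parse_sandbox_cmdline, correlate, not_executed, lookup_file) and the regular expression are assumptions of this example.

```python
"""Cross-reference the Known Samples table with the recorded rundll32
command lines, and look up a candidate file by hash.
Added example; not EnigmaSoft's tooling. Hashes and command lines are
copied from this report; the helper names below are this example's own."""
import hashlib
import re

# (MD5, SHA1, SHA256, size in bytes) from the Known Samples table above.
KNOWN_SAMPLES = [
    ("df6ab261699e3728ca62666a684531a7", "5c2b9b9124dc4b8c8d561e18f87e3a37d2fbf0a0",
     "DF845C2DFC62B727846A61806308A78F1C93C47E272E44D95BDF55806CD29F4D", 316408),
    ("0a1d9adb2c415ad52f66a77f210e33f0", "f8e8813fb218ed652f7e554584dadd30ef034ed9",
     "A209BF4CED1EE999EBF1E55558E984FEF4C06F6DFCACEDAE4219DDBDAC351166", 300056),
    ("86961c013b521f5795cc861626244156", "6f01e7ebacbcf1630dc06523273b3da94dfb2b65",
     "66D71566DFCA25549BA849C627EB0FEB8693C5CA0D095F9B3963A092EA559A68", 316408),
    ("c35622ba936f78ac50db978118eef2d8", "0246c4234093c5a675a587da1a357de11be25111",
     "ED6950049C589EB0F4B04C3F1F5AD6C64688A7D134FBBA7D4DFEA4AF0D17F438", 316408),
    ("1a52a2b0162e506c9bcbd26389f03a8b", "53449fc3b38e1e63b1d1e8e19197b7f8fcec77f5",
     "F7A3F3E71D47E9EA515E4FC03510267AE9596F761D74F395A57F51E9082CEC06", 228536),
    ("28b274163b08ce454b4fe7c5f066002d", "d62d711f014313b80812a2cb638dd10b469d38c5",
     "8ED3888F8180D687C345F5984EA624B617B5F56739CFD176D38A8B8E750B6565", 316408),
    ("a1ed533099f199731bbead71cf2d71fd", "b401a53ed164d990713c14a8492e786f016dcb6d",
     "1C364EADACA754254FAC676BC3F30DEA77E66E26CA1EE3F11D7C10010D894D33", 273912),
    ("a46a5db98c756737d851f339aedc4015", "baf643bc3ddcffc29945856ff531f29bae66e3ac",
     "BBA01ABC344F5C9B7C8113D38CFCABADE919D0482BAEFA0EC384FB8D281C84C0", 273912),
    ("a59d014ecd34923dad8c2173631b04a9", "7583baf0d1bdad6f3c8b3d0a0f75a8ecf7a02810",
     "EC3FAA404A969BAA547B56B14131A3602B2DA31E3A4BDE7832F1CF9ACEE35790", 300056),
    ("7bf5aad1d5776c03d47df69e2c11bac3", "d8caec4a69839dbd1f35399d2e0e848aa6636aad",
     "8B49D3E48392601B1BEE4A088145F8CEEB182EE4FEE1B5A8BEB2217D746BFC50", 300056),
    ("82613194f0bfc562c28ba537bc2f6591", "b2876ab53c143494829c744ff4620433834a13e1",
     "4BD0D3ADE9640951911D84FDBA5ADE07113B8C121E9470F6FF96C42BAE7C5577", 316408),
]
# Normalise hex case once so lookups never depend on how a hash was typed.
BY_SHA1 = {sha1.lower(): (md5.lower(), sha1.lower(), sha256.lower(), size)
           for md5, sha1, sha256, size in KNOWN_SAMPLES}

# The nine command lines recorded in this report, verbatim.
RECORDED_CMDLINES = [
    r"C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\5c2b9b9124dc4b8c8d561e18f87e3a37d2fbf0a0_0000316408.,LiQMAxHB",
    r"C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\f8e8813fb218ed652f7e554584dadd30ef034ed9_0000300056.,LiQMAxHB",
    r"C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\6f01e7ebacbcf1630dc06523273b3da94dfb2b65_0000316408.,LiQMAxHB",
    r"C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\0246c4234093c5a675a587da1a357de11be25111_0000316408.,LiQMAxHB",
    r"C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\53449fc3b38e1e63b1d1e8e19197b7f8fcec77f5_0000228536.,LiQMAxHB",
    r"C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\d62d711f014313b80812a2cb638dd10b469d38c5_0000316408.,LiQMAxHB",
    r"C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\7583baf0d1bdad6f3c8b3d0a0f75a8ecf7a02810_0000300056.,LiQMAxHB",
    r"C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\d8caec4a69839dbd1f35399d2e0e848aa6636aad_0000300056.,LiQMAxHB",
    r"C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\b2876ab53c143494829c744ff4620433834a13e1_0000316408.,LiQMAxHB",
]

# Sandbox naming seen above: <sha1>_<size zero-padded to 10 digits>. with no
# extension, followed by ",<export>" as rundll32 expects. (Assumed pattern.)
SANDBOX_CMDLINE = re.compile(r"(?P<sha1>[0-9a-fA-F]{40})_(?P<size>\d{10})\.,(?P<export>\S+)")


def parse_sandbox_cmdline(line: str):
    """Extract sha1, size and export from one recorded rundll32 line, or None."""
    m = SANDBOX_CMDLINE.search(line)
    if m is None:
        return None
    return {"sha1": m["sha1"].lower(), "size": int(m["size"]), "export": m["export"]}


def correlate(cmdlines):
    """Map each command line to a table entry; flag unknown SHA1s and sizes
    that disagree with the table. Returns {sha1: (status, export)}."""
    executed = {}
    for line in cmdlines:
        parsed = parse_sandbox_cmdline(line)
        if parsed is None:
            continue
        sample = BY_SHA1.get(parsed["sha1"])
        if sample is None:
            status = "not in sample table"
        elif sample[3] != parsed["size"]:
            status = "size mismatch"
        else:
            status = "ok"
        executed[parsed["sha1"]] = (status, parsed["export"])
    return executed


def not_executed(executed):
    """SHA1s from the table that have no recorded command line."""
    return sorted(sha1 for sha1 in BY_SHA1 if sha1 not in executed)


def lookup_file(data: bytes):
    """Hash a candidate file with all three algorithms; return (entry, matched
    algorithms) or None. A partial match points at a transcription error."""
    digests = {"md5": hashlib.md5(data).hexdigest(),
               "sha1": hashlib.sha1(data).hexdigest(),
               "sha256": hashlib.sha256(data).hexdigest()}
    for entry in BY_SHA1.values():
        matched = [name for name, pos in (("md5", 0), ("sha1", 1), ("sha256", 2))
                   if digests[name] == entry[pos]]
        if matched:
            return entry, matched
    return None


if __name__ == "__main__":
    executed = correlate(RECORDED_CMDLINES)
    for sha1, (status, export) in executed.items():
        print(f"{sha1}  {status:20} export={export}")
    print("no command line recorded for:", ", ".join(not_executed(executed)))
```

Running the script shows that all nine command lines resolve to table entries with matching sizes and the same export, and that the two 273,912-byte samples are the ones without a recorded command line.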