PUP.eCode
Analysis Report
General information
| Family Name: | PUP.eCode |
|---|---|
| Signature status: | Hash Mismatch |
Known Samples
This section lists other file samples believed to be associated with this family.

| MD5 | SHA1 | SHA256 | File Size |
|---|---|---|---|
| 586e8cbe7a6fe24b2fbb6acc66751733 | 3a75ea04ce950f04bc3e125e230b38467a822be1 | not listed | 2.50 MB (2,504,848 bytes) |
| 1d97c91033bd8ccbcff49f2c28330f33 | ba3dc9e6ddea49eb43074fee5c1677e1413fa0fe | CE0D38FC7AA4D10400C3889FD414F3876CF46068BCC1C7922F765DDDC043187A | 2.45 MB (2,446,064 bytes) |
| 0aea663df46ae7acd5c8366d65e98e08 | df4cc4b2be80236aec11dfeba9048c2362c313d2 | 57A862F335384E5B0E5FA250678113547280059695ED2ABC04D98F7D49A5A4B3 | 1.55 MB (1,552,899 bytes) |
Windows Portable Executable Attributes
- File doesn't have "Rich" header
- File doesn't have debug information
- File doesn't have exports table
- File doesn't have relocations information
- File doesn't have security information
- File has TLS information
- File is 32-bit executable
- File is either console or GUI application
- File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
- File is Native application (NOT .NET application)
- File is not packed
- IMAGE_FILE_DLL is not set inside PE header (Executable)
- IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)
File Icons
This section displays icon resources found within family samples. Malware often replicates icons commonly associated with legitimate software to mislead users into believing the malware is safe.

Windows PE Version Information
This section displays values and attributes that have been set in the Windows file version information data structure for samples within this family. To mislead users, malware actors often add fake version information mimicking legitimate software.

| Name | Value |
|---|---|
| Company Name | |
| File Description | |
| File Version | |
| Internal Name | Real Hide IP |
| Product Name | |
| Product Version | |
Digital Signatures
This section lists digital signatures that are attached to samples within this family. When analyzing and verifying digital signatures, it is important to confirm that the signature's root authority is a well-known and trustworthy entity and that the status of the signature is good. Malware is often signed with non-trustworthy "Self Signed" digital signatures (which can be easily created by a malware author with no verification). Malware may also be signed by legitimate signatures that have an invalid status, and by signatures from questionable root authorities with fake or misleading "Signer" names.

Both signatures below carry the status "Hash Mismatch": the Authenticode digest computed over the file no longer equals the digest embedded in the signed data, so the file was modified after it was signed (or a signature taken from a different binary was attached). A signature in this state proves nothing about the file's origin, and the sample should be treated as unsigned regardless of the signer name or the root it chains to.

| Signer | Root | Status |
|---|---|---|
| eCode Sky Network Technology Co., Ltd. | UTN-USERFirst-Object | Hash Mismatch |
| eCode Sky Network Technology Co., Ltd. | WoSign Code Signing Authority | Hash Mismatch |
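The following Python is an added example, not code from the report or from the tool that produced it. It reproduces two things the report relies on: the header-derived attributes in the Windows Portable Executable Attributes section, and the Authenticode image digest whose comparison against the digest embedded in the signature is what produces a Hash Mismatch. It uses only the standard library and builds a minimal PE32 inline with a dummy certificate table (constructed bytes, not a real PKCS#7 signature), so the "signed" digest is simply the digest taken before tampering; a real verifier would extract the expected digest from the SpcIndirectDataContent inside the PKCS#7 blob. Offsets follow the PE/COFF and Authenticode specifications; the report's "not packed" verdict is an entropy heuristic and is not reproduced.

```python
# Added example (not from the report): PE header attributes and the Authenticode digest.
import hashlib
import struct

# Data directory indices (PE/COFF spec) and the header constants used below.
EXPORT, SECURITY, BASERELOC, DEBUG, TLS, COM_DESCRIPTOR = 0, 4, 5, 6, 9, 14
IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_DLL, GUI_SUBSYSTEM, PE32_MAGIC = 0x0002, 0x2000, 2, 0x10B


def _headers(data):
    """Return (e_lfanew, optional-header offset, magic, data-directory offset, nsections)."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    opt = e_lfanew + 24                                # past "PE\0\0" and the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    dirs = opt + (96 if magic == PE32_MAGIC else 112)  # directories start later in PE32+
    return e_lfanew, opt, magic, dirs, struct.unpack_from("<H", data, e_lfanew + 6)[0]


def pe_attributes(data):
    """Header-derived attributes as the report lists them ('not packed' is a heuristic, omitted)."""
    e_lfanew, opt, magic, dirs, _ = _headers(data)
    chars = struct.unpack_from("<H", data, e_lfanew + 22)[0]     # COFF Characteristics
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]      # same offset in PE32 and PE32+
    has = lambda index: struct.unpack_from("<II", data, dirs + 8 * index)[1] != 0  # Size != 0
    return {
        "rich_header": b"Rich" in data[0x40:e_lfanew],          # Rich header lives in the DOS stub
        "debug_info": has(DEBUG),
        "exports": has(EXPORT),
        "relocations": has(BASERELOC),
        "security_info": has(SECURITY),
        "tls": has(TLS),
        "is_32bit": magic == PE32_MAGIC,
        "gui": subsystem == GUI_SUBSYSTEM,
        "dotnet": has(COM_DESCRIPTOR),
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "executable_image": bool(chars & IMAGE_FILE_EXECUTABLE_IMAGE),
    }


def authenticode_digest(data, algo="sha256"):
    """Authenticode image hash: the file minus the CheckSum field, the Certificate Table
    directory entry and the certificate table itself. The signer embeds this in the PKCS#7
    blob; a verifier recomputes it and reports Hash Mismatch if the two differ."""
    e_lfanew, opt, magic, dirs, nsections = _headers(data)
    checksum_off, secdir_off = opt + 64, dirs + 8 * SECURITY
    size_of_headers = struct.unpack_from("<I", data, opt + 60)[0]
    cert_off, cert_len = struct.unpack_from("<II", data, secdir_off)   # file offset, not an RVA
    h = hashlib.new(algo)
    h.update(data[:checksum_off])
    h.update(data[checksum_off + 4:secdir_off])
    h.update(data[secdir_off + 8:size_of_headers])
    sec_tbl = opt + struct.unpack_from("<H", data, e_lfanew + 20)[0]   # + SizeOfOptionalHeader
    raw = (struct.unpack_from("<II", data, sec_tbl + 40 * i + 16) for i in range(nsections))
    hashed = size_of_headers
    for ptr, size in sorted((p, s) for s, p in raw):  # (SizeOfRawData, PointerToRawData), by offset
        h.update(data[ptr:ptr + size])
        hashed += size
    if len(data) > hashed:  # trailing data minus the certificate table (assumed after the sections)
        h.update((data[hashed:cert_off] + data[cert_off + cert_len:]) if cert_len else data[hashed:])
    return h.hexdigest()


def build_sample_pe():
    """Constructed PE32 GUI executable: one .text section, TLS directory set, no exports,
    relocations or debug data, and a dummy (non-PKCS#7) certificate table at 0x400."""
    dos = bytearray(b"MZ").ljust(64, b"\0")
    struct.pack_into("<I", dos, 0x3C, 0x40)                              # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)       # i386, EXE | 32BIT_MACHINE
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 60, 0x200)                               # SizeOfHeaders
    struct.pack_into("<H", opt, 68, GUI_SUBSYSTEM)
    struct.pack_into("<I", opt, 92, 16)                                  # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * TLS, 0x1100, 0x18)             # TLS directory present
    body = b"DUMMY-PKCS7-BLOB" * 4                                       # constructed, not a signature
    cert = struct.pack("<IHH", 8 + len(body), 0x0200, 0x0002) + body     # WIN_CERTIFICATE header
    struct.pack_into("<II", opt, 96 + 8 * SECURITY, 0x400, len(cert))
    section = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + section
    return headers.ljust(0x200, b"\0") + bytes(range(256)) * 2 + cert   # headers | .text | cert table


def demo():
    """Digest a signer would embed versus digests after three single-byte edits."""
    pe = build_sample_pe()
    signed = authenticode_digest(pe)
    flip = lambda off: pe[:off] + bytes([pe[off] ^ 0xFF]) + pe[off + 1:]
    return {
        "attributes": pe_attributes(pe),
        "code_patch_mismatch": authenticode_digest(flip(0x210)) != signed,       # .text byte: detected
        "cert_table_edit_mismatch": authenticode_digest(flip(0x410)) != signed,  # cert byte: excluded
        "checksum_edit_mismatch": authenticode_digest(flip(0x58 + 64)) != signed,  # CheckSum: excluded
    }


print(demo())
```

Running it prints the attribute dictionary and three booleans: a byte changed inside .text flips the digest (a Hash Mismatch), while a byte changed inside the certificate table or the CheckSum field does not. That exclusion is what lets a signature blob be appended to or swapped on a binary without disturbing the digest, and it is why the comparison against the digest embedded in the signature, not the mere presence of a signer name, is the check that matters.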
Files Modified
This section lists files that were created, modified, moved and/or deleted by samples in this family. File system activity can provide valuable insight into how malware functions on the operating system.

The ns*.tmp directory under %TEMP% holding installoptions.dll together with modern-header.bmp and modern-wizard.bmp is the extraction directory of an NSIS (Nullsoft Scriptable Install System) installer, so the entries below are installer scaffolding; whatever the installer script itself drops is not among them.

| File | Attributes |
|---|---|
| \device\namedpipe\gmdasllogger | Generic Write, Read Attributes |
| c:\users\user\appdata\local\temp\nsie3eb.tmp\installoptions.dll | Generic Write, Read Attributes |
| c:\users\user\appdata\local\temp\nsie3eb.tmp\iospecial.ini | Generic Read, Write Data, Write Attributes, Write Extended, Append Data |
| c:\users\user\appdata\local\temp\nsie3eb.tmp\iospecial.ini | Generic Write, Read Attributes |
| c:\users\user\appdata\local\temp\nsie3eb.tmp\modern-header.bmp | Generic Write, Read Attributes |
| c:\users\user\appdata\local\temp\nsie3eb.tmp\modern-wizard.bmp | Generic Write, Read Attributes |
| c:\users\user\appdata\local\temp\nsse38c.tmp | Generic Read, Write Data, Write Attributes, Write Extended, Append Data, Delete |
Windows API Usage
This section lists Windows API calls that are used by the samples in this family. Windows API usage analysis is a valuable tool that can help identify malicious activity, such as keylogging, security privilege escalation, data encryption, data exfiltration, interference with antivirus software, and network request manipulation.

| Category | API |
|---|---|
| Process Manipulation Evasion | |
| Anti Debug | |
| User Data Access | |