PUP.Gamehack.ADH
Analysis Report
General information
| Family Name: | PUP.Gamehack.ADH |
|---|---|
| Signature status: | No Signature |
Known Samples
This section lists other file samples believed to be associated with this family.

| MD5 | SHA1 | SHA256 | File Size |
|---|---|---|---|
| a3f1de190ad0f17b23f03360efa041ac | 09d7fb416f6aa925416d7a198d2241ac38c9a821 | F503112DDB0EA811C75C1212A73DD2AA65F8D62CCDAB8A06214286692373D987 | 64.00 KB, 64000 bytes |
| 9b97be2d4bae6eccb4b5ca677d17b67c | b22188b96fd65c97628fc6fd6c1709c48bf954f4 | 67F2DECBDAFDD64D4160F4176731E3D852D685B25019E772E24D2782DA95DAF2 | 98.82 KB, 98816 bytes |
| 93cf4afa896ba16390852ba053f307b3 | 7c4f526b178a7e1edd643aacce3b1d51d58d99fa | E7670C9D59D2F03E7DC4AFBC915E4E7F6C280C155C69E2C5E8925D64F1A6190E | 140.29 KB, 140288 bytes |
| 7fdfd9b3709368f8b33cd292ea5cdbe0 | 7713e7974f3a24debfc44b60125fa2762dc8a0c4 | C3095295CB4F74BCA56EDE91535D41339A9F1363C3EBA03D5C42AE772A43ECE7 | 138.75 KB, 138752 bytes |
| a8badb49f9305bbb96d4ea8253602a2e | e790cb22e3907855d901e40285b56614f778d5b6 | 13DEA7234B4CE8BA1BFA627C4B14B7102E2CB98E3748AE443564F9C57675D259 | 141.31 KB, 141312 bytes |
Windows Portable Executable Attributes
- File doesn't have "Rich" header
- File doesn't have exports table
- File doesn't have security information
- File is .NET application
- File is 32-bit executable
- File is either console or GUI application
- File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
- File is not packed
- IMAGE_FILE_DLL is not set inside PE header (Executable)
- IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)
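Every bullet in the list above is a header-level fact that can be read straight out of the DOS header, COFF header, optional header and data directories, without running the file. As an added example (not EnigmaSoft's tooling, and not code from this report), the Python below derives the same attributes from raw PE bytes and renders them in the report's wording. Because the samples themselves are not reproduced here, `build_pe()` assembles a synthetic header with this family's profile (PE32, .NET, GUI, no Rich header, no exports, no Authenticode directory) so the script runs offline; the toy Rich header it can emit is only a marker for the presence check, not a faithful one.

```python
import struct

# PE/COFF constants (Microsoft PE format specification)
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000
IMAGE_SUBSYSTEM_WINDOWS_GUI = 2
IMAGE_SUBSYSTEM_WINDOWS_CUI = 3
DIR_EXPORT, DIR_SECURITY, DIR_CLR = 0, 4, 14   # data directory indices


def pe_attributes(data: bytes) -> dict:
    """Derive header-level attributes from raw PE bytes (standard library only)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    _machine, _nsect, _ts, _sym, _nsym, _opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    pe32plus = struct.unpack_from("<H", data, opt)[0] == 0x20B
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    ndirs_off = opt + (108 if pe32plus else 92)
    ndirs = struct.unpack_from("<I", data, ndirs_off)[0]

    def dir_present(idx: int) -> bool:
        if idx >= ndirs:
            return False
        va, size = struct.unpack_from("<II", data, ndirs_off + 4 + 8 * idx)
        return va != 0 and size != 0

    return {
        # A Rich header, when present, sits between the DOS stub and the PE signature.
        "rich_header": b"Rich" in data[0x40:e_lfanew],
        "exports": dir_present(DIR_EXPORT),
        "security_info": dir_present(DIR_SECURITY),   # Authenticode certificate table
        "dotnet": dir_present(DIR_CLR),               # CLR runtime header => .NET assembly
        "is_64bit": pe32plus,
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "executable_image": bool(chars & IMAGE_FILE_EXECUTABLE_IMAGE),
        "subsystem": subsystem,
    }


def describe(attrs: dict) -> list:
    """Render the attributes in the report's bullet wording."""
    lines = [
        'File %s "Rich" header' % ("has" if attrs["rich_header"] else "doesn't have"),
        "File %s exports table" % ("has" if attrs["exports"] else "doesn't have"),
        "File %s security information" % ("has" if attrs["security_info"] else "doesn't have"),
        "File is %s-bit executable" % ("64" if attrs["is_64bit"] else "32"),
    ]
    if attrs["dotnet"]:
        lines.append("File is .NET application")
    if attrs["subsystem"] == IMAGE_SUBSYSTEM_WINDOWS_GUI:
        lines.append("File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)")
    elif attrs["subsystem"] == IMAGE_SUBSYSTEM_WINDOWS_CUI:
        lines.append("File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)")
    lines.append("IMAGE_FILE_DLL is %s inside PE header" % ("set" if attrs["is_dll"] else "not set"))
    return lines


def build_pe(*, dotnet=True, dll=False, subsystem=IMAGE_SUBSYSTEM_WINDOWS_GUI,
             rich=False, pe32plus=False) -> bytes:
    """Constructed minimal PE header (synthetic, not one of the samples) for testing."""
    dos = bytearray(b"MZ" + b"\0" * 62)
    stub = bytearray()
    if rich:
        stub += b"DanS" + b"\0" * 12 + b"Rich" + b"\x11\x22\x33\x44"   # toy Rich header marker
    e_lfanew = 0x40 + len(stub)
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    chars = IMAGE_FILE_EXECUTABLE_IMAGE | (IMAGE_FILE_DLL if dll else 0)
    opt_size = 240 if pe32plus else 224          # optional header incl. 16 data directories
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 1, 0, 0, 0, opt_size, chars)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 68, subsystem)
    ndirs_off = 108 if pe32plus else 92
    struct.pack_into("<I", opt, ndirs_off, 16)
    if dotnet:   # non-zero CLR runtime header directory marks a .NET assembly
        struct.pack_into("<II", opt, ndirs_off + 4 + 8 * DIR_CLR, 0x2008, 0x48)
    return bytes(dos) + bytes(stub) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    for line in describe(pe_attributes(build_pe())):
        print("- " + line)
```

Point `pe_attributes()` at the bytes of a real file to reproduce the list for that file; the checks are purely structural, so a packed or obfuscated sample still yields them, which is why "File is not packed" is a separate judgement the header alone does not give.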
File Icons
This section displays icon resources found within family samples. Malware often replicates icons commonly associated with legitimate software to mislead users into believing the malware is safe.
Windows PE Version Information
This section displays values and attributes that have been set in the Windows file version information data structure for samples within this family. To mislead users, malware actors often add fake version information mimicking legitimate software.

| Name | Value |
|---|---|
| Assembly Version | 1.0.0.0 |
| File Description | |
| File Version | 1.0.0.0 |
| Internal Name | |
| Legal Copyright | |
| Original Filename | |
| Product Name | |
| Product Version | 1.0.0.0 |
File Traits
- .NET
- HighEntropy
- RijndaelManaged
- x86
Block Information
During analysis, EnigmaSoft breaks file samples into logical blocks for classification and comparison with other samples. Blocks can be used to generate malware detection rules and to group file samples into families based on shared source code, functionality and other distinguishing attributes and characteristics. This section lists a summary of this block data, as well as its classification by EnigmaSoft. A visual representation of the block data is also displayed, where available.

| Total Blocks: | 91 |
|---|---|
| Potentially Malicious Blocks: | 2 |
| Whitelisted Blocks: | 46 |
| Unknown Blocks: | 43 |
Visual Map
The 91 blocks in file order, ten per row:

0000000000
000000????
?0????00?x
0???0?00??
0?000?000?
0000??x0?0
0000?0???0
000?0?????
??????????
?

0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block
Registry Modifications
This section lists registry keys and values that were created, modified and/or deleted by samples in this family. Windows Registry activity can provide valuable insight into malware functionality. Additionally, malware often creates registry values to allow itself to automatically start and indefinitely persist after an initial infection has compromised the system.

| Key::Value | Data | API Name |
|---|---|---|
| HKCU\brmm:: | URL:BRMM Protocol | RegNtPreCreateKey |
| HKCU\brmm::url protocol | | RegNtPreCreateKey |
| HKCU\brmm\defaulticon:: | "c:\users\user\downloads\7c4f526b178a7e1edd643aacce3b1d51d58d99fa_0000140288",1 | RegNtPreCreateKey |
| HKCU\brmm\shell\open\command:: | "c:\users\user\downloads\7c4f526b178a7e1edd643aacce3b1d51d58d99fa_0000140288" "%1" | RegNtPreCreateKey |
| HKCU\brmm\defaulticon:: | "c:\users\user\downloads\7713e7974f3a24debfc44b60125fa2762dc8a0c4_0000138752",1 | RegNtPreCreateKey |
| HKCU\brmm\shell\open\command:: | "c:\users\user\downloads\7713e7974f3a24debfc44b60125fa2762dc8a0c4_0000138752" "%1" | RegNtPreCreateKey |
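The rows above are a custom URL scheme registration: the `URL Protocol` marker under `HKCU\brmm` turns `brmm:` into a launchable scheme, and `shell\open\command` points at the sample itself in the user's Downloads folder (the file names carry the SHA1 and byte size of two of the known samples), so any `brmm:` link opened on the machine relaunches the sample with no administrator rights involved. As an added example (not part of the report), the Python below runs that check over the report's own rows, transcribed as constructed input: it pairs `URL Protocol` markers with `shell\open\command` data and flags handlers that live in user-writable directories. The `USER_WRITABLE` directory list and the treatment of `HKCU\<scheme>` as the registration root follow the report's key layout and are assumptions.

```python
import re
from collections import defaultdict

# Registry rows transcribed from the table above as (Key::Value, Data); constructed input.
REPORT_ROWS = [
    ("HKCU\\brmm::", "URL:BRMM Protocol"),
    ("HKCU\\brmm::url protocol", ""),
    ("HKCU\\brmm\\defaulticon::",
     '"c:\\users\\user\\downloads\\7c4f526b178a7e1edd643aacce3b1d51d58d99fa_0000140288",1'),
    ("HKCU\\brmm\\shell\\open\\command::",
     '"c:\\users\\user\\downloads\\7c4f526b178a7e1edd643aacce3b1d51d58d99fa_0000140288" "%1"'),
    ("HKCU\\brmm\\defaulticon::",
     '"c:\\users\\user\\downloads\\7713e7974f3a24debfc44b60125fa2762dc8a0c4_0000138752",1'),
    ("HKCU\\brmm\\shell\\open\\command::",
     '"c:\\users\\user\\downloads\\7713e7974f3a24debfc44b60125fa2762dc8a0c4_0000138752" "%1"'),
]

# Directories a standard user can write to (assumed list). A protocol handler here is
# suspicious: legitimate handlers are normally installed under Program Files.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\(downloads|desktop|documents|appdata|temp)\\", re.IGNORECASE)
COMMAND_SUFFIX = "\\shell\\open\\command"


def split_key_value(key_value: str):
    """'HKCU\\brmm::url protocol' -> ('HKCU\\brmm', 'url protocol'); '' is the default value."""
    key, _, value = key_value.rpartition("::")
    return key, value.lower()


def handler_path(command: str) -> str:
    """Return the executable path from a shell\\open\\command string, quoted or bare."""
    m = re.match(r'\s*"([^"]+)"', command)
    return m.group(1) if m else command.split(" ", 1)[0]


def find_protocol_handlers(rows):
    """Pair URL Protocol markers with their open commands; flag user-writable handler paths."""
    schemes = set()
    commands = defaultdict(list)
    for key_value, data in rows:
        key, value = split_key_value(key_value)
        if value == "url protocol":
            schemes.add(key.lower())
        elif key.lower().endswith(COMMAND_SUFFIX):
            commands[key[: -len(COMMAND_SUFFIX)].lower()].append(data)
    findings = []
    for root in sorted(schemes):
        scheme = root.rsplit("\\", 1)[-1]
        for cmd in commands.get(root, []):
            path = handler_path(cmd)
            findings.append({
                "scheme": scheme,
                "handler": path,
                "user_writable": bool(USER_WRITABLE.match(path)),
            })
    return findings


if __name__ == "__main__":
    for f in find_protocol_handlers(REPORT_ROWS):
        flag = "SUSPICIOUS" if f["user_writable"] else "ok"
        print(f"{f['scheme']}: -> {f['handler']} [{flag}]")
```

On a live host the same pairing applies to whatever enumerates `HKCU\Software\Classes` (for example the output of `reg query` fed in as rows); the value of the check is that a per-user scheme whose handler sits outside Program Files needs no elevation to install and is invoked by nothing more than a crafted link.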
Windows API Usage
This section lists Windows API calls that are used by the samples in this family. Windows API usage analysis is a valuable tool that can help identify malicious activity, such as keylogging, privilege escalation, data encryption, data exfiltration, interference with antivirus software, and network request manipulation.

| Category | API |
|---|---|
| User Data Access | |
| Anti Debug | |
| Encryption Used | |
| Syscall Use | |