PUP.GreenBug.A
Analysis Report
General information
| Family Name: | PUP.GreenBug.A |
|---|---|
| Signature status: | No Signature |
Known Samples
This section lists other file samples believed to be associated with this family.
Windows Portable Executable Attributes
- File doesn't have "Rich" header
- File doesn't have debug information
- File doesn't have exports table
- File doesn't have relocations information
- File doesn't have security information
- File has exports table
- File has TLS information
- File is 32-bit executable
- File is either console or GUI application
- File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
- File is Native application (NOT .NET application)
- File is not packed
- IMAGE_FILE_DLL is not set inside PE header (Executable)
- IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)
File Icons
This section displays icon resources found within family samples. Malware often replicates icons commonly associated with legitimate software to mislead users into believing the malware is safe.
Windows PE Version Information
This section displays values and attributes that have been set in the Windows file version information data structure for samples within this family. To mislead users, malware actors often add fake version information mimicking legitimate software.
| Name | Value |
|---|---|
| Comments | This installation was built with Inno Setup. |
| Company Name | |
| File Description | |
| File Version | |
| Legal Copyright | |
| Product Name | |
| Product Version | |
Digital Signatures
This section lists digital signatures that are attached to samples within this family. When analyzing and verifying digital signatures, it is important to confirm that the signature's root authority is a well-known and trustworthy entity and that the status of the signature is good. Malware is often signed with non-trustworthy "Self Signed" digital signatures (which can be easily created by a malware author with no verification). Malware may also be signed by legitimate signatures that have an invalid status, and by signatures from questionable root authorities with fake or misleading "Signer" names.
| Signer | Root | Status |
|---|---|---|
| State Zero | State Zero | Self Signed |
File Traits
- big overlay
- Installer Manifest
- No Version Info
- x86
Block Information
During analysis, EnigmaSoft breaks file samples into logical blocks for classification and comparison with other samples. Blocks can be used to generate malware detection rules and to group file samples into families based on shared source code, functionality and other distinguishing attributes and characteristics. This section lists a summary of this block data, as well as its classification by EnigmaSoft. A visual representation of the block data is also displayed, where available.
| Total Blocks: | 165 |
|---|---|
| Potentially Malicious Blocks: | 3 |
| Whitelisted Blocks: | 162 |
| Unknown Blocks: | 0 |
Visual Map
(Block map image not reproduced; it marks each of the 165 blocks with one of the legend symbols below.)
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block
Files Modified
This section lists files that were created, modified, moved and/or deleted by samples in this family. File system activity can provide valuable insight into how malware functions on the operating system.
| File | Attributes |
|---|---|
| c: | Read Attributes,Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\afolder\7za.exe | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\afolder\batclen.bat | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\afolder\nsudolc.exe | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\i6.bat | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\i6.f | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\i6.t | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\is-oj3r6.tmp\_isetup\_setup64.tmp | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\is-vbj5e.tmp\18bdeca7c104a415efbf407b364b5dd70515a896_0002022952.tmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\is64.bat | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\is64.fil | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\is64.txt | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\wtmpd\t23284.bat | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\wtmpd\t23284.exe | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\ytmp\t15006ers\user\downloads\.bat | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\ytmp\t15006ers\user\downloads\.exe | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\ytmp\t15214ers\user\downloads\.bat | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\ytmp\t15214ers\user\downloads\.exe | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\ytmp\t20707ers\user\downloads\.bat | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\ytmp\t20707ers\user\downloads\.exe | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\ytmp\t30209ers\user\downloads\.bat | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\ytmp\t30209ers\user\downloads\.exe | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\ytmp\t8171sers\user\downloads\.bat | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\ytmp\t8171sers\user\downloads\.exe | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\ytmp\t8607sers\user\downloads\.bat | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\ytmp\t8607sers\user\downloads\.exe | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\ytmp\t9915sers\user\downloads\.bat | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\ytmp\t9915sers\user\downloads\.exe | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\ztmp\t21954ers\user\downloads\.bat | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\ztmp\t21954ers\user\downloads\.exe | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\ztmp\t5175.bat | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\ztmp\t5175.exe | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\ztmp\t9775.bat | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\ztmp\t9775.exe | Generic Write,Read Attributes |
Registry Modifications
This section lists registry keys and values that were created, modified and/or deleted by samples in this family. Windows Registry activity can provide valuable insight into malware functionality. Additionally, malware often creates registry values to allow itself to automatically start and indefinitely persist after an initial infection has compromised the system.
| Key::Value | Data | API Name |
|---|---|---|
| HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass | | RegNtPreCreateKey |
| HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname | | RegNtPreCreateKey |
| HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet | | RegNtPreCreateKey |
| HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect | | RegNtPreCreateKey |
| HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass | | RegNtPreCreateKey |
| HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname | | RegNtPreCreateKey |
| HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet | | RegNtPreCreateKey |
| HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect | | RegNtPreCreateKey |
| HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe | | RegNtPreCreateKey |
| HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475 | | RegNtPreCreateKey |
| HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe | | RegNtPreCreateKey |
| HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475 | (binary data) | RegNtPreCreateKey |
| HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75 | | RegNtPreCreateKey |
| HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe | (binary data) | RegNtPreCreateKey |
| HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475 | | RegNtPreCreateKey |
| HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe | | RegNtPreCreateKey |
| HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475 | | RegNtPreCreateKey |
| HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe | (binary data) | RegNtPreCreateKey |
| HKCU\local settings\muicache\1b\52c64b7e::@c:\windows\system32\ndfapi.dll,-40001 | Windows Network Diagnostics | RegNtPreCreateKey |
| HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe | (binary data) | RegNtPreCreateKey |
| HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75 | | RegNtPreCreateKey |
| HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475 | | RegNtPreCreateKey |
| HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75 | | RegNtPreCreateKey |
Windows API Usage
This section lists Windows API calls that are used by the samples in this family. Windows API usage analysis is a valuable tool that can help identify malicious activity, such as keylogging, security privilege escalation, data encryption, data exfiltration, interference with antivirus software, and network request manipulation.
| Category | API |
|---|---|
| Process Shell Execute | |
| Syscall Use | |
| Anti Debug | |
| User Data Access | |
| Process Terminate | |
| Process Manipulation Evasion | |
| Keyboard Access | |
63 additional items are not displayed above.
Shell Command Execution
This section lists Windows shell commands that are run by the samples in this family. Windows Shell commands are often leveraged by malware for nefarious purposes and can be used to elevate security privileges, download and launch other malware, exploit vulnerabilities, collect and exfiltrate data, and hide malicious activity.
- open C:\Users\Orrmfweh\AppData\Local\Temp\ztmp\t5175.bat "c:\users\user\downloads\46688ebe7b2b3e911e2862c7c334367e4f6b98e2_0000078062.exe"
- WriteConsole: 'IsAdmin' is not
- WriteConsole: The system canno
- open C:\Users\Fdiiqgls\AppData\Local\Temp\ztmp\t9775.bat "c:\users\user\downloads\06b3059ec9934523576c1b436f12d3cb1be3ecd0_0000070165.exe"
- C:\WINDOWS\system32\fsutil.exe fsutil dirty query C:
- \sega_rally_2\HELP\start.htm \sega_rally_2\HELP\start.htm
- open C:\Users\Qcjrczul\AppData\Local\Temp\is64.bat
- open C:\Users\Mdxpkfyq\AppData\Local\Temp\is64.bat
- open C:\Users\Droruckk\AppData\Local\Temp\i6.bat
- "C:\Users\Ctqyaxtr\AppData\Local\Temp\is-VBJ5E.tmp\18bdeca7c104a415efbf407b364b5dd70515a896_0002022952.tmp" /SL5="$40382,1164460,980992,c:\users\user\downloads\18bdeca7c104a415efbf407b364b5dd70515a896_0002022952"
- open C:\Users\Fyoqnqvy\AppData\Local\Temp\is64.bat