PUP.Keygen.Agent.A
Analysis Report
General information
| Family Name: | PUP.Keygen.Agent.A |
|---|---|
| Signature status: | No Signature |
Known Samples
This section lists other file samples believed to be associated with this family.
| MD5 | SHA1 | SHA256 | File Size |
|---|---|---|---|
| 386278c667119a085a054443bc0ac92e | a1a4010b4dc063c740b754661d645b7f8cc4ced3 | B8578A9CDE82AC6B29F2177D4C417CDB30F9F4A014B0D3BB628522A2A40D3385 | 739.33 KB, 739328 bytes |
| 2c1433c2ffe11dee51e7cc5ffe669e90 | 1eb0cd3a465489d3761fabcb82a3e65b59e05ca0 | E58DA5236CAD32B4308D06D1A2362DE1B4E015B88004DB5D6893E9C8AA5A00C5 | 7.57 MB, 7574580 bytes |
| ec10781a9875cb35d4b132d3b8b31bb5 | 4746701bf8774d62a1cccebb9767b312dc17c318 | 3181D71CB62E25D8FCC20E5DA7641E170F9B2B4C2D20EF96E76C3FD74ABD9664 | 236.03 KB, 236032 bytes |
| c77d03605afc378f96b9593e8b8b4bdd | 4f78864a6f06bd7f1425372d1d18b2c19be8d57d | 669C44BD8EEA14118F51152137F21A5C20A5FE6B00689CE12F44106BFCDC7438 | 316.42 KB, 316416 bytes |
| 0c5796e00b978df4316eebe99a2b166d | 371a847b87cbdb3d89ee28652b47967ecc75faa2 | BED0433362A47E2FB300A8EE3E233FB8C3B6A5C1C73ADC6CCD3796934A249955 | 269.31 KB, 269312 bytes |
| 77645e7aa7293fe308d1e72d183e7a2e | e9a15f30112ecbd9f12dcd7503c1cdafa24390a3 | 05D378EF634358F70B58CB0F3871EC1868B4BC8923F4D0C37F7450498D5B9DAB | 992.26 KB, 992256 bytes |
| 382ee9572b6dd427de9ed92a8958ed66 | 669494296b1c046a6cdcb0c64ad801464a07485b | 33C0FEACC8B9B514EA0D6356D23E492353C85DE04C0D4C0D54F57B130A946CF1 | 7.30 MB, 7304737 bytes |
| e919e8f66d96c43efdca0981fe8932f8 | e69dd6d3b1c59f9655d309baad4a8541bfa35bf3 | EECDE9FA13A4AE64F1925CE1944A7178E6B29DF99133814B8E41BB97F5749D4B | 152.58 KB, 152576 bytes |
| 9813a5c6ee69205efed12e30478bd8ff | ad5a0c5755acb2074d4a2ba0522f9de143a7575d | 4FF3C0F5724E21ED7A7F1C0564CA2C9B8B229A8D41DF651F8B1F6A1754B36AB1 | 3.71 MB, 3706946 bytes |
| cc7819f7919e547234c0f9771d5cd1a2 | 20f9430a358470ee7879094ad682bd7aecf7ac35 | 21F3E63ACD3C4BB84591C8A342AA5D60908B9F96E72587EB3110E577B33238F7 | 706.56 KB, 706560 bytes |
| 95e317fd4c153bbe3cc7e9e3894d8b43 | bf5563053bf32b6fcc02993f614f361ef1597e6b | 35BE05C6AA7185F9C392D89C4AFB757A45CFD17A4C96C940B9AA9264B75127FD | 992.26 KB, 992256 bytes |
| 83c4a6b794a70a3ec4026a69899a12cc | daed3d92903f04e90093fdb066192c741cc86171 | E4A4A050C89FE4F4411174523563EA1BB2D0291E4E4C4A79E5D4584C2B7D7E9B | 1.05 MB, 1050112 bytes |
Windows Portable Executable Attributes
- File doesn't have "Rich" header
- File doesn't have debug information
- File doesn't have exports table
- File doesn't have relocations information
- File doesn't have security information
- File has been packed
- File has TLS information
- File is 32-bit executable
- File is either console or GUI application
- File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
- File is Native application (NOT .NET application)
- File is not packed
- IMAGE_FILE_DLL is not set inside PE header (Executable)
- IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)
File Icons
This section displays icon resources found within family samples. Malware often replicates icons commonly associated with legitimate software to mislead users into believing the malware is safe.

Windows PE Version Information
This section displays values and attributes that have been set in the Windows file version information data structure for samples within this family. To mislead users, malware actors often add fake version information mimicking legitimate software.

| Name | Value |
|---|---|
| Alcohol Activator | v1.3 |
| Comments | |
| Company Name | |
| File Description | |
| File Version | |
| Legal Copyright | Copyright © 1999-2007 Sokaris Paweł Łuczak |
| Product Name | The.Walking.Dead.A.New.Frontier.Episode.4.REPACK-KaOs |
| Product Version | |
File Traits
- 00 section
- 2+ executable sections
- dll
- HighEntropy
- x86
Block Information
During analysis, EnigmaSoft breaks file samples into logical blocks for classification and comparison with other samples. Blocks can be used to generate malware detection rules and to group file samples into families based on shared source code, functionality and other distinguishing attributes and characteristics. This section lists a summary of this block data, as well as its classification by EnigmaSoft. A visual representation of the block data is also displayed, where available.

| Total Blocks: | 871 |
|---|---|
| Potentially Malicious Blocks: | 185 |
| Whitelisted Blocks: | 685 |
| Unknown Blocks: | 1 |
Visual Map
[Visual block map: the per-block image grid is not reproduced in text. Legend below.]
- 0 - Probable Safe Block
- ? - Unknown Block
- x - Potentially Malicious Block
Similar Families
This section lists other families that share similarities with this family, based on EnigmaSoft's analysis. Many malware families are created from the same malware toolkits and use the same packing and encryption techniques but uniquely extend functionality. Similar families may also share source code, attributes, icons, subcomponents, compromised and/or invalid digital signatures, and network characteristics. Researchers leverage these similarities to rapidly and effectively triage file samples and extend malware detection rules.

- BadJoke.XA
- Banker.GF
- Injector.KPP
- Lamer.B
- Malat.A
- QHost.XG
- Trojan.Agent.Gen.AKH
Files Modified
This section lists files that were created, modified, moved and/or deleted by samples in this family. File system activity can provide valuable insight into how malware functions on the operating system.

| File | Attributes |
|---|---|
| c:\users\user\appdata\local\temp\11336545\bassmod.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\11336545\dos_font.fon | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\11336545\exit_normal.jpg | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\11336545\exitskin.ini | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\11336545\flc_doit.xm | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\11336545\generell.ini | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\11336545\install_normal.jpg | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\11336545\instskin.ini | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\11336545\linezer0_fixed.x | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\11336545\lz0.nfo | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\11336545\main_mask.bmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\11336545\main_normal.jpg | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\11336545\main_over.jpg | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\11336545\mainskin.ini | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\11336545\nfo_mask.bmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\11336545\nfo_normal.jpg | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\11336545\nfo_over.jpg | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\11336545\nfoskin.ini | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\11336545\unrar.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\11336545\unzdll.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\fhbgrkcittbyvgqsomeu.dll | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\fttgxskqcc.dll | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\gqlrjgnnpspbtazwvskc.dll | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\is-p0854.tmp\ad5a0c5755acb2074d4a2ba0522f9de143a7575d_0003706946.tmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\is-v4t6o.tmp | Write Attributes |
| c:\users\user\appdata\local\temp\is-v4t6o.tmp\01.bmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\is-v4t6o.tmp\02.bmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\is-v4t6o.tmp\03.bmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\is-v4t6o.tmp\04.bmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\is-v4t6o.tmp\05.bmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\is-v4t6o.tmp\06.bmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\is-v4t6o.tmp\07.bmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\is-v4t6o.tmp\08.bmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\is-v4t6o.tmp\_isetup\_setup64.tmp | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\is-v4t6o.tmp\_isetup\_shfoldr.dll | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\is-v4t6o.tmp\bass.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\is-v4t6o.tmp\callbackctrl.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\is-v4t6o.tmp\isdone.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\juatafjnczwgrmnnuoqs.dll | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\mlxhgguhopqqxoasuswc.dll | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\ockmtehlhltuelnmqihx.dll | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\prxruveaddxrqkpgupao.dll | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\rrzfviqwpj.dll | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\sae6357.tmp | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\test.dat | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\uvtsmadomdlskyyecpip.dll | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\vbjxchmqorcxidyezyuc.dll | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\xndiwwyohw.dll | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\ywbpbxkcwd.dll | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\~fs560.tmp | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\~fs561.tmp | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\~fs5610.tmp | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\~fs5611.tmp | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\~fs5612.tmp | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\~fs5613.tmp | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\~fs5614.tmp | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\~fs5615.tmp | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\~fs5616.tmp | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\~fs5617.tmp | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\~fs5618.tmp | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\~fs5619.tmp | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\~fs562.tmp | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\~fs5620.tmp | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\~fs563.tmp | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\~fs564.tmp | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\~fs565.tmp | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\~fs566.tmp | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\~fs567.tmp | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\~fs568.tmp | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\~fs569.tmp | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\downloads\csrv.exe | Generic Write,Read Attributes |
| c:\users\user\downloads\temp\shsandbox-win32.dll-5.22.1.9999-x86.dmp | Generic Read,Write Data,Write Attributes,Write extended,Append data |
Registry Modifications
This section lists registry keys and values that were created, modified and/or deleted by samples in this family. Windows Registry activity can provide valuable insight into malware functionality. Additionally, malware often creates registry values to allow itself to automatically start and indefinitely persist after an initial infection has compromised the system.

| Key::Value | Data | API Name |
|---|---|---|
| HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe | | RegNtPreCreateKey |
| HKLM\software\wow6432node\microsoft\directdraw\mostrecentapplication::name | 20f9430a358470ee7879094ad682bd7aecf7ac35_0000706560 | RegNtPreCreateKey |
| HKLM\software\wow6432node\microsoft\directdraw\mostrecentapplication::id | 帙⩂ | RegNtPreCreateKey |
| HKLM\software\wow6432node\microsoft\direct3d\mostrecentapplication::name | 20f9430a358470ee7879094ad682bd7aecf7ac35_0000706560 | RegNtPreCreateKey |
Windows API Usage
This section lists Windows API calls that are used by the samples in this family. Windows API usage analysis is a valuable tool that can help identify malicious activity, such as keylogging, security privilege escalation, data encryption, data exfiltration, interference with antivirus software, and network request manipulation.

| Category | API |
|---|---|
| Process Manipulation Evasion | |
| Anti Debug | |
| User Data Access | |
| Process Shell Execute | |
| Keyboard Access | |
| Syscall Use | |
| Process Terminate | |
Shell Command Execution
This section lists Windows shell commands that are run by the samples in this family. Windows Shell commands are often leveraged by malware for nefarious purposes and can be used to elevate security privileges, download and launch other malware, exploit vulnerabilities, collect and exfiltrate data, and hide malicious activity.

- `"C:\Users\Tkswclai\AppData\Local\Temp\is-P0854.tmp\ad5a0c5755acb2074d4a2ba0522f9de143a7575d_0003706946.tmp" /SL5="$80244,3257056,55296,c:\users\user\downloads\ad5a0c5755acb2074d4a2ba0522f9de143a7575d_0003706946"`
- `"C:\WINDOWS\system32\attrib.exe" +s +h C:\Users\Tkswclai\AppData\Local\Temp\is-V4T6O.tmp`
- `cSrv.exe`