PUP.Loader.G
Analysis Report
General information
| Family Name: | PUP.Loader.G |
|---|---|
| Signature status: | No Signature |
Known Samples
This section lists other file samples believed to be associated with this family.
Windows Portable Executable Attributes
- File doesn't have "Rich" header
- File doesn't have debug information
- File doesn't have relocations information
- File doesn't have security information
- File has been packed
- File has exports table
- File has TLS information
- File is 64-bit executable
- File is either console or GUI application
- File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
- File is Native application (NOT .NET application)
- File is not packed
- IMAGE_FILE_DLL is not set inside PE header (Executable)
- IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)
File Icons
This section displays icon resources found within family samples. Malware often replicates icons commonly associated with legitimate software to mislead users into believing the malware is safe.
File Traits
- No Version Info
- ntdll
- packed
- WriteProcessMemory
- x64
Block Information
During analysis, EnigmaSoft breaks file samples into logical blocks for classification and comparison with other samples. Blocks can be used to generate malware detection rules and to group file samples into families based on shared source code, functionality and other distinguishing attributes and characteristics. This section lists a summary of this block data, as well as its classification by EnigmaSoft. A visual representation of the block data is also displayed, where available.
| Total Blocks: | 355 |
|---|---|
| Potentially Malicious Blocks: | 55 |
| Whitelisted Blocks: | 300 |
| Unknown Blocks: | 0 |
Visual Map
(Visual block map not reproduced; each block is shown with one of the markers in the legend below.)
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block
Similar Families
This section lists other families that share similarities with this family, based on EnigmaSoft's analysis. Many malware families are created from the same malware toolkits and use the same packing and encryption techniques but uniquely extend functionality. Similar families may also share source code, attributes, icons, subcomponents, compromised and/or invalid digital signatures, and network characteristics. Researchers leverage these similarities to rapidly and effectively triage file samples and extend malware detection rules.
- Loader.G
Registry Modifications
This section lists registry keys and values that were created, modified and/or deleted by samples in this family. Windows Registry activity can provide valuable insight into malware functionality. Additionally, malware often creates registry values to allow itself to automatically start and indefinitely persist after an initial infection has compromised the system.
| Key::Value | Data | API Name |
|---|---|---|
| HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75 | | RegNtPreCreateKey |
Windows API Usage
This section lists Windows API calls that are used by the samples in this family. Windows API usage analysis is a valuable tool that can help identify malicious activity, such as keylogging, security privilege escalation, data encryption, data exfiltration, interference with antivirus software, and network request manipulation.
| Category | API |
|---|---|
| Syscall Use | |
| User Data Access | |
| Anti Debug | |