PUP.MSIL.Brute.HO

Analysis Report

General information

Family Name: PUP.MSIL.Brute.HO
Signature status: No Signature

Known Samples


Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File doesn't have relocations information
  • File doesn't have security information
  • File is 32-bit executable
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Icons

File Traits

  • big overlay
  • Installer Manifest
  • No Version Info
  • x86

Block Information

Total Blocks: 163
Potentially Malicious Blocks: 3
Whitelisted Blocks: 160
Unknown Blocks: 0

Visual Map

0 x x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Files Modified

File Attributes
c:\users\user\appdata\local\temp\afolder\7za.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\afolder\batclen.bat Generic Write,Read Attributes
c:\users\user\appdata\local\temp\afolder\idman.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\afolder\nsudolc.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\i6.bat Generic Write,Read Attributes
c:\users\user\appdata\local\temp\i6.f Generic Write,Read Attributes
c:\users\user\appdata\local\temp\i6.t Generic Write,Read Attributes
c:\users\user\appdata\local\temp\wtmpd\t14198.bat Generic Write,Read Attributes
c:\users\user\appdata\local\temp\wtmpd\t14198.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\wtmpd\t16769.bat Generic Write,Read Attributes
c:\users\user\appdata\local\temp\wtmpd\t16769.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\wtmpd\t17797.bat Generic Write,Read Attributes
c:\users\user\appdata\local\temp\wtmpd\t17797.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\wtmpd\t22824.bat Generic Write,Read Attributes
c:\users\user\appdata\local\temp\wtmpd\t22824.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\wtmpd\t25377.bat Generic Write,Read Attributes
c:\users\user\appdata\local\temp\wtmpd\t25377.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\wtmpd\t25632.bat Generic Write,Read Attributes
c:\users\user\appdata\local\temp\wtmpd\t25681.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\wtmpd\t26491.bat Generic Write,Read Attributes
c:\users\user\appdata\local\temp\wtmpd\t26491.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\wtmpd\t56865.bat Generic Write,Read Attributes
c:\users\user\appdata\local\temp\wtmpd\t56865.exe Generic Write,Read Attributes

Registry Modifications

Key::Value Data API Name
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe (non-printable binary value data; written 8 times) RegNtPreCreateKey

Windows API Usage

Category API
Process Manipulation Evasion
  • NtUnmapViewOfSection
Process Shell Execute
  • ShellExecuteEx
Syscall Use
  • ntdll.dll!NtAccessCheck
  • ntdll.dll!NtAlertThreadByThreadId
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtApphelpCacheControl
  • ntdll.dll!NtClearEvent
  • ntdll.dll!NtClose
  • ntdll.dll!NtConnectPort
  • ntdll.dll!NtCreateEvent
  • ntdll.dll!NtCreateFile
  • ntdll.dll!NtCreateMutant
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtCreateSemaphore
  • ntdll.dll!NtDuplicateObject
  • ntdll.dll!NtDuplicateToken
  • ntdll.dll!NtEnumerateValueKey
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenKeyEx
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtOpenProcessTokenEx
  • ntdll.dll!NtOpenSection
  • ntdll.dll!NtOpenSemaphore
  • ntdll.dll!NtOpenThreadTokenEx
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQueryKey
  • ntdll.dll!NtQueryPerformanceCounter
  • ntdll.dll!NtQuerySecurityAttributesToken
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtQueryWnfStateData
  • ntdll.dll!NtReleaseMutant
  • ntdll.dll!NtReleaseSemaphore
  • ntdll.dll!NtReleaseWorkerFactoryWorker
  • ntdll.dll!NtRequestWaitReplyPort
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationProcess
  • ntdll.dll!NtSetInformationVirtualMemory
  • ntdll.dll!NtSetInformationWorkerFactory
  • ntdll.dll!NtSubscribeWnfStateChange
  • ntdll.dll!NtTestAlert
  • ntdll.dll!NtTraceControl
  • ntdll.dll!NtUnmapViewOfSection
  • ntdll.dll!NtUnmapViewOfSectionEx
  • ntdll.dll!NtWaitForAlertByThreadId
  • ntdll.dll!NtWaitForSingleObject
  • ntdll.dll!NtWaitForWorkViaWorkerFactory
  • ntdll.dll!NtWaitLowEventPair
  • ntdll.dll!NtWorkerFactoryWorkerReady
  • ntdll.dll!NtWriteFile
  • UNKNOWN
Anti Debug
  • IsDebuggerPresent
User Data Access
  • GetUserObjectInformation
Process Terminate
  • TerminateProcess

Shell Command Execution

open C:\Users\Juztupxm\AppData\Local\Temp\i6.bat
open C:\Users\Ztrjfseb\AppData\Local\Temp\i6.bat
open C:\Users\Invbcjhi\AppData\Local\Temp\i6.bat
open C:\Users\Obuahvoq\AppData\Local\Temp\i6.bat
open C:\Users\Atgpmrgr\AppData\Local\Temp\i6.bat
open C:\Users\Ivstnfjq\AppData\Local\Temp\i6.bat
open C:\Users\Vaqqscke\AppData\Local\Temp\i6.bat
open C:\Users\Sqcmiiii\AppData\Local\Temp\i6.bat
