PUP.PCHDPlay
Analysis Report
General information
| Family Name: | PUP.PCHDPlay |
|---|---|
| Signature status: | Self Signed |
Known Samples
This section lists other file samples believed to be associated with this family.
Windows Portable Executable Attributes
- File doesn't have "Rich" header
- File doesn't have debug information
- File doesn't have exports table
- File doesn't have relocations information
- File doesn't have security information
- File has been packed
- File is .NET application
- File is 32-bit executable
- File is either console or GUI application
- File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
- File is Native application (NOT .NET application)
- File is not packed
- IMAGE_FILE_DLL is not set inside PE header (Executable)
- IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)
File Icons
This section displays icon resources found within family samples. Malware often replicates icons commonly associated with legitimate software to mislead users into believing the malware is safe.
Windows PE Version Information
This section displays values and attributes that have been set in the Windows file version information data structure for samples within this family. To mislead users, malware actors often add fake version information mimicking legitimate software.
| Name | Value |
|---|---|
| Assembly Version | |
| Company Name | |
| File Description | |
| File Version | |
| Internal Name | |
| Legal Copyright | |
| Original Filename | |
| Product Name | |
| Product Version | |
Digital Signatures
This section lists digital signatures that are attached to samples within this family. When analyzing and verifying digital signatures, it is important to confirm that the signature’s root authority is a well-known and trustworthy entity and that the status of the signature is good. Malware is often signed with non-trustworthy “Self Signed” digital signatures (which can be easily created by a malware author with no verification). Malware may also be signed by legitimate signatures that have an invalid status, and by signatures from questionable root authorities with fake or misleading “Signer” names.
| Signer | Root | Status |
|---|---|---|
| DATEV eG 02 2 | DATEV eG 02 2 | Self Signed |
| DATEV eG 09 1 | DATEV eG 09 1 | Self Signed |
| DATEV eG 09 2 | DATEV eG 09 2 | Self Signed |
| DATEV eG 09 3 | DATEV eG 09 3 | Self Signed |
File Traits
- .NET
- HighEntropy
- packed
- WriteProcessMemory
- x86
Block Information
During analysis, EnigmaSoft breaks file samples into logical blocks for classification and comparison with other samples. Blocks can be used to generate malware detection rules and to group file samples into families based on shared source code, functionality and other distinguishing attributes and characteristics. This section lists a summary of this block data, as well as its classification by EnigmaSoft. A visual representation of the block data is also displayed, where available.
| Total Blocks: | 226 |
|---|---|
| Potentially Malicious Blocks: | 1 |
| Whitelisted Blocks: | 110 |
| Unknown Blocks: | 115 |
Visual Map
(Block map not reproduced here: a grid of 226 markers, one per block, drawn with the legend below.)
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block
Windows API Usage
This section lists Windows API calls that are used by the samples in this family. Windows API usage analysis is a valuable tool that can help identify malicious activity, such as keylogging, security privilege escalation, data encryption, data exfiltration, interference with antivirus software, and network request manipulation.
| Category | API |
|---|---|
| User Data Access | |
| Anti Debug | |
| Encryption Used | |
| Syscall Use | |
| Keyboard Access | |