PUP.UniDL
Analysis Report
General information
| Family Name: | PUP.UniDL |
|---|---|
| Signature status: | No Signature |
Known Samples
This section lists other file samples believed to be associated with this family.

| MD5 | SHA1 | SHA256 | File Size |
|---|---|---|---|
| 585cd3eef3480c262fdbd2e632ade8db | 8f9a20253c4c6a48668b3a6a909f258b372a0c36 | (not listed) | 2.10 MB, 2103684 bytes |
| c0d8659c1a9402c50e602c9e42e9d168 | 68a3f4ecfbfd4eb3500b3c6e05027e1fde76226a | 9F1B2224948E26DD6AAE0603327EA788253EC02C207B4ED521280885D855C655 | 2.21 MB, 2205599 bytes |
| be58b71d2f29fbd282a5a7b4cc4373c3 | 1b4c22cb7cdba8b531fd62c76c0b2893e2146630 | 8248DB5E80A0B2EDDBAEDABF781196282DC90AC459ED3981C79F438BDCFFC055 | 2.14 MB, 2137547 bytes |
| 5af890ee0a599edd9ca3f633edc699d3 | 2c3e738c2666d3828bd6b8160eca1f9f3e4e1e12 | 0264AE3CC90EC8FAA56A5153B7801F9E5F86E2EABDCC5568F64FB68633043888 | 1.96 MB, 1957006 bytes |
| 0b460fc44273a535ec823f1f613e5c6c | 1caba232f66d1ea0f39867952fdd713c239ec89c | D9EAA4EB78CE4567DBBCC31AD9C950377DA0112CC2FA40E8BC15FBA85A714763 | 1.90 MB, 1896568 bytes |
| c607a4e212f02ef70ca4b287a9d9da43 | 98d886bb5752ee52f42015ff20cbecf1b3bff98b | A4D137E7191F761640B7E2CF1DE23B557719F7B29E20B8F73D575B9CF45CD4A5 | 6.06 MB, 6064812 bytes |
| b10601dbdf62923031a9adac864bca5d | 56cabd671ef85ee642df7368714da18551eb6e10 | CD339F8FAA868A027846A2A57CAA79B282B69556FACEF64A2715831FAEF4928A | 2.41 MB, 2414423 bytes |
| 061c29e194653c8e0dcf5ac7fcf50f7a | 96777095054b6b067c74e46320bfdd9db8cc1896 | 6410199F7C4DC4022501508E77AD9ED3AEC6E2423F03122ABCA6426489344ABC | 2.01 MB, 2010538 bytes |
| f0471b3ec752fbbe2f442df775bc17ca | 8a3f56fe159c9513b63d2358510a6612519123dd | 7EA5DCFA15991822F08AD23FA68AF47B60EA86C78986340FB99EDEED4B3E283C | 1.86 MB, 1855020 bytes |
| d7fde511fc4ff4359106020426d90653 | 64bd6b1bf237a6f18fe410fee0fec24ce0c2db34 | 672A0C7EDD66D11208FD23FD48FFEA87CF888966B4EFE7C1FC0467BD92663F6A | 2.33 MB, 2329853 bytes |
Windows Portable Executable Attributes
- File doesn't have "Rich" header
- File doesn't have debug information
- File doesn't have relocations information
- File doesn't have security information
- File has exports table
- File has TLS information
- File is 32-bit executable
- File is either console or GUI application
- File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
- File is Native application (NOT .NET application)
- File is not packed
- IMAGE_FILE_DLL is not set inside PE header (Executable)
- IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)
File Icons
This section displays icon resources found within family samples. Malware often replicates icons commonly associated with legitimate software to mislead users into believing the malware is safe.

Windows PE Version Information
This section displays values and attributes that have been set in the Windows file version information data structure for samples within this family. To mislead users, malware actors often add fake version information mimicking legitimate software.

| Name | Value |
|---|---|
| Comments | This installation was built with Inno Setup. |
| Company Name | |
| File Description | |
| File Version | 1.0.0.0 |
| Legal Copyright | Copyright |
| Product Name | |
| Product Version | |
Block Information
During analysis, EnigmaSoft breaks file samples into logical blocks for classification and comparison with other samples. Blocks can be used to generate malware detection rules and to group file samples into families based on shared source code, functionality and other distinguishing attributes and characteristics. This section lists a summary of this block data, as well as its classification by EnigmaSoft. A visual representation of the block data is also displayed, where available.

| Total Blocks: | 2,300 |
|---|---|
| Potentially Malicious Blocks: | 0 |
| Whitelisted Blocks: | 2,300 |
| Unknown Blocks: | 0 |
Visual Map
[Visual map not reproduced: the source renders one classification symbol per block, and the data is truncated in the source.]

Legend:
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block
Similar Families
This section lists other families that share similarities with this family, based on EnigmaSoft's analysis. Many malware families are created from the same malware toolkits and use the same packing and encryption techniques but uniquely extend functionality. Similar families may also share source code, attributes, icons, subcomponents, compromised and/or invalid digital signatures, and network characteristics. Researchers leverage these similarities to rapidly and effectively triage file samples and extend malware detection rules.

- Farfli.BZ
- Gamehack.QAB
- Kryptik.BBL
- Remcos.AM
Files Modified
This section lists files that were created, modified, moved and/or deleted by samples in this family. File system activity can provide valuable insight into how malware functions on the operating system.

| File | Attributes |
|---|---|
| c:\users\user\appdata\local\temp\is-40v5e.tmp\8a3f56fe159c9513b63d2358510a6612519123dd_0001855020.tmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\is-69c6v.tmp\1b4c22cb7cdba8b531fd62c76c0b2893e2146630_0002137547.tmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\is-906s3.tmp\96777095054b6b067c74e46320bfdd9db8cc1896_0002010538.tmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\is-j1cu1.tmp\8f9a20253c4c6a48668b3a6a909f258b372a0c36_0002103684.tmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\is-nq069.tmp\2c3e738c2666d3828bd6b8160eca1f9f3e4e1e12_0001957006.tmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\is-qcpo1.tmp\98d886bb5752ee52f42015ff20cbecf1b3bff98b_0006064812.tmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\is-rg6a8.tmp\1caba232f66d1ea0f39867952fdd713c239ec89c_0001896568.tmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\is-ubull.tmp\64bd6b1bf237a6f18fe410fee0fec24ce0c2db34_0002329853.tmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\is-useam.tmp\56cabd671ef85ee642df7368714da18551eb6e10_0002414423.tmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\is-vvqd5.tmp\68a3f4ecfbfd4eb3500b3c6e05027e1fde76226a_0002205599.tmp | Generic Write,Read Attributes |
Windows API Usage
This section lists Windows API calls that are used by the samples in this family. Windows API usage analysis is a valuable tool that can help identify malicious activity, such as keylogging, security privilege escalation, data encryption, data exfiltration, interference with antivirus software, and network request manipulation.

| Category | API |
|---|---|
| Process Shell Execute | |
| User Data Access | |
| Process Manipulation Evasion | |
Shell Command Execution
This section lists Windows shell commands that are run by the samples in this family. Windows Shell commands are often leveraged by malware for nefarious purposes and can be used to elevate security privileges, download and launch other malware, exploit vulnerabilities, collect and exfiltrate data, and hide malicious activity.

- `"C:\Users\Kmptfqsk\AppData\Local\Temp\is-J1CU1.tmp\8f9a20253c4c6a48668b3a6a909f258b372a0c36_0002103684.tmp" /SL5="$20238,1047040,0,c:\users\user\downloads\8f9a20253c4c6a48668b3a6a909f258b372a0c36_0002103684.exe"`
- `"C:\Users\Cpsnawua\AppData\Local\Temp\is-VVQD5.tmp\68a3f4ecfbfd4eb3500b3c6e05027e1fde76226a_0002205599.tmp" /SL5="$40224,876032,0,c:\users\user\downloads\68a3f4ecfbfd4eb3500b3c6e05027e1fde76226a_0002205599"`
- `"C:\Users\Kulragln\AppData\Local\Temp\is-69C6V.tmp\1b4c22cb7cdba8b531fd62c76c0b2893e2146630_0002137547.tmp" /SL5="$70044,1046016,0,c:\users\user\downloads\1b4c22cb7cdba8b531fd62c76c0b2893e2146630_0002137547"`
- `"C:\Users\Chegvwzr\AppData\Local\Temp\is-NQ069.tmp\2c3e738c2666d3828bd6b8160eca1f9f3e4e1e12_0001957006.tmp" /SL5="$90366,904704,0,c:\users\user\downloads\2c3e738c2666d3828bd6b8160eca1f9f3e4e1e12_0001957006"`
- `"C:\Users\Nzybypjb\AppData\Local\Temp\is-QCPO1.tmp\98d886bb5752ee52f42015ff20cbecf1b3bff98b_0006064812.tmp" /SL5="$11052A,5302744,721408,c:\users\user\downloads\98d886bb5752ee52f42015ff20cbecf1b3bff98b_0006064812"`
- `"C:\Users\Bdzbdnse\AppData\Local\Temp\is-USEAM.tmp\56cabd671ef85ee642df7368714da18551eb6e10_0002414423.tmp" /SL5="$60276,1046016,0,c:\users\user\downloads\56cabd671ef85ee642df7368714da18551eb6e10_0002414423"`
- `"C:\Users\Dtrjjnfl\AppData\Local\Temp\is-906S3.tmp\96777095054b6b067c74e46320bfdd9db8cc1896_0002010538.tmp" /SL5="$5033E,945664,0,c:\users\user\downloads\96777095054b6b067c74e46320bfdd9db8cc1896_0002010538"`
- `"C:\Users\Ukfazixt\AppData\Local\Temp\is-40V5E.tmp\8a3f56fe159c9513b63d2358510a6612519123dd_0001855020.tmp" /SL5="$5027C,864768,0,c:\users\user\downloads\8a3f56fe159c9513b63d2358510a6612519123dd_0001855020"`
- `"C:\Users\Vqijhpci\AppData\Local\Temp\is-UBULL.tmp\64bd6b1bf237a6f18fe410fee0fec24ce0c2db34_0002329853.tmp" /SL5="$30366,1339392,0,c:\users\user\downloads\64bd6b1bf237a6f18fe410fee0fec24ce0c2db34_0002329853"`