PUP.WinVNC
Analysis Report
General information
| Family Name: | PUP.WinVNC |
|---|---|
| Packers: | UPX |
| Signature status: | No Signature |
Known Samples
This section lists other file samples believed to be associated with this family.
| MD5 | SHA1 | SHA256 | File Size |
|---|---|---|---|
| 6b657a50ad20cc70ca97e43bb4ea6c88 | db3f350b3a730c119f6a95586d9375571d2414de | | 1.25 MB, 1250304 bytes |
| a4b077245c32e797cb91d9c83687822a | 8328f57be487ccf97bb1b140624208b4737efd76 | 95138901D6C2CE6EC846AD7D21F4550C638A5C3DB32DE15C24A1BA4B5BB4CBD5 | 954.88 KB, 954880 bytes |
| 5487bdab899600f3aa198e7386f01db4 | 3a2d525ac82966a05d7c93a6efd9f2fc92e83022 | 137B86FE133DB39EC3CF52526934120E034E0DE309BB5362111FE4C05B4E2B45 | 1.02 MB, 1021760 bytes |
| 672c2573e78c4a6b799571330383f040 | 2f5b6bd208fcab226a09fe2689066b040827bf82 | 5C747B0C9A108873A834E09C28D2147B3B03F5B8D1E8884C51DF29E82C46CFE9 | 690.70 KB, 690695 bytes |
| 010aaf0f2b5000b6a19362cc32931f2a | 42fc61d16e3e22e108a362c4d40940ff0ce82403 | FFAA91AA70F6AEF9746357953D46BB35A2105C2FBB4CB064EB6609870B882F21 | 1.93 MB, 1933586 bytes |
| 71fd09a269a468c77e3619b91bad7795 | 70dc65f31f87624e84d2c8eea31fc10d730a1ba5 | E34E55726EBE0D438E0ABEC108A80E8C99E0C3A0C6B3C5B20B8F041D5EFA8167 | 2.72 MB, 2720256 bytes |
| 5fe167b3eab80f17b25b772ed5239861 | 9b43ceb2e2d069244283ec3654d857f38628e594 | 0FBB3795AD70021914CADDBD5AF83836CE8937F7A0C3777F953DC8B697EA9104 | 1.84 MB, 1837056 bytes |
| ad77262a8d324342a7cabec6d33ffcbf | a14a9d50d7344c26e9b4e72ccefb1e91c0af4e88 | 0ADD536CADA9C01F6766EC598181380A1B6E524D5FCD055289EADC83B67E78F9 | 301.21 KB, 301213 bytes |
| 4a8cff557421b6f2873a3d02b2f8c755 | f3d3eb3c7eda19b504464f8c103f3bd704b78991 | 9CB7065BBF8190E63C7E1488852C3928B722DC3ED5179147A7F5AB9EC8D53BA5 | 1.00 MB, 1000085 bytes |
| 9286d21674858d1c5197ddba6fbb81e7 | 7adef33a2913cc1ccfcc94b9b580c0c5a1591d46 | 18E984A1799A45352369D592E0943ADAAE0B8D367FB7F72B3081A6F86C7635E6 | 5.71 MB, 5707070 bytes |
| 6f67f68b52345788e7c1e49db69cbe91 | 5160998fbbad458bf32e8399fc7873d8c2f77781 | DDFA56EF98AC932C3DB7134A2009AD1DD68754B23AFCCA3CCBD1D40C44DC3147 | 705.61 KB, 705605 bytes |
| 6bf75c93ab93892e2f949dee1a4e7836 | 9f9ef8e5be0e6aa6d405bddf01793611ef9e4e21 | 4FF14969665DA11E45F88F3C552DBFEB53EC1DC46B74E18269A94A18F48B0622 | 924.65 KB, 924649 bytes |
| 6a0990621be1309bc547c49a964deb3b | ac2bc8c37a65a7561a0ba4e5d5aca87c917f87a5 | 5F79864B249848F688D726D593F751271E6D673E2786DA53C17469CB121B457B | 1.40 MB, 1396969 bytes |
Windows Portable Executable Attributes
- File doesn't have "Rich" header
- File doesn't have debug information
- File doesn't have exports table
- File doesn't have relocations information
- File doesn't have security information
- File has been packed
- File has exports table
- File has TLS information
- File is 32-bit executable
- File is 64-bit executable
- File is either console or GUI application
- File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
- File is Native application (NOT .NET application)
- File is not packed
- IMAGE_FILE_DLL is not set inside PE header (Executable)
- IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)
File Icons
This section displays icon resources found within family samples. Malware often replicates icons commonly associated with legitimate software to mislead users into believing the malware is safe.
Windows PE Version Information
This section displays values and attributes that have been set in the Windows file version information data structure for samples within this family. To mislead users, malware actors often add fake version information mimicking legitimate software.
| Name | Value |
|---|---|
| Comments | |
| Company Name | |
| Compiled Script | |
| File Description | |
| File Version | |
| Internal Name | |
| Legal Copyright | |
| Legal Trademarks | VNC |
| Original Filename | |
| Product Name | |
| Product Version | |
Digital Signatures
This section lists digital signatures that are attached to samples within this family. When analyzing and verifying digital signatures, it is important to confirm that the signature's root authority is a well-known and trustworthy entity and that the status of the signature is good. Malware is often signed with non-trustworthy "Self Signed" digital signatures (which can be easily created by a malware author with no verification). Malware may also be signed by legitimate signatures that have an invalid status, and by signatures from questionable root authorities with fake or misleading "Signer" names.
| Signer | Root | Status |
|---|---|---|
| uvnc bvba | GlobalSign Primary Object Publishing CA | Hash Mismatch |
File Traits
- 2+ executable sections
- Autoit
- big overlay
- HighEntropy
- Inno
- InnoSetup Installer
- Installer Manifest
- Installer Version
- packed
- WriteProcessMemory
- x64
- x86
Block Information
During analysis, EnigmaSoft breaks file samples into logical blocks for classification and comparison with other samples. Blocks can be used to generate malware detection rules and to group file samples into families based on shared source code, functionality and other distinguishing attributes and characteristics. This section lists a summary of this block data, as well as its classification by EnigmaSoft. A visual representation of the block data is also displayed, where available.
| Total Blocks: | 1,570 |
|---|---|
| Potentially Malicious Blocks: | 0 |
| Whitelisted Blocks: | 1,570 |
| Unknown Blocks: | 0 |
Visual Map
[Block map not reproduced here: the original page renders a grid of per-block classification cells; only the legend is recoverable from the extracted text.]
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block
Similar Families
This section lists other families that share similarities with this family, based on EnigmaSoft's analysis. Many malware families are created from the same malware toolkits and use the same packing and encryption techniques but uniquely extend functionality. Similar families may also share source code, attributes, icons, subcomponents, compromised and/or invalid digital signatures, and network characteristics. Researchers leverage these similarities to rapidly and effectively triage file samples and extend malware detection rules.
- Autoit
- Delf.Q
- Dropper.Delf.CF
- Filecoder.DF
- Injector.AJA
- Morto.B
- Philadelphia.A
- Philadelphia.B
- Softcnapp.N
- Trojan.Kryptik.Gen.EZ
Files Modified
This section lists files that were created, modified, moved and/or deleted by samples in this family. File system activity can provide valuable insight into how malware functions on the operating system.
| File | Attributes |
|---|---|
| \device\namedpipe\gmdasllogger | Generic Write,Read Attributes |
| c:\iproremote\setup\daueronline.bat | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\suporte hypercomp\icon2.ico | Generic Write,Read Attributes |
| c:\users\user\appdata\local\suporte hypercomp\lang_portuguese.ini | Generic Write,Read Attributes |
| c:\users\user\appdata\local\suporte hypercomp\logo.ico | Generic Write,Read Attributes |
| c:\users\user\appdata\local\suporte hypercomp\logo.jpg | Generic Write,Read Attributes |
| c:\users\user\appdata\local\suporte hypercomp\noimage.jpg | Generic Write,Read Attributes |
| c:\users\user\appdata\local\suporte hypercomp\scprompt.exe | Generic Write,Read Attributes |
| c:\users\user\appdata\local\suporte hypercomp\scprompt.ini | Generic Write,Read Attributes |
| c:\users\user\appdata\local\suporte hypercomp\ultravnc.ini | Generic Write,Read Attributes |
| c:\users\user\appdata\local\suporte hypercomp\vnchooks.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\suporte hypercomp\winvnc.exe | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\7zs3129.tmp | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\7zs3129.tmp\scprompt | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\7zs3129.tmp\scprompt\icon1.ico | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\7zs3129.tmp\scprompt\icon1.ico | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\7zs3129.tmp\scprompt\icon2.ico | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\7zs3129.tmp\scprompt\icon2.ico | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\7zs3129.tmp\scprompt\license.txt | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\7zs3129.tmp\scprompt\license.txt | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\7zs3129.tmp\scprompt\logo.ico | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\7zs3129.tmp\scprompt\logo.ico | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\7zs3129.tmp\scprompt\logo.jpg | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\7zs3129.tmp\scprompt\logo.jpg | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\7zs3129.tmp\scprompt\logo.maljpg | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\7zs3129.tmp\scprompt\logo.maljpg | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\7zs3129.tmp\scprompt\msrc4plugin.dsm | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\7zs3129.tmp\scprompt\msrc4plugin.dsm | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\7zs3129.tmp\scprompt\noimage.jpg | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\7zs3129.tmp\scprompt\noimage.jpg | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\7zs3129.tmp\scprompt\qc_skin_bg.gif | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\7zs3129.tmp\scprompt\qc_skin_bg.gif | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\7zs3129.tmp\scprompt\qc_skin_border.png | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\7zs3129.tmp\scprompt\qc_skin_border.png | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\7zs3129.tmp\scprompt\schook.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\7zs3129.tmp\scprompt\schook.dll | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\7zs3129.tmp\scprompt\scprompt.exe | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\7zs3129.tmp\scprompt\scprompt.exe | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\7zs3129.tmp\scprompt\scprompt.ini | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\7zs3129.tmp\scprompt\scprompt.ini | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\7zs3129.tmp\scprompt\scprompt.ini | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\7zs3129.tmp\scprompt\scprompt.ini.bak | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\7zs3129.tmp\scprompt\scprompt.ini.bak | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\7zs3129.tmp\scprompt\scprompt_example.ini | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\7zs3129.tmp\scprompt\scprompt_example.ini | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\7zs3129.tmp\scprompt\ultravnc.ini | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\7zs3129.tmp\scprompt\ultravnc.ini | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\7zs3129.tmp\scprompt\v2m_lang.ini | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\7zs3129.tmp\scprompt\v2m_lang.ini | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\7zs3129.tmp\scprompt\v2m_lang.ini.bak | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\7zs3129.tmp\scprompt\v2m_lang.ini.bak | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\7zs3129.tmp\scprompt\vnchooks.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\7zs3129.tmp\scprompt\vnchooks.dll | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\7zs3129.tmp\scprompt\winvnc.exe | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\7zs3129.tmp\scprompt\winvnc.exe | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\7zsa67c.tmp | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\7zsa67c.tmp\scprompt | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\7zsa67c.tmp\scprompt\icon1.ico | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\7zsa67c.tmp\scprompt\icon1.ico | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\7zsa67c.tmp\scprompt\icon2.ico | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\7zsa67c.tmp\scprompt\icon2.ico | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\7zsa67c.tmp\scprompt\logo.jpg | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\7zsa67c.tmp\scprompt\logo.jpg | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\7zsa67c.tmp\scprompt\schook.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\7zsa67c.tmp\scprompt\schook.dll | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\7zsa67c.tmp\scprompt\scprompt.exe | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\7zsa67c.tmp\scprompt\scprompt.exe | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\7zsa67c.tmp\scprompt\scprompt.ini | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\7zsa67c.tmp\scprompt\scprompt.ini | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\7zsa67c.tmp\scprompt\scprompt.ini | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\7zsa67c.tmp\scprompt\start.bat | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\7zsa67c.tmp\scprompt\start.bat | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\7zsa67c.tmp\scprompt\ultravnc.ini | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\7zsa67c.tmp\scprompt\ultravnc.ini | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\7zsa67c.tmp\scprompt\uvnc.exe | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\7zsa67c.tmp\scprompt\uvnc.exe | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\7zsa67c.tmp\scprompt\v2m_lang.ini | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\7zsa67c.tmp\scprompt\v2m_lang.ini | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\auta989.tmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\auta99a.tmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\auta9ba.tmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\autaa19.tmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\autaa39.tmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\autaa49.tmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\autaa5a.tmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\autaa6b.tmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\autaa7b.tmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\chunkvnc_temp_files\cad.exe | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\chunkvnc_temp_files\cad.exe | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\chunkvnc_temp_files\chunkvnc.exe | Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144 |
| c:\users\user\appdata\local\temp\chunkvnc_temp_files\chunkvnc.exe | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\chunkvnc_temp_files\chunkvnc.ini | Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144 |
| c:\users\user\appdata\local\temp\chunkvnc_temp_files\chunkvnc.ini | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\chunkvnc_temp_files\instantsupportvnc.exe | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\chunkvnc_temp_files\instantsupportvnc.exe | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\chunkvnc_temp_files\logo.jpg | Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144 |
| c:\users\user\appdata\local\temp\chunkvnc_temp_files\logo.jpg | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\chunkvnc_temp_files\msrc4plugin.dsm | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\chunkvnc_temp_files\msrc4plugin.dsm | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\chunkvnc_temp_files\rc4.key | Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144 |
| c:\users\user\appdata\local\temp\chunkvnc_temp_files\rc4.key | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\chunkvnc_temp_files\schook.dll | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\chunkvnc_temp_files\schook.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\chunkvnc_temp_files\ultravnc.ini | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\chunkvnc_temp_files\ultravnc.ini | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsaedde.tmp\advsplash.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsaedde.tmp\splash.bmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\rarsfx0 | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\rarsfx0\__tmp_rar_sfx_access_check_2356718 | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\rarsfx0\modules | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\rarsfx0\modules | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\rarsfx0\modules\api_usbfix.exe | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\rarsfx0\modules\api_usbfix.exe | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\rarsfx0\res | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\rarsfx0\res | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\rarsfx0\res\account-over.png | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\rarsfx0\res\account-over.png | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\rarsfx0\res\account.png | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\rarsfx0\res\account.png | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\rarsfx0\res\angle-149.png | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\rarsfx0\res\angle-149.png | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\rarsfx0\res\angle.png | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\rarsfx0\res\angle.png | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\rarsfx0\res\angle2.png | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\rarsfx0\res\angle2.png | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\rarsfx0\res\apply.jpg | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\rarsfx0\res\apply.jpg | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\rarsfx0\res\apply2.jpg | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\rarsfx0\res\apply2.jpg | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\rarsfx0\res\applyover.jpg | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\rarsfx0\res\applyover.jpg | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\rarsfx0\res\arrow_left.png | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\rarsfx0\res\arrow_left.png | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\rarsfx0\res\autoclean.png | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\rarsfx0\res\autoclean.png | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\rarsfx0\res\autovaccine.png | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\rarsfx0\res\autovaccine.png | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\rarsfx0\res\bg-buton.png | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\rarsfx0\res\bg-buton.png | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\rarsfx0\res\bg-footer-768x70.png | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\rarsfx0\res\bg-footer-768x70.png | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\rarsfx0\res\bitdefender-2015.png | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\rarsfx0\res\bitdefender-2015.png | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\rarsfx0\res\bitdefender-en-1.jpg | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\rarsfx0\res\bitdefender-en-1.jpg | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\rarsfx0\res\bitdefender-en-3.jpg | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\rarsfx0\res\bitdefender-en-3.jpg | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\rarsfx0\res\bitdefender-fr-1.jpg | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\rarsfx0\res\bitdefender-fr-1.jpg | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\rarsfx0\res\bitdefender-fr-2.jpg | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\rarsfx0\res\bitdefender-fr-2.jpg | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\rarsfx0\res\bitdefender-texte.png | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\rarsfx0\res\bitdefender-texte.png | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\rarsfx0\res\bitdefender-texte_en.png | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\rarsfx0\res\bitdefender-texte_en.png | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\rarsfx0\res\brngscan.png | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\rarsfx0\res\brngscan.png | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\rarsfx0\res\bug.png | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\rarsfx0\res\bug.png | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\rarsfx0\res\center direction-50.png | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\rarsfx0\res\center direction-50.png | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\rarsfx0\res\center direction-64.png | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\rarsfx0\res\center direction-64.png | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\rarsfx0\res\checked-40.png | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\rarsfx0\res\checked-40.png | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\rarsfx0\res\checkout-64.png | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\rarsfx0\res\checkout-64.png | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\rarsfx0\res\computer-64.png | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\rarsfx0\res\computer-64.png | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\rarsfx0\res\detected.ico | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\rarsfx0\res\detected.ico | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\rarsfx0\res\domain-50.png | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\rarsfx0\res\domain-50.png | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\rarsfx0\res\donate.jpg | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\rarsfx0\res\donate.jpg | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\rarsfx0\res\donateover.jpg | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\rarsfx0\res\donateover.jpg | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\rarsfx0\res\encart-bitdefender-en.jpg | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\rarsfx0\res\encart-bitdefender-en.jpg | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\rarsfx0\res\encart-bitdefender-en.png | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\rarsfx0\res\encart-bitdefender-en.png | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\rarsfx0\res\encart-bitdefender-fr.png | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\rarsfx0\res\encart-bitdefender-fr.png | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\rarsfx0\res\eula-en.txt | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\rarsfx0\res\eula-en.txt | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\rarsfx0\res\eula.txt | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\rarsfx0\res\eula.txt | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\rarsfx0\res\exit-64.png | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\rarsfx0\res\exit-64.png | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\rarsfx0\res\facebook.jpg | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\rarsfx0\res\facebook.jpg | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\rarsfx0\res\facebookover.jpg | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\rarsfx0\res\facebookover.jpg | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\rarsfx0\res\fastscan.png | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\rarsfx0\res\fastscan.png | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\rarsfx0\res\folder.ico | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\rarsfx0\res\folder.ico | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\rarsfx0\res\folder.png | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\rarsfx0\res\folder.png | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\rarsfx0\res\forum.jpg | Generic Write,Read Attributes |
212 additional files are not displayed above.
Registry Modifications
This section lists registry keys and values that were created, modified and/or deleted by samples in this family. Windows Registry activity can provide valuable insight into malware functionality. Additionally, malware often creates registry values to allow itself to automatically start and indefinitely persist after an initial infection has compromised the system.
| Key::Value | Data | API Name |
|---|---|---|
| HKCU\software\microsoft\internet explorer\main::operationaldata | | RegNtPreCreateKey |
| HKCU\software\usbfix::langage | EN | RegNtPreCreateKey |
| HKCU\software\usbfix::optiondisableautoplay | | RegNtPreCreateKey |
| HKCU\software\usbfix::optionmakelisting | | RegNtPreCreateKey |
| HKCU\software\usbfix::listing+ | | RegNtPreCreateKey |
| HKCU\software\usbfix::bbcode | BBCode | RegNtPreCreateKey |
| HKCU\software\usbfix::ini | | RegNtPreCreateKey |
| HKCU\software\usbfix::upok | | RegNtPreCreateKey |
| HKCU\software\usbfix::wsh | | RegNtPreCreateKey |
| HKCU\software\usbfix::autorun | | RegNtPreCreateKey |
| HKLM\software\wow6432node\microsoft\windows script host\settings::enabled | | RegNtPreCreateKey |
| HKCU\software\microsoft\windows script host\settings::enabled | | RegNtPreCreateKey |
| HKLM\software\microsoft\windows script host\settings::enabled | | RegNtPreCreateKey |
| HKLM\software\microsoft\windows\currentversion\policies\system::promptonsecuredesktop_v2m | | RegNtPreCreateKey |
| HKLM\software\microsoft\windows\currentversion\policies\system::promptonsecuredesktop | | RegNtPreCreateKey |
| HKLM\software\microsoft\windows\currentversion\policies\system::consentpromptbehavioradmin_v2m | | RegNtPreCreateKey |
| HKLM\software\microsoft\windows\currentversion\policies\system::consentpromptbehavioradmin | | RegNtPreCreateKey |
| HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass | | RegNtPreCreateKey |
| HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname | | RegNtPreCreateKey |
| HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet | | RegNtPreCreateKey |
| HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect | | RegNtPreCreateKey |
| HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75 | | RegNtPreCreateKey |
Windows API Usage
This section lists Windows API calls that are used by the samples in this family. Windows API usage analysis is a valuable tool that can help identify malicious activity, such as keylogging, security privilege escalation, data encryption, data exfiltration, interference with antivirus software, and network request manipulation.
| Category | API |
|---|---|
| Syscall Use | |
| Anti Debug | |
| User Data Access | |
| Process Shell Execute | |
| Network Winsock2 | |
| Network Winsock | |
| Process Manipulation Evasion | |
| Service Control | |
| Keyboard Access | |
53 additional items are not displayed above.
Shell Command Execution
This section lists Windows shell commands that are run by the samples in this family. Windows Shell commands are often leveraged by malware for nefarious purposes and can be used to elevate security privileges, download and launch other malware, exploit vulnerabilities, collect and exfiltrate data, and hide malicious activity.
- C:\Program Files\uvnc bvba\ultravnc\winvnc.exe
- C:\Program Files\Internet Explorer\iexplore.exe www.iplus.carlcomms.com/utils/RealVNC-install.exe
- c:\users\user\downloads\xdmcp\xdmcp.exe
- C:\Users\Fzyiqkmd\AppData\Local\Suporte Hypercomp\scprompt.exe
- C:\Program Files\VNC\winvnc.exe
- .\scprompt\scprompt.exe
- (NULL) C:\Users\Walgkqxz\AppData\Local\Temp\RarSFX0\UsbFix.exe
- .\scprompt\scprompt
- open C:\Users\Galjurfy\AppData\Local\Temp\ChunkVNC_Temp_Files\InstantSupportVNC.exe -autoreconnect ID:881666 -connect 82.139.132.246:5500 -run