Trojan.Agent.ANF
Analysis Report
General information
| Family Name: | Trojan.Agent.ANF |
|---|---|
| Signature status: | Self Signed |
Known Samples
This section lists other file samples believed to be associated with this family. Four of the entries carry no SHA256 on this page; the column is left blank rather than filled in. Sizes fall into two groups: the ten SHA1 values that reappear in the Shell Command Execution section (the samples loaded through rundll32) are the small files of 611,840 to 2,342,912 bytes, while the remaining thirteen are between 6,090,592 and 7,977,568 bytes.

| MD5 | SHA1 | SHA256 | File Size (bytes) |
|---|---|---|---|
| 30f4ac8dac74e4e9e79a7e3ba1300c76 | 70d24b6ea0f2f1bcddb0e6e6ba97d51bbe15fc2b | | 6,258,168 |
| a0ddd265be0ef6922f40eddfa31f422e | fdad0727dcded2c1e4a4c3a13a3a6f705c2cb880 | | 7,977,544 |
| 2029958c24281be21613823585c68487 | 9a074fdd59cc40c5b4601a014fba1884443fe632 | | 7,977,528 |
| 94b596f1188c0915df496e8c0c1b56e7 | ef7f406bfcc2d74ac7e367c3e76a08a1bfbbccac | | 7,977,568 |
| 69d38d47dc092557b1d9d15a503cdbde | d9b1e212b117b8e9aaaa1dc4474420932d5a184a | 8B06EDA80E2A3455ABA6ED78D7A53FD199D25A25274CE46EFB5F78B282AC8C32 | 6,214,544 |
| 1d48a04adf3d73db68236b016b031a4c | bd447377f3097318af537155d03e95bfd7ca10e7 | 308D2E5AD43D7A63BBC4EB9154F72118564160C203CA12CFDFB35CEADF442816 | 6,094,824 |
| 9c314cc716c2893c27291808c8dd67e6 | bde45ba55e491013c0a26a5d811b2641d92f1fbe | A86083469195DCBBBFEF5F9381EBCCB612F3D865C3A65AF7F22491813FA0E277 | 6,265,560 |
| 5eac16aedb9969574f88e3166e89f11c | a75a7c5fe2feafaf3d215fa1b749bf2e36e9b6b8 | F15421F2FCAEE863E2323A724B997D7275555B7A5AAD58164BA30585859E1967 | 2,107,392 |
| 94f3b49d7b8f36d0504a050393966d99 | 78ddbf0bad55c30b4b85853408e39be48588eb06 | D3A31174483A30A518BA544947AF67A495EB71E5D6FA01110ACDFC8A63BE0794 | 1,981,440 |
| 6d8c8bf204c7e93a2d5b5de209930fca | 65b6137433269465521f579f75ee341e68cf0392 | D82467AB43370411D9ABBAFC25792F157E0B6C3D41C420077FACF5E5F218A438 | 7,977,520 |
| 3be9855180f69c0ce4b3c33b8f81fb6d | b434450538a24c7107469e088ad13c78d2948d78 | 217DEB9A08125EDC5260A9A089E298D397649F458F2E1C711D53B6E06842B289 | 2,342,912 |
| 21cb932a5158fd924f4b5015c3901407 | ed2048d0ce42f12a9729db90d5257a1eb8544225 | BB79C811130F85FC3C7B6B85DF696F533D273A7D0D25E60FCEF76FD749ECE41D | 611,840 |
| dcf58f35bc12a2fad0106a2b1b945763 | cca79a395bac93e7ba89abcce9392759e7a7090f | 8D5D5C09FFE4DE2CE87855D54F71A271B0B7BA3997C4ABC7EB9EE8EFFE3B45A9 | 1,982,976 |
| 5bae802e06e6af05f2c886b7454af31d | 70ac94101365727e929cccec9e4d3d1d1ce582e1 | 9E9A357C05D37F83037092DD3AD9D8BAFF3F89D4B880FB0DAF73416944BB3F95 | 6,214,472 |
| 3505dc6d119b8aa72a8f12dd0da47ee8 | 7f02734d25aa7aec220fbf666faaabe0d7f809d3 | F9456DE861DE3E9ADFCF9155264496D97460A14B97A0018E01DCBD9272520128 | 2,107,392 |
| 2b474bd4bc27d349bba6014e495b1b52 | b2bf114e11e43c4d3f2130236807f0151a943fe7 | BE56ECA4FAA9F88EEFD6D4D44F2B3FDCA8876F0C5E91E183EE9C29CFAC9231E5 | 2,107,392 |
| 91509cae3ebd937c60195ee806e7cdfa | a43bf3202463887ec86846ad4ddccce44e3106c7 | A01FF741B6698D309D132131EA57B5B38897A7D1434C3DF7037738202E1AA929 | 6,922,576 |
| 3154a30cce46478ff67fe35bb50df7b3 | ec9a6b4646ae3ef78909b02f2e3b3949a70b31f0 | 0237E6ECE653D9D09DDFCFE1CF9A97ED43F732006721F9E5D2FB79756EEE3F0F | 6,265,584 |
| bacf61fe26f43ab2e1883d30a7a2f337 | 4fc74f901676a7907847c9faee89e960748785b8 | 325752CEBA048F0A522D2212E74D086F55EC5ECA0D56EC3972191C8EDE7AF8E9 | 6,090,592 |
| 258d71b3d19126bdf5a41bd32a9c6da9 | a6a5a12e366ab74a626556f64bd9d809152d5486 | 168B6D38BC5DC3638943C930BCE6FEA77A8144F9D5ED6834ADC868C26E21E933 | 1,981,440 |
| 1fa6063b904af0bf63dc82091eea662b | debe5179709a5461dd5dd56f0ae5c1bcf441f3b8 | 2B1916C053DC3BCA0B8C4A30F3FB9E94AE688B88597FB14430A69BCA9874F908 | 1,982,976 |
| 0048922c75b72c00eb33712415d71c04 | 9f94ba381ec9d443e44d766faf11965c243b6b62 | 7EDDD61DE07A4E6F956E060358AD7D0E98EC88581F4944E2200C0E7E258205DB | 6,258,136 |
| 22981cdc9a16654a62e73d1e59f290ab | baabdf7d08b51b2512fa968949e40ef786430774 | 8FED702073DE659F75BDB24384894894811F7A2CF0A1C2C6E73779C24C181EB2 | 1,981,440 |
Windows Portable Executable Attributes
The attributes below are the union over every sample in the family, which is why mutually exclusive entries appear side by side: some samples have no exports table, while the ones loaded through rundll32 (see Shell Command Execution) necessarily export the entry point that rundll32 calls, and the File Traits section records a "dll" trait alongside the "IMAGE_FILE_DLL is not set" entry here. "Security information" is the PE security data directory, which is where an Authenticode signature lives, so "doesn't have security information" describes the unsigned samples rather than the self-signed ones listed under Digital Signatures.
- File doesn't have "Rich" header
- File doesn't have debug information
- File doesn't have exports table
- File doesn't have relocations information
- File doesn't have security information
- File has exports table
- File is 32-bit executable
- File is either console or GUI application
- File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
- File is Native application (NOT .NET application)
- File is not packed
- IMAGE_FILE_DLL is not set inside PE header (Executable)
- IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)
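Every attribute in the list above is read straight from the PE headers. The following is an added example (not EnigmaSoft's tooling, and not code from any sample) that derives those attributes with the standard library only, using offsets from the Microsoft PE/COFF specification. Because no sample is embedded, `build_min_pe()` constructs a header-only PE32 image in memory so the checks can be run offline; the "not packed" heuristic is EnigmaSoft's own and is not reproduced here.

```python
"""Derive the PE attributes listed above directly from a file's headers.

Added example (not EnigmaSoft's tooling): standard library only, offsets from
the Microsoft PE/COFF specification. build_min_pe() constructs a header-only
image in memory so the checks can be exercised without a malware sample.
"""
import struct

IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
IMAGE_SUBSYSTEM_WINDOWS_GUI, IMAGE_SUBSYSTEM_WINDOWS_CUI = 2, 3
# Data directory slots (winnt.h IMAGE_DIRECTORY_ENTRY_*)
DIR_EXPORT, DIR_SECURITY, DIR_BASERELOC, DIR_DEBUG, DIR_COM_DESCRIPTOR = 0, 4, 5, 6, 14


def pe_attributes(data: bytes) -> dict:
    """Return the header-level facts behind each attribute in the report."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _m, _ns, _ts, _ps, _nsym, _osz, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        ndirs_off, dirs_off = 92, 96
    elif magic == PE32PLUS_MAGIC:
        ndirs_off, dirs_off = 108, 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    ndirs = struct.unpack_from("<I", data, opt + ndirs_off)[0]

    def dir_present(idx: int) -> bool:
        # A directory counts as present only when both RVA and size are non-zero
        if idx >= ndirs:
            return False
        rva, size = struct.unpack_from("<II", data, opt + dirs_off + 8 * idx)
        return rva != 0 and size != 0

    return {
        "32bit": magic == PE32_MAGIC,
        "executable_image": bool(chars & IMAGE_FILE_EXECUTABLE_IMAGE),
        "dll": bool(chars & IMAGE_FILE_DLL),
        "gui": subsystem == IMAGE_SUBSYSTEM_WINDOWS_GUI,
        "console": subsystem == IMAGE_SUBSYSTEM_WINDOWS_CUI,
        "exports": dir_present(DIR_EXPORT),
        # The security directory holds the Authenticode signature: signed files
        # always have it, "doesn't have security information" means unsigned
        "security": dir_present(DIR_SECURITY),
        "relocations": dir_present(DIR_BASERELOC),
        "debug": dir_present(DIR_DEBUG),
        "dotnet": dir_present(DIR_COM_DESCRIPTOR),  # CLR header => .NET assembly
        # The linker's "Rich" block sits between the DOS stub and the PE header
        "rich_header": b"Rich" in data[0x40:e_lfanew],
    }


def build_min_pe(dll: bool, subsystem: int, exports: bool, security: bool,
                 rich: bool = False) -> bytes:
    """Construct a header-only PE32 image (constructed test data, no sections)."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    if rich:
        dos[0x60:0x64] = b"Rich"
    chars = IMAGE_FILE_EXECUTABLE_IMAGE | (IMAGE_FILE_DLL if dll else 0)
    ndirs = 16
    opt_size = 96 + 8 * ndirs
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, opt_size, chars)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<H", opt, 68, subsystem)
    struct.pack_into("<I", opt, 92, ndirs)
    if exports:
        struct.pack_into("<II", opt, 96 + 8 * DIR_EXPORT, 0x3000, 0x80)
    if security:
        struct.pack_into("<II", opt, 96 + 8 * DIR_SECURITY, 0x20000, 0x1800)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def describe(data: bytes) -> list:
    """Render the attributes in the wording the report uses."""
    a = pe_attributes(data)
    return [
        'File %s "Rich" header' % ("has" if a["rich_header"] else "doesn't have"),
        "File %s exports table" % ("has" if a["exports"] else "doesn't have"),
        "File %s security information" % ("has" if a["security"] else "doesn't have"),
        "File is %s" % ("32-bit executable" if a["32bit"] else "64-bit executable"),
        "File is %s application" % ("GUI" if a["gui"] else "console" if a["console"] else "other"),
        "File is %s application" % (".NET" if a["dotnet"] else "Native (NOT .NET)"),
        "IMAGE_FILE_DLL is %s inside PE header (%s)" % (
            ("set", "DLL") if a["dll"] else ("not set", "Executable")),
    ]


if __name__ == "__main__":
    sample = build_min_pe(dll=True, subsystem=IMAGE_SUBSYSTEM_WINDOWS_GUI, exports=True, security=False)
    print("\n".join(describe(sample)))
```

Run against a real file with `pe_attributes(open(path, "rb").read())`. Note that header flags are claims made by whatever wrote the file: a DLL loaded through rundll32 needs the exports table to be real, but nothing stops a packer or a malformed header from setting the other bits arbitrarily, which is why the report's "not packed" verdict needs section-level analysis beyond what this parser does.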
File Icons
This section displays icon resources found within family samples. Malware often replicates icons commonly associated with legitimate software to mislead users into believing the malware is safe.
Windows PE Version Information
This section displays values and attributes that have been set in the Windows file version information data structure for samples within this family. To mislead users, malware actors often add fake version information mimicking legitimate software. Here the version block describes a PDF utility, which nothing else on this page (the signer names, the dropped files, the rundll32 export) corroborates. Note also that "Assembly Version" is a string that .NET build tooling writes into the version resource, whereas the PE attributes above classify the samples as native code.

| Name | Value |
|---|---|
| Assembly Version | 1.3.3.0 |
| Comments | PDF concatenation tool for Windows. |
| Company Name | |
| File Description | |
| File Version | |
| Internal Name | |
| Legal Copyright | |
| Original Filename | |
| Product Name | ConcatPDF for Windows |
| Product Version | |
Digital Signatures
This section lists digital signatures that are attached to samples within this family. When analyzing and verifying digital signatures, confirm that the signature's root authority is a well-known and trustworthy entity and that the status of the signature is good. Malware is often signed with non-trustworthy "Self Signed" certificates, which a malware author can create with no verification. Malware may also be signed by legitimate certificates that have an invalid status, or by certificates from questionable root authorities with fake or misleading "Signer" names.

Every signer below is also its own root: the leaf certificate chains to nothing outside itself, so Windows reports these signatures as untrusted on any machine that has not explicitly imported the certificate. The signer names all follow one pattern (two unrelated words followed by "Group"), which makes them useful as a pivot for hunting related samples, not as evidence of who built the files.

| Signer | Root | Status |
|---|---|---|
| Ansatuguemia Backspaced Group | Ansatuguemia Backspaced Group | Self Signed |
| Ansatuguemia Backspaced Group | Ansatuguemia Backspaced Group | Self Signed |
| Economizing Pruning Group | Economizing Pruning Group | Self Signed |
| Exertions Advocacy Group | Exertions Advocacy Group | Self Signed |
| Gaithersburg Buffaloes Group | Gaithersburg Buffaloes Group | Self Signed |
| IndusSinks Truisms Group | IndusSinks Truisms Group | Self Signed |
| Jostling Zones Group | Jostling Zones Group | Self Signed |
| Lippincott Bulky Group | Lippincott Bulky Group | Self Signed |
| Montague Suspense Group | Montague Suspense Group | Self Signed |
| Organization Spell Group | Organization Spell Group | Self Signed |
| Organization Summoners Group | Organization Summoners Group | Self Signed |
| Participle Unjustified Group | Participle Unjustified Group | Self Signed |
| Patterned Zones Group | Patterned Zones Group | Self Signed |
| Scenery Roder Group | Scenery Roder Group | Self Signed |
File Traits
- dll
- HighEntropy
- x86
Block Information
During analysis, EnigmaSoft breaks file samples into logical blocks for classification and comparison with other samples. Blocks can be used to generate malware detection rules and to group file samples into families based on shared source code, functionality and other distinguishing attributes and characteristics. This section lists a summary of this block data, as well as its classification by EnigmaSoft. A visual representation of the block data is also displayed, where available.

| Total Blocks: | 1,032 |
|---|---|
| Potentially Malicious Blocks: | 63 |
| Whitelisted Blocks: | 938 |
| Unknown Blocks: | 31 |
Visual Map
(Block map not reproduced here: the original is a grid with one symbol per block, read with the legend below.)
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block
Similar Families
This section lists other families that share similarities with this family, based on EnigmaSoft's analysis. Many malware families are created from the same malware toolkits and use the same packing and encryption techniques but uniquely extend functionality. Similar families may also share source code, attributes, icons, subcomponents, compromised and/or invalid digital signatures, and network characteristics. Researchers leverage these similarities to rapidly and effectively triage file samples and extend malware detection rules.
- Agent.ANF
Files Modified
This section lists files that were created, modified, moved and/or deleted by samples in this family. File system activity can provide valuable insight into how malware functions on the operating system.

The ns<letter><hex>.tmp directories under %TEMP%, together with modern-wizard.bmp, nsDialogs.dll, InstallOptions.dll and ioSpecial.ini, are the standard run-time artifacts of an NSIS (Nullsoft Scriptable Install System) installer, which unpacks its UI plug-ins and bitmaps into a fresh randomly named temp folder on every run. Because the folder names are random and the sandbox account is "user", match on that pattern when hunting rather than on these exact paths.

| File | Attributes |
|---|---|
| c:\users\user\appdata\local\temp\nsa49d3.tmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsa49d3.tmp | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\nsa73f3.tmp\modern-wizard.bmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsa73f3.tmp\modern-wizard.bmp | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\nsa73f3.tmp\nsdialogs.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsaedde.tmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsaedde.tmp | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\nsbbe93.tmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsbbe93.tmp | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\nsd999.tmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsd999.tmp | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\nse60f3.tmp\modern-wizard.bmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nse60f3.tmp\modern-wizard.bmp | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\nse60f3.tmp\nsdialogs.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsf7375.tmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsf7375.tmp | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\nsg730f.tmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsg730f.tmp | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\nsga45b.tmp\modern-wizard.bmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsga45b.tmp\modern-wizard.bmp | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\nsga45b.tmp\nsdialogs.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsh4d01.tmp\modern-wizard.bmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsh4d01.tmp\modern-wizard.bmp | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\nsh4d01.tmp\nsdialogs.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsh6e7b.tmp\modern-wizard.bmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsh6e7b.tmp\modern-wizard.bmp | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\nsh6e7b.tmp\nsdialogs.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsi5188.tmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsi5188.tmp | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\nsia8ee.tmp | Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete |
| c:\users\user\appdata\local\temp\nsja08.tmp\modern-wizard.bmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsja08.tmp\modern-wizard.bmp | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\nsja08.tmp\nsdialogs.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsl49d2.tmp | Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete |
| c:\users\user\appdata\local\temp\nsl7419.tmp\installoptions.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsl7419.tmp\iospecial.ini | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\nsl7419.tmp\iospecial.ini | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsl7419.tmp\modern-wizard.bmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsp48ed.tmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsp48ed.tmp | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\nspee3c.tmp\modern-wizard.bmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nspee3c.tmp\modern-wizard.bmp | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\nspee3c.tmp\nsdialogs.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsq72fe.tmp | Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete |
| c:\users\user\appdata\local\temp\nsrbf40.tmp\modern-wizard.bmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsrbf40.tmp\modern-wizard.bmp | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\nsrbf40.tmp\nsdialogs.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nstaa38.tmp\installoptions.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nstaa38.tmp\iospecial.ini | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\nstaa38.tmp\iospecial.ini | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nstaa38.tmp\modern-wizard.bmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsu495b.tmp\modern-wizard.bmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsu495b.tmp\modern-wizard.bmp | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\nsu495b.tmp\nsdialogs.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsu8691.tmp\modern-wizard.bmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsu8691.tmp\modern-wizard.bmp | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\nsu8691.tmp\nsdialogs.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsva3cd.tmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsva3cd.tmp | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\nsw6dde.tmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsw6dde.tmp | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\nsxa8fe.tmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsxa8fe.tmp | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\nsy51e7.tmp\modern-wizard.bmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsy51e7.tmp\modern-wizard.bmp | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\nsy51e7.tmp\nsdialogs.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsy6084.tmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsy6084.tmp | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\nsz8613.tmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsz8613.tmp | Synchronize,Write Attributes |
Windows API Usage
This section lists Windows API calls that are used by the samples in this family. Windows API usage analysis is a valuable tool that can help identify malicious activity, such as keylogging, security privilege escalation, data encryption, data exfiltration, interference with antivirus software, and network request manipulation. Only the categories are given on this page; the individual API names are not listed.
- Anti Debug
- User Data Access
- Syscall Use
- Process Shell Execute
- Process Manipulation Evasion
Shell Command Execution
This section lists Windows shell commands that are run by the samples in this family. Windows shell commands are often leveraged by malware for nefarious purposes and can be used to elevate security privileges, download and launch other malware, exploit vulnerabilities, collect and exfiltrate data, and hide malicious activity.

Each record below gives the process image path followed by the full command line. The image is C:\WINDOWS\SysWOW64\rundll32.exe although the command line names C:\WINDOWS\system32\rundll32.exe; that is consistent with the samples being 32-bit, since WOW64 file-system redirection resolves system32 to SysWOW64 for a 32-bit caller. The module argument is the sample itself, stored by the sandbox as <SHA1>_<size> with no extension (a75a7c5f..._0002107392 is the 2,107,392-byte sample with that SHA1 in Known Samples), and all ten samples are invoked through the same export, LiQMAxHB. The period before the comma is significant: LoadLibrary appends ".dll" to a module name that has no extension unless the name ends in a period, so the trailing period is what lets an extension-less file be loaded. Two detection signals follow directly: rundll32 loading a module from a user's Downloads directory whose name does not end in .dll, and many distinct modules sharing one meaningless export name.

- C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\a75a7c5fe2feafaf3d215fa1b749bf2e36e9b6b8_0002107392.,LiQMAxHB
- C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\78ddbf0bad55c30b4b85853408e39be48588eb06_0001981440.,LiQMAxHB
- C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\b434450538a24c7107469e088ad13c78d2948d78_0002342912.,LiQMAxHB
- C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\ed2048d0ce42f12a9729db90d5257a1eb8544225_0000611840.,LiQMAxHB
- C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\cca79a395bac93e7ba89abcce9392759e7a7090f_0001982976.,LiQMAxHB
- C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\7f02734d25aa7aec220fbf666faaabe0d7f809d3_0002107392.,LiQMAxHB
- C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\b2bf114e11e43c4d3f2130236807f0151a943fe7_0002107392.,LiQMAxHB
- C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\a6a5a12e366ab74a626556f64bd9d809152d5486_0001981440.,LiQMAxHB
- C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\debe5179709a5461dd5dd56f0ae5c1bcf441f3b8_0001982976.,LiQMAxHB
- C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\baabdf7d08b51b2512fa968949e40ef786430774_0001981440.,LiQMAxHB
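The command lines above are the kind of record a detection engineer turns into a rule. The following is an added example (not EnigmaSoft's code) that parses rundll32 invocations in the layout this report uses, image path followed by argv[0] and then `<module>,<entrypoint>`, splits out the module and export, and flags the properties discussed above: a module under a user-writable directory, a name that does not end in `.dll`, and the trailing period that suppresses LoadLibrary's default extension. Three of the sample lines are taken from the report; the Control Panel line and the quoted-path line are constructed for contrast and are not from the page.

```python
"""Parse and triage rundll32 command lines of the form recorded above.

Added example, not EnigmaSoft's code. Assumes each sandbox record is
"<image path> <argv[0]> <module>,<entrypoint> [args]" as shown in the report;
the last two SAMPLE_LOG lines are constructed (not from the report) for contrast.
"""
import re
from collections import Counter

# A token is a run of quoted segments and/or non-space characters; quotes are
# stripped afterwards. shlex is unsuitable because backslashes are path separators.
TOKEN_RE = re.compile(r'(?:"[^"]*"|[^\s"])+')
# Locations an unprivileged user can write to; a module loaded from one of
# these by a system binary deserves a second look
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")

SAMPLE_LOG = [
    r"C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\a75a7c5fe2feafaf3d215fa1b749bf2e36e9b6b8_0002107392.,LiQMAxHB",
    r"C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\78ddbf0bad55c30b4b85853408e39be48588eb06_0001981440.,LiQMAxHB",
    r"C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\ed2048d0ce42f12a9729db90d5257a1eb8544225_0000611840.,LiQMAxHB",
    # constructed: an ordinary Control Panel launch
    r"C:\WINDOWS\system32\rundll32.exe rundll32.exe shell32.dll,Control_RunDLL",
    # constructed: quoted module path containing a space, plus an argument
    r'C:\WINDOWS\system32\rundll32.exe rundll32.exe "C:\Program Files\Vendor\helper.dll",Init /quiet',
]


def tokenize(cmdline: str) -> list:
    return [t.replace('"', "") for t in TOKEN_RE.findall(cmdline)]


def parse_rundll32(cmdline: str):
    """Return image, module, entry point and args, or None if not a rundll32 record."""
    toks = tokenize(cmdline)
    i = 0
    # Skip the logged image path and argv[0]; both name rundll32.exe
    while i < len(toks) and toks[i].lower().endswith("rundll32.exe"):
        i += 1
    if i == 0 or i >= len(toks):
        return None
    # rundll32 splits "<module>,<entrypoint>" at the first comma; a module
    # name may contain dots (or end in one) but never a comma
    module, sep, entry = toks[i].partition(",")
    return {"image": toks[0], "module": module, "entry": entry if sep else "",
            "args": toks[i + 1:]}


def triage(cmdline: str):
    """Attach the reasons a rundll32 invocation deserves analyst attention."""
    rec = parse_rundll32(cmdline)
    if rec is None:
        return None
    module = rec["module"].lower()
    base = module.rsplit("\\", 1)[-1]
    reasons = []
    if any(d in module for d in USER_WRITABLE):
        reasons.append("module loaded from a user-writable directory")
    if not base.endswith(".dll"):
        reasons.append("module name does not end in .dll")
    if base.endswith("."):
        # LoadLibrary appends ".dll" to an extension-less name unless the name
        # ends in a period; the period is what makes the bare file loadable
        reasons.append("trailing period suppresses the default .dll extension")
    rec["reasons"] = reasons
    return rec


def entry_point_counts(cmdlines) -> Counter:
    """Count invocations per export name. One odd export shared by many
    distinct modules is a family-level pivot (LiQMAxHB in this report)."""
    counts = Counter()
    for line in cmdlines:
        rec = parse_rundll32(line)
        if rec is not None and rec["entry"]:
            counts[rec["entry"]] += 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        rec = triage(line)
        print(rec["entry"], rec["module"], rec["reasons"])
    print(dict(entry_point_counts(SAMPLE_LOG)))
```

The module-path and extension checks are deliberately independent of the export name, since the name will change with the next build; the `entry_point_counts` aggregation is what catches a campaign that reuses one export across many droppers, and it should be run over process-creation telemetry (Sysmon event 1 or equivalent) rather than a single host.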