Trojan.Agent.AVBM

By CagedTech in Trojans

Analysis Report

General information

Family Name: Trojan.Agent.AVBM
Signature status: No Signature

Known Samples


Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File doesn't have security information
  • File has TLS information
  • File is 64-bit executable
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

Windows PE Version Information

File Description: RR Service
File Version: 11.1.2.9
Original Filename: rrpoos.exe
Product Name: RR Service
Product Version: 11.1.2.9

File Traits

  • CryptUnprotectData
  • fptable
  • No CryptProtectData
  • No Version Info
  • VirtualQueryEx
  • WriteProcessMemory
  • x64

Block Information

Total Blocks: 1,216
Potentially Malicious Blocks: 161
Whitelisted Blocks: 1,053
Unknown Blocks: 2

Visual Map

[Visual map of the 1,216 analysed blocks, rendered in block order using the legend below; the map itself is not reproduced here.]

0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Similar Families

  • Agent.AVBM
  • Gamehack.GSI
  • PSW.Agent.FBA

Files Modified

File: c:\users\user\appdata\local\temp\log.txt
Attributes: Generic Write, Read Attributes

Windows API Usage

Syscall Use
  • ntdll.dll!NtAlertThreadByThreadId
  • ntdll.dll!NtAlpcConnectPort
  • ntdll.dll!NtAlpcQueryInformation
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtApphelpCacheControl
  • ntdll.dll!NtAssociateWaitCompletionPacket
  • ntdll.dll!NtCancelWaitCompletionPacket
  • ntdll.dll!NtClose
  • ntdll.dll!NtCreateEvent
  • ntdll.dll!NtCreateIoCompletion
  • ntdll.dll!NtCreateKey
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtCreateTimer2
  • ntdll.dll!NtCreateWaitCompletionPacket
  • ntdll.dll!NtCreateWorkerFactory
  • ntdll.dll!NtDuplicateObject
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtNotifyChangeKey
  • ntdll.dll!NtOpenDirectoryObject
  • ntdll.dll!NtOpenEvent
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenKeyEx
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtOpenSection
  • ntdll.dll!NtOpenThreadToken
  • ntdll.dll!NtPrivilegeCheck
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQueryKey
  • ntdll.dll!NtQueryPerformanceCounter
  • ntdll.dll!NtQuerySecurityAttributesToken
  • ntdll.dll!NtQuerySecurityObject
  • ntdll.dll!NtQuerySystemInformation
  • ntdll.dll!NtQuerySystemInformationEx
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtQueryWnfStateData
  • ntdll.dll!NtReadRequestData
  • ntdll.dll!NtReleaseWorkerFactoryWorker
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationObject
  • ntdll.dll!NtSetInformationProcess
  • ntdll.dll!NtSetInformationVirtualMemory
  • ntdll.dll!NtSetInformationWorkerFactory
  • ntdll.dll!NtSetTimer2
  • ntdll.dll!NtTestAlert
  • ntdll.dll!NtTraceControl
  • ntdll.dll!NtUnmapViewOfSection
  • ntdll.dll!NtWaitForAlertByThreadId
  • ntdll.dll!NtWaitForSingleObject
  • ntdll.dll!NtWaitForWorkViaWorkerFactory
  • ntdll.dll!NtWaitLowEventPair
  • ntdll.dll!NtWorkerFactoryWorkerReady
  • ntdll.dll!NtWriteFile
  • ntdll.dll!NtWriteVirtualMemory
  • UNKNOWN
  • win32u.dll!NtUserGetKeyboardLayout
  • win32u.dll!NtUserGetThreadState
Service Control
  • StartServiceCtrlDispatcher
Network Winhttp
  • WinHttpConnect
  • WinHttpOpen
  • WinHttpOpenRequest
  • WinHttpReceiveResponse
  • WinHttpSendRequest