Trojan.Agent.AVBM
Analysis Report
General information
| Family Name: | Trojan.Agent.AVBM |
|---|---|
| Signature status: | No Signature |
Known Samples
This section lists other file samples believed to be associated with this family.

| MD5 | SHA1 | SHA256 | File Size |
|---|---|---|---|
| d37c890903eddd4cc606c104da823275 | a9b126cdc85480121a55c2108c440f8e57892f93 | AB57BCC241D8DB4B4B8C7BE8D5523A27CC4029B27BF15E6292D8D9B4F04FB69F | 404.48 KB, 404480 bytes |
| 2716520f335eba133010b9143cb370d8 | 82a1d6b0d3340d2a6186c3c7c330feb065707008 | DC8C3C81A794F1689C7B7187F5D14160F3683A4878000B449D4C472204A0920E | 404.48 KB, 404480 bytes |
| 2954badd174ca31a8e45b33240faa256 | 99ec82fde70d8580da670d186c138c1d33dcf442 | D73D7200158FD6BF76BC4DEAEEE2A9B06C74C81BE44B6C8CCBD10886F5A1CDA0 | 404.48 KB, 404480 bytes |
| d4366fe1631b6fd54a80e3e6fc947c34 | d1859f74dd76727ebfdff15715e402bbeca09d9f | 970358FE7619BB0037985709270666FCE64620D02A8292F7FF203B21DA39AA4E | 404.48 KB, 404480 bytes |
| 63b34ab1e235ba658c03ff3414202c0b | 77a849bc85253334060beec42aa2d5d01f7bb96a | F8B4132752CE82F8972FB5BFDA3B4A0601FAC186849F3BE42BA48E4E69CAB4F7 | 404.48 KB, 404480 bytes |
| 0ad179b858c9e7eda2f29578d0d98d3f | d343270b62bd21cbd547769b495fd60e76a87b49 | 44ACD7ADD905D7A0B986F2DAD515BF03B62BE0955AD753A0D0146AE35005801C | 404.48 KB, 404480 bytes |
| 22d4cbbc7167412a5ad0bd127c531be9 | 6b5761380110882316b4282123e21feb071dfb7b | 9BBB8A3EF2B3D714BFB5EC3AD3CF97AC4ADABE1E7713A039BEEA0C16D96919B7 | 1.17 MB, 1166848 bytes |
| 57fff3eb619bba880a46e8a9441e40e6 | 02d9605131efefa2db39447031557eccba435db4 | 12AA4C246D71E02CE38ACE0B6D3431C1ADE2F7E08D75B7009AB69FC5A72A505C | 404.48 KB, 404480 bytes |
| d52c0d3cf323deac78224e2d5a4776ae | 7fee15e579b7cfffccc9608466a26cdb11c0cae1 | A7308D72798010CB2AB1FC6B0A65BC5B7E50B98270733A74CA1B6D4A384ECE7A | 404.48 KB, 404480 bytes |
| 7e3dbfb1493b72f37a66abeace2acdc6 | 1169a854877035bc0524f3aea5556da848d0346a | DE662148A787BCD19C06C75AAA4B04083C56AA2DD417BF7CB5FFDFA488A4CAEB | 404.48 KB, 404480 bytes |
Windows Portable Executable Attributes
- File doesn't have "Rich" header
- File doesn't have debug information
- File doesn't have exports table
- File doesn't have security information
- File has TLS information
- File is 64-bit executable
- File is either console or GUI application
- File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
- File is Native application (NOT .NET application)
- File is not packed
- IMAGE_FILE_DLL is not set inside PE header (Executable)
- IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)
Windows PE Version Information
This section displays values and attributes that have been set in the Windows file version information data structure for samples within this family. To mislead users, malware actors often add fake version information mimicking legitimate software.

| Name | Value |
|---|---|
| File Description | RR Service |
| File Version | 11.1.2.9 |
| Original Filename | rrpoos.exe |
| Product Name | RR Service |
| Product Version | 11.1.2.9 |
File Traits
- CryptUnprotectData
- fptable
- No CryptProtectData
- No Version Info
- VirtualQueryEx
- WriteProcessMemory
- x64
Block Information
During analysis, EnigmaSoft breaks file samples into logical blocks for classification and comparison with other samples. Blocks can be used to generate malware detection rules and to group file samples into families based on shared source code, functionality and other distinguishing attributes and characteristics. This section lists a summary of this block data, as well as its classification by EnigmaSoft. A visual representation of the block data is also displayed, where available.

| Total Blocks: | 1,216 |
|---|---|
| Potentially Malicious Blocks: | 161 |
| Whitelisted Blocks: | 1,053 |
| Unknown Blocks: | 2 |
Visual Map
(The original page renders the per-block classification as a grid image; the individual cell values are not reproduced here. Legend used by the map:)
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block
Similar Families
This section lists other families that share similarities with this family, based on EnigmaSoft’s analysis. Many malware families are created from the same malware toolkits and use the same packing and encryption techniques but uniquely extend functionality. Similar families may also share source code, attributes, icons, subcomponents, compromised and/or invalid digital signatures, and network characteristics. Researchers leverage these similarities to rapidly and effectively triage file samples and extend malware detection rules.

- Agent.AVBM
- Gamehack.GSI
- PSW.Agent.FBA
Files Modified
This section lists files that were created, modified, moved and/or deleted by samples in this family. File system activity can provide valuable insight into how malware functions on the operating system.

| File | Attributes |
|---|---|
| c:\users\user\appdata\local\temp\log.txt | Generic Write,Read Attributes |
Windows API Usage
This section lists Windows API calls that are used by the samples in this family. Windows API usage analysis is a valuable tool that can help identify malicious activity, such as keylogging, security privilege escalation, data encryption, data exfiltration, interference with antivirus software, and network request manipulation.

| Category | API |
|---|---|
| Syscall Use | |
| Service Control | |
| Network Winhttp | |