Trojan.Agent.DFCF
Analysis Report
General information
| Family Name: | Trojan.Agent.DFCF |
|---|---|
| Signature status: | No Signature |
Known Samples
This section lists other file samples believed to be associated with this family.
Windows Portable Executable Attributes
- File doesn't have "Rich" header
- File doesn't have debug information
- File doesn't have security information
- File has exports table
- File has TLS information
- File is 64-bit executable
- File is either console or GUI application
- File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
- File is Native application (NOT .NET application)
- File is not packed
- IMAGE_FILE_DLL is not set inside PE header (Executable)
- IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)
Windows PE Version Information
This section displays values and attributes that have been set in the Windows file version information data structure for samples within this family. To mislead users, malware actors often add fake version information mimicking legitimate software.

| Name | Value |
|---|---|
| Assembly Version | |
| Comments | Алматы Оптимизатор Процессов для оптимизации рабочих процессов (Russian: "Almaty Process Optimizer for optimizing workflows") |
| Company Name | (not displayed) |
| File Description | (not displayed) |
| File Version | (not displayed) |
| Internal Name | (not displayed) |
| Legal Copyright | (not displayed) |
| Original Filename | (not displayed) |
| Product Name | (not displayed) |
| Product Version | (not displayed) |
File Traits
- CryptUnprotectData
- dll
- HighEntropy
- VirtualAllocExNuma
- WriteProcessMemory
- x64
Block Information
During analysis, EnigmaSoft breaks file samples into logical blocks for classification and comparison with other samples. Blocks can be used to generate malware detection rules and to group file samples into families based on shared source code, functionality and other distinguishing attributes and characteristics. This section lists a summary of this block data, as well as its classification by EnigmaSoft. A visual representation of the block data is also displayed, where available.

| Total Blocks: | 10,024 |
|---|---|
| Potentially Malicious Blocks: | 211 |
| Whitelisted Blocks: | 9,797 |
| Unknown Blocks: | 16 |
Visual Map
[Block map image not reproduced here; the per-block data is truncated in the source.]
Legend: 0 - Probable Safe Block; ? - Unknown Block; x - Potentially Malicious Block
Similar Families
This section lists other families that share similarities with this family, based on EnigmaSoft's analysis. Many malware families are created from the same malware toolkits and use the same packing and encryption techniques but uniquely extend functionality. Similar families may also share source code, attributes, icons, subcomponents, compromised and/or invalid digital signatures, and network characteristics. Researchers leverage these similarities to rapidly and effectively triage file samples and extend malware detection rules.

- Agent.DFCF
- Agent.DFCG
- Agent.DFD
- Agent.DFW
- Agent.FGDS
- Agent.FGDT
- Agent.KOK
- AgentTesla.P
- AgentTesla.PA
- AgentTesla.PAA
- BypassUAC.AY
- Filecoder.XI
- Kryptik.OIB
- Kryptik.OID
- Kryptik.OIF
- Kryptik.PSB
- Kryptik.YKAC
- SnakeLogger.C
- SnakeStealer.A
- Trojan.Downloader.Gen.GJ
- XLoader.A
Windows API Usage
This section lists Windows API calls that are used by the samples in this family. Windows API usage analysis is a valuable tool that can help identify malicious activity, such as keylogging, security privilege escalation, data encryption, data exfiltration, interference with antivirus software, and network request manipulation.

| Category | API |
|---|---|
| Syscall Use | (not displayed) |

2 additional items are not displayed above.