Trojan.Agent.FSB
Analysis Report
General information
| Family Name: | Trojan.Agent.FSB |
|---|---|
| Signature status: | No Signature |
Known Samples
This section lists other file samples believed to be associated with this family.

| MD5 | SHA1 | SHA256 | File Size |
|---|---|---|---|
| a25a0b24682b8b21602d020b2d2d37fc | cbb7e5ee9b0b056b35bbcf8f233b3cbac1e26fed | C5C302AC7328A6EA059377AE1853E7606F4DFB254372041730E3C0C9C7A5A286 | 1.76 MB, 1764864 bytes |
| a2d805821676e410844fd3d0094adb46 | 479c97787d2e030fff7a562f74a66e69f05d7b38 | 26DAC5B2B6BB5E6ECC0DE7DC3A325955B853AAC9FD7DC2B82FF80C1088AF17D1 | 1.76 MB, 1764864 bytes |
| 4a432eceb93700d7737d2064109f826f | d1feaa34d55c2c04c49a0559b22da2b73128f376 | 5B78217BCC254D3FBDFA8C76348D8219137CCD730B1285BD1DC0A10981C679A4 | 3.10 MB, 3100672 bytes |
| 854c432d77c4ea56a9eb4b51b5d074c5 | d390c1d107c38582f000ffafff55efa05fe13a7e | CD5C6D84DA7CAA6E330A6D2AD222327C805B174C414634B76DB7CBBA30C06E9C | 3.04 MB, 3036552 bytes |
| c989ca0af656aca9530a5defea4eef03 | cdbc30a83b95043946e45accb674c7fe1f6e2643 | 0EB087AB793E840C3515281E6B220686A8ADE86AE1AB572627A3B7F18A1209EA | 2.97 MB, 2969600 bytes |
| e0a1e1497be4b8b6f8213d983ad93869 | 42ee7128dda33182f8b1cc8ba6b08ef470166074 | 4888B856BAA3BC25E03EA05AC02B02C02D0E8E71F082638C215F7EB38FD975CE | 1.76 MB, 1764864 bytes |
| aed36b5c19597f1398cea5148e699190 | f47707449b411599a1653cadce8f82b1b3df0e2e | 442F10423E8B91EFD0183A51DD6146EE8861456147AA1D6B36AAF92E6AC45A7C | 2.87 MB, 2868616 bytes |
| d4e10067256d0f7078af4eca29f60df5 | eea0744271208439ad73dad77d6b278c82495989 | 5AB634A4769C7FC11752FD8E57DA1B89B283898DC525191C2E0522740A53F454 | 2.96 MB, 2958728 bytes |
| 40df8cf9d4e5ca88f0ccfd8307200ac8 | 442a2819d341fca2b61b6e151c0ddb7d2eb80a86 | 3CB11CEB387CE13DD3B9EA455C03CACF122579B79D9B6A5D999A172405489E6F | 2.16 MB, 2157184 bytes |
| 2f8e47bbb8f3551c5024e125606aad60 | 55d131635b3d3bcf19db4a3a36c79956b3a87615 | 685CEBF4E1E97BE10477DAC69E68E8BC67CE857AFD030E8526FFDD5C0B5E248D | 1.99 MB, 1993046 bytes |
| 5d81e8c99df3c1e1be34bd2e2230dc9b | a6b7ab2f834891a7cfc20db477a92d9b8b27df69 | 57CD2FB76A8D9D7B6BED27511A7F4C390AFA1365557205750E3CB87982BB6FB1 | 1.76 MB, 1764864 bytes |
Windows Portable Executable Attributes
- File doesn't have "Rich" header
- File doesn't have exports table
- File doesn't have relocations information
- File doesn't have security information
- File is 32-bit executable
- File is either console or GUI application
- File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
- File is Native application (NOT .NET application)
- File is not packed
- IMAGE_FILE_DLL is not set inside PE header (Executable)
- IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)
File Icons
This section displays icon resources found within family samples. Malware often replicates icons commonly associated with legitimate software to mislead users into believing the malware is safe.
Windows PE Version Information
This section displays values and attributes that have been set in the Windows file version information data structure for samples within this family. To mislead users, malware actors often add fake version information mimicking legitimate software.

| Name | Value |
|---|---|
| Company Name | |
| File Description | |
| File Version | |
| Internal Name | |
| Legal Copyright | |
| Original Filename | |
| Product Name | |
| Product Version | |
| Special Build | |
Digital Signatures
This section lists digital signatures that are attached to samples within this family. When analyzing and verifying digital signatures, confirm that the signature's root authority is a well-known and trustworthy entity and that the status of the signature is good. Malware is often signed with untrustworthy "self-signed" digital signatures (which a malware author can create with no verification). Malware may also carry legitimate signatures with an invalid status, or signatures from questionable root authorities with fake or misleading "Signer" names.

| Signer | Root | Status |
|---|---|---|
| Symantec Corporation | VeriSign Class 3 Code Signing 2004 CA | Hash Mismatch |

A Hash Mismatch status means the image digest embedded in the Authenticode signature no longer matches the file: the bytes were changed after signing (by patching the image, or by appending data past the last section, which the "big overlay" trait below would also produce), or a signature block was transplanted from another file. The legitimate signer name therefore provides no assurance for these samples, which is consistent with the "No Signature" status in General information. Read together with the Ghost file-association entries under Registry Modifications, the signer is consistent with a tampered or repurposed Symantec Ghost executable; treat the signer name as untrusted.
File Traits
- 2+ executable sections
- big overlay
- HighEntropy
- SusSec
- x86
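The script below is an added example, not EnigmaSoft's tooling and not code from this report. Using only the Python standard library, it re-derives the attributes listed under Windows Portable Executable Attributes (32-bit, GUI subsystem, no exports, relocations or security directory, no Rich header, executable image rather than DLL, not .NET), the File Traits above (count of executable sections, overlay size, per-section entropy) and, for the Digital Signatures section, the image hash that an Authenticode signature covers, which is the value a "Hash Mismatch" verdict is comparing against. The function names, the constructed `build_sample_pe()` image and its section names are the example's own; nothing here is derived from the family's samples.

```python
"""Stdlib-only PE triage for the attributes and traits listed in this report.
Added example, not EnigmaSoft's tooling: analyze_pe() re-derives the header
flags, executable-section count, overlay size and per-section entropy;
authenticode_digest() computes the image hash an Authenticode signature covers
(what a "Hash Mismatch" verdict compares); build_sample_pe() is a constructed PE32."""
import hashlib
import math
import struct
from collections import Counter

IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_DLL = 0x0002, 0x2000
IMAGE_SUBSYSTEM_WINDOWS_GUI = 2
IMAGE_SCN_MEM_EXECUTE = 0x20000000
DIR_EXPORT, DIR_SECURITY, DIR_BASERELOC, DIR_CLR = 0, 4, 5, 14


def shannon_entropy(blob: bytes) -> float:
    """Bits per byte: 0.0 for a constant run, 8.0 for a uniform byte mix."""
    n = len(blob)
    if not n:
        return 0.0
    return max(0.0, -sum(c / n * math.log2(c / n) for c in Counter(blob).values()))


def _layout(data: bytes):
    """Offsets of the PE signature, optional header and data-directory array."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 24                                        # signature + 20-byte COFF header
    is_pe32 = struct.unpack_from("<H", data, opt)[0] == 0x10B  # 0x20B would be PE32+
    return e_lfanew, opt, is_pe32, opt + (96 if is_pe32 else 112)


def analyze_pe(data: bytes) -> dict:
    e_lfanew, opt, is_pe32, dirs_off = _layout(data)
    nsections, opt_size, chars = struct.unpack_from("<H12xHH", data, e_lfanew + 6)
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    ndirs = struct.unpack_from("<I", data, dirs_off - 4)[0]

    def dir_size(i):  # Size field of data directory i, 0 if that directory is absent
        return struct.unpack_from("<II", data, dirs_off + 8 * i)[1] if i < ndirs else 0

    sections, end_of_data = [], 0
    for i in range(nsections):
        name, _, _, rawsize, rawptr, *_, scn = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "executable": bool(scn & IMAGE_SCN_MEM_EXECUTE),
                         "entropy": round(shannon_entropy(data[rawptr:rawptr + rawsize]), 2)})
        end_of_data = max(end_of_data, rawptr + rawsize)
    return {
        "is_32bit": is_pe32,
        "is_executable_image": bool(chars & IMAGE_FILE_EXECUTABLE_IMAGE),
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "is_gui": subsystem == IMAGE_SUBSYSTEM_WINDOWS_GUI,
        "has_rich_header": b"Rich" in data[:e_lfanew],    # the Rich block precedes the PE signature
        "has_exports": dir_size(DIR_EXPORT) > 0,
        "has_relocations": dir_size(DIR_BASERELOC) > 0,
        "has_security_dir": dir_size(DIR_SECURITY) > 0,   # where an Authenticode blob would live
        "is_dotnet": dir_size(DIR_CLR) > 0,
        "executable_sections": sum(s["executable"] for s in sections),
        "overlay_size": len(data) - end_of_data,          # bytes past the last section's raw data
        "sections": sections,
    }


def authenticode_digest(data: bytes, algo: str = "sha256") -> str:
    """Image hash as Authenticode defines it: every byte except the CheckSum
    field, the security directory entry and the certificate blob. Simplified:
    assumes sections are in file order and the certificate table, if any, is
    the last thing in the file, as in well-formed images. Any other change
    (patched code, an appended overlay) changes the result."""
    _, opt, _, dirs_off = _layout(data)
    checksum_off, sec_entry = opt + 64, dirs_off + 8 * DIR_SECURITY
    cert_off, cert_len = struct.unpack_from("<II", data, sec_entry)  # raw file offset, not an RVA
    h = hashlib.new(algo)
    h.update(data[:checksum_off])
    h.update(data[checksum_off + 4:sec_entry])
    h.update(data[sec_entry + 8:cert_off if cert_len else len(data)])
    return h.hexdigest()


def build_sample_pe(overlay: bytes = b"\xAA" * 4096) -> bytes:
    """Constructed PE32, not a real sample: two executable sections (one constant
    bytes, one uniform), all 16 data directories empty, then an overlay."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, IMAGE_FILE_EXECUTABLE_IMAGE | 0x0100)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic
    struct.pack_into("<H", opt, 68, IMAGE_SUBSYSTEM_WINDOWS_GUI)
    struct.pack_into("<I", opt, 92, 16)                            # NumberOfRvaAndSizes
    def section(name, rva, raw):
        return struct.pack("<8sIIIIIIHHI", name, 0x200, rva, 0x200, raw, 0, 0, 0, 0,
                           IMAGE_SCN_MEM_EXECUTE | 0x20)
    headers = (dos + b"PE\0\0" + coff + bytes(opt) + section(b".text", 0x1000, 0x200)
               + section(b".code2", 0x2000, 0x400)).ljust(0x200, b"\0")
    return headers + b"\x90" * 0x200 + bytes(range(256)) * 2 + overlay
```

On a real sample, `overlay_size` is what the "big overlay" trait measures and a section entropy near 8 bits/byte is what "HighEntropy" flags; an unpacked image with such sections usually carries compressed or encrypted payload data. Comparing `authenticode_digest()` with the digest stored inside the signature's SpcIndirectDataContent is the actual Hash Mismatch check; extracting that stored digest needs an ASN.1 parser and is left out here.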
Block Information
During analysis, EnigmaSoft breaks file samples into logical blocks for classification and comparison with other samples. Blocks can be used to generate malware detection rules and to group file samples into families based on shared source code, functionality and other distinguishing attributes and characteristics. This section lists a summary of this block data, as well as its classification by EnigmaSoft. A visual representation of the block data is also displayed, where available.

| Total Blocks: | 13,577 |
|---|---|
| Potentially Malicious Blocks: | 7,700 |
| Whitelisted Blocks: | 5,877 |
| Unknown Blocks: | 0 |
Visual Map
[Per-block classification grid rendered in the original report; omitted here, and truncated in the source. Legend:]
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block
Similar Families
This section lists other families that share similarities with this family, based on EnigmaSoft's analysis. Many malware families are created from the same malware toolkits and use the same packing and encryption techniques but uniquely extend functionality. Similar families may also share source code, attributes, icons, subcomponents, compromised and/or invalid digital signatures, and network characteristics. Researchers leverage these similarities to rapidly and effectively triage file samples and extend malware detection rules.
- Agent.FSB
Files Modified
This section lists files that were created, modified, moved and/or deleted by samples in this family. File system activity can provide valuable insight into how malware functions on the operating system. The `<sha1>_<size>` entries under `c:\users\user\downloads` are the sandbox's own copies of the samples (the SHA1 values appear in Known Samples). The handles opened on the `\\?\volume{...}` devices and on the `wkssvc` and `dav rpc service` named pipes (the Workstation service and WebDAV client RPC endpoints) are the kind of access that volume enumeration and UNC path resolution produce; like the MountPoints2 entry under Registry Modifications, they may partly reflect the analysis environment rather than behaviour specific to the family.

| File | Attributes |
|---|---|
| \\?\volume{a7c706ea-0000-0000-0000-100000000000} | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| \\?\volume{a7c706ea-0000-0000-0000-50e01f000000} | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| \device\namedpipe\dav rpc service | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| \device\namedpipe\wkssvc | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c: | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\downloads\42ee7128dda33182f8b1cc8ba6b08ef470166074_0001764864 | Generic Write,Read Attributes |
| c:\users\user\downloads\479c97787d2e030fff7a562f74a66e69f05d7b38_0001764864 | Generic Write,Read Attributes |
| c:\users\user\downloads\55d131635b3d3bcf19db4a3a36c79956b3a87615_0001993046 | Generic Write,Read Attributes |
| c:\users\user\downloads\a6b7ab2f834891a7cfc20db477a92d9b8b27df69_0001764864 | Generic Write,Read Attributes |
| c:\users\user\downloads\cbb7e5ee9b0b056b35bbcf8f233b3cbac1e26fed_0001764864 | Generic Write,Read Attributes |
Registry Modifications
This section lists registry keys and values that were created, modified and/or deleted by samples in this family. Windows Registry activity can provide valuable insight into malware functionality. Additionally, malware often creates registry values to allow itself to automatically start and indefinitely persist after an initial infection has compromised the system.

The four `shell\open\command` handlers point at 8.3 short names of the sandbox's sample files (`D390C1~1`, `CDBC30~1`, `F47707~1` and `EEA074~1` are the samples whose SHA1 values begin d390c1, cdbc30, f47707 and eea074 in Known Samples), so each of those samples registers itself as the handler for the `ghost` ProgID and the `.gho` extension. Writing under `HKLM\software\classes` requires administrative rights, so this activity was observed in an elevated context. In the API column, `RegNtPreCreateKey` is the kernel registry-callback notification under which the key creation was captured, not an API the sample itself imports. The `????-?????` characters in one `ghost` default value are non-ASCII text lost in extraction and are left as recorded.

| Key::Value | Data | API Name |
|---|---|---|
| HKLM\software\classes\ghost:: | Ghost image file | RegNtPreCreateKey |
| HKLM\software\classes\ghost\shell\open\command:: | c:\users\user\DOWNLO~1\D390C1~1 "%1" | RegNtPreCreateKey |
| HKLM\software\classes\.gho:: | Ghost | RegNtPreCreateKey |
| HKCU\software\microsoft\windows\currentversion\explorer\mountpoints2\##10.200.31.10#amas::_labelfromdesktopini | | RegNtPreCreateKey |
| HKLM\software\classes\ghost\shell\open\command:: | c:\users\user\DOWNLO~1\CDBC30~1 "%1" | RegNtPreCreateKey |
| HKLM\software\classes\ghost:: | ????-????? Ghost | RegNtPreCreateKey |
| HKLM\software\classes\ghost\shell\open\command:: | c:\users\user\DOWNLO~1\F47707~1 "%1" | RegNtPreCreateKey |
| HKLM\software\classes\ghost\shell\open\command:: | c:\users\user\DOWNLO~1\EEA074~1 "%1" | RegNtPreCreateKey |
Windows API Usage
This section lists Windows API calls that are used by the samples in this family. Windows API usage analysis is a valuable tool that can help identify malicious activity, such as keylogging, privilege escalation, data encryption, data exfiltration, interference with antivirus software, and network request manipulation.

| Category | API |
|---|---|
| Anti Debug | |
| Process Manipulation Evasion | |
| Other Suspicious | |
| Service Control | |
| Keyboard Access | |