Trojan.Agent.Gen.BFU
Analysis Report
General information
| Family Name: | Trojan.Agent.Gen.BFU |
|---|---|
| Signature status: | Self Signed |
Known Samples
This section lists other file samples believed to be associated with this family.

| MD5 | SHA1 | SHA256 | File Size (bytes) |
|---|---|---|---|
| 3d05a258d959cd2dfb7d563b0832d450 | 5f7ab26eaeac3f592be6df60b6818d643e2f380f | 44D3F87A6F9DB7CCAF3351B780003CF037D0E0812AAEA02344AAB5BD60D802C3 | 248,320 |
| d989f9bf3ac9328b1bc8fe0c304f868d | d5d3b9664575adeff849f0529802a45d167ae029 | 174C7AAC21AF4D20555A0E489BD824E823893F1961C0824998BF011D494085E2 | 255,408 |
| 802860f6e42af5d56e973fd32f0a7438 | 548d78dfd386ae9c7ccebb4e725d94c1f963e381 | 19B9E7B4EEEEB710615FD5793047F6737756CF56B3C6375D573664FFEACAC694 | 255,440 |
| b027dd58602777dc7c60803113bcac06 | 57afc0e6902693086356405d02bb974745ef02f0 | 3667927752C68053635AE6F85BFF116851A0CC4E0393DAD9DB388FB7CD4F9A9A | 255,424 |
| edb01010ae80ac867d7efe7077db3bbf | 6c93d116fee4ba5dbdd0c85bf50dff78cfdebca2 | DCBFFBF636B79143AD34BF928FC833C1CADD29DAD5794773D1AE122AEC6D04BF | 255,416 |
| 5bcaf4b54d77c8ba59c506e418b8630a | 9228fc26dcf9470a7d38b45da25eb90dd713ccfe | 5871283E0A4508990EC6C657F26F601D830ED8765C67B44AE64B72869A23A7BF | 255,400 |
| 591a1870c366b677629e7e8bd12963a0 | ddbd803119c36a42be252db3b13c492b8a4d8469 | 20BD8DF3E41E74C15565D4E005C7DE3537BF722A48C81FD184237C4F89C74EAE | 255,424 |
| ccbb93e02b37678755f1371cb20aad77 | e0076b86c78f3b8d4925560c98b89874d5e3bccb | F5BD120A72E0B9D24426B053E7244254C87BB7F98A1467B72AC7988E28CA553A | 255,416 |
| 9246b4431897f8cac167f2df8da82e57 | 34c51cc36caab2930bc37ed070683fe26ffdde18 | 740CAE3A06CB37393359872A4E83D4486BD008794AAA68E71CC68EE671CF2337 | 255,408 |
| 0fbee042c1fb9dab86abeb8e847cc292 | ac7c0cdf743586d4f4fe6458049fd2b45ba69f9e | 339CFF5819CC7D2D0889C402D0255118BF45A66707D1CD879A4258C01FB36BC2 | 358,872 |
| 61856a1376866dcc7340a808b2f1c6eb | 1fb2c3e7c3ebe37bbe6350cb486bcb909409d468 | 58E19F3B2989C13294E2F15E6B482E4CEC35FA8B50A0AA1F5768DCCDB8F9EB56 | 356,824 |
| 5197426948a17d4d986e2b22860aec0c | 083fe8d4c52bbfe7e2366d433ccc127e67f9deda | F2260F6855F6B345FAD8403F7FAB5466E615CFE61ED741E3EACB14A4DDF89C31 | 403,928 |

Eight of the twelve samples fall within a 40-byte span (255,400 to 255,440 bytes), which is consistent with a single build being re-signed or lightly modified between samples rather than recompiled.
Windows Portable Executable Attributes
- File doesn't have "Rich" header
- File doesn't have security information
- File has exports table
- File has TLS information
- File is 64-bit executable
- File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
- File is either console or GUI application
- File is Native application (NOT .NET application)
- File is not packed
- IMAGE_FILE_DLL is not set inside PE header (Executable)
- IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)
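Every attribute in the list above except "File is not packed" can be read directly from the PE headers. The following is an added example, not code from this page or from EnigmaSoft: a standard-library-only Python parser that derives those header-level attributes (Rich header, certificate table, export and TLS directories, bitness, subsystem, CLR header, DLL and executable-image flags) and renders them in the report's wording. It also builds a constructed, header-only PE32+ stub so it can be exercised offline; the stub is not one of the samples listed above. Packing detection is an entropy and section-layout heuristic and is deliberately out of scope here.

```python
import struct
import sys

# Flag and constant values from winnt.h
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B
IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20B
IMAGE_SUBSYSTEM_WINDOWS_GUI = 2
IMAGE_SUBSYSTEM_WINDOWS_CUI = 3
# Data-directory slots consulted below
DIR_EXPORT, DIR_SECURITY, DIR_TLS, DIR_COM_DESCRIPTOR = 0, 4, 9, 14


def pe_attributes(data: bytes) -> dict:
    """Derive header-level attributes from the raw bytes of a PE file."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, _, _, _, _, opt_size, characteristics = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (IMAGE_NT_OPTIONAL_HDR32_MAGIC, IMAGE_NT_OPTIONAL_HDR64_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    is64 = magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC
    # Subsystem is at offset 68 in both PE32 and PE32+; NumberOfRvaAndSizes is at
    # 92 (PE32) or 108 (PE32+) and the data-directory array follows it directly.
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    ndirs_off = opt + (108 if is64 else 92)
    ndirs = min(struct.unpack_from("<I", data, ndirs_off)[0], 16)
    dirs = [struct.unpack_from("<II", data, ndirs_off + 4 + 8 * i) for i in range(ndirs)]

    def has_dir(i: int) -> bool:
        # A directory counts as present only when both RVA/offset and size are non-zero
        return i < len(dirs) and dirs[i][0] != 0 and dirs[i][1] != 0

    return {
        # The Rich header sits between the DOS stub and the PE signature; the
        # "Rich" marker is stored in the clear even though its body is XOR-masked.
        "rich_header": b"Rich" in data[0x40:e_lfanew],
        "security_info": has_dir(DIR_SECURITY),   # Authenticode certificate table
        "exports": has_dir(DIR_EXPORT),
        "tls": has_dir(DIR_TLS),                   # TLS callbacks run before the entry point
        "dotnet": has_dir(DIR_COM_DESCRIPTOR),     # CLR header present => managed assembly
        "is_64bit": is64,
        "machine": machine,
        "subsystem": subsystem,
        "console": subsystem == IMAGE_SUBSYSTEM_WINDOWS_CUI,
        "gui": subsystem == IMAGE_SUBSYSTEM_WINDOWS_GUI,
        "executable_image": bool(characteristics & IMAGE_FILE_EXECUTABLE_IMAGE),
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
    }


def describe(attrs: dict) -> list:
    """Render the attributes in the same wording as the report's list."""
    def has(flag):
        return "has" if flag else "doesn't have"
    return [
        "File %s \"Rich\" header" % has(attrs["rich_header"]),
        "File %s security information" % has(attrs["security_info"]),
        "File %s exports table" % has(attrs["exports"]),
        "File %s TLS information" % has(attrs["tls"]),
        "File is %s-bit executable" % (64 if attrs["is_64bit"] else 32),
        "File is %s application" % ("console" if attrs["console"] else "GUI" if attrs["gui"]
                                    else "subsystem %d" % attrs["subsystem"]),
        "File is %s application" % (".NET" if attrs["dotnet"] else "Native (NOT .NET)"),
        "IMAGE_FILE_DLL is %s inside PE header" % ("set (DLL)" if attrs["is_dll"] else "not set (Executable)"),
        "IMAGE_FILE_EXECUTABLE_IMAGE is %s inside PE header" % ("set" if attrs["executable_image"] else "not set"),
    ]


def build_stub_pe64(exports=True, tls=True, security=False, rich=False, dll=False) -> bytes:
    """Constructed header-only PE32+ image for offline testing; not a real sample."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    if rich:
        dos[0x70:0x74] = b"Rich"
    ndirs = 16
    opt_size = 112 + 8 * ndirs
    characteristics = IMAGE_FILE_EXECUTABLE_IMAGE | (IMAGE_FILE_DLL if dll else 0)
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_AMD64, 0, 0, 0, 0, opt_size, characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, IMAGE_NT_OPTIONAL_HDR64_MAGIC)
    struct.pack_into("<H", opt, 68, IMAGE_SUBSYSTEM_WINDOWS_CUI)
    struct.pack_into("<I", opt, 108, ndirs)

    def set_dir(i, rva, size):
        struct.pack_into("<II", opt, 112 + 8 * i, rva, size)

    if exports:
        set_dir(DIR_EXPORT, 0x3000, 0x80)
    if tls:
        set_dir(DIR_TLS, 0x4000, 0x28)
    if security:
        set_dir(DIR_SECURITY, 0x5000, 0x1000)  # for this slot the first field is a file offset
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Parse a real file when a path is given, otherwise the constructed stub
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_stub_pe64()
    for line in describe(pe_attributes(data)):
        print("-", line)
```

Run it against a real sample with `python pe_attrs.py sample.bin`; on the constructed stub it reproduces the report's first four lines and the 64-bit, console, native and executable-image lines. Note that "File has exports table" together with IMAGE_FILE_DLL clear, as reported for this family, is unusual for a console executable and is itself worth a second look during triage.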
Windows PE Version Information
This section displays values and attributes that have been set in the Windows file version information data structure for samples within this family. To mislead users, malware actors often add fake version information mimicking legitimate software. No version information values were recorded for this family.

| Name | Value |
|---|---|
| Company Name | |
| File Description | |
| File Version | |
| Internal Name | |
| Legal Copyright | |
| Original Filename | |
| Product Name | |
| Product Version | |
Digital Signatures
This section lists digital signatures that are attached to samples within this family. When analyzing and verifying digital signatures, it is important to confirm that the signature's root authority is a well-known and trustworthy entity and that the status of the signature is good. Malware is often signed with non-trustworthy "Self Signed" digital signatures, which a malware author can create with no verification at all. Malware may also be signed with legitimate certificates whose status is invalid (expired, revoked, or with a broken chain), or with certificates from questionable root authorities that carry fake or misleading "Signer" names. In this family every Signer name is copied from a well-known vendor, but the Root column repeats the same name: each certificate chains only to itself, so none of these signatures reaches a trusted CA and the vendor names provide no assurance.

| Signer | Root | Status |
|---|---|---|
| ASUSTeK Computer Inc. | ASUSTeK Computer Inc. | Self Signed |
| CPUID | CPUID | Self Signed |
| Google LLC | Google LLC | Self Signed |
| HandBrake Team | HandBrake Team | Self Signed |
| Logitech | Logitech | Self Signed |
| Microsoft Corporation | Microsoft Corporation | Self Signed |
| NVIDIA Corporation | NVIDIA Corporation | Self Signed |
| Razer Inc. | Razer Inc. | Self Signed |
| paint.net | paint.net | Self Signed |
File Traits
- dll
- HighEntropy
- ntdll
- x64
Block Information
During analysis, EnigmaSoft breaks file samples into logical blocks for classification and comparison with other samples. Blocks can be used to generate malware detection rules and to group file samples into families based on shared source code, functionality and other distinguishing attributes and characteristics. This section lists a summary of this block data, as well as its classification by EnigmaSoft. A visual representation of the block data is also displayed, where available.

| Total Blocks: | 912 |
|---|---|
| Potentially Malicious Blocks: | 49 |
| Whitelisted Blocks: | 863 |
| Unknown Blocks: | 0 |
Visual Map
The original page renders the block map graphically, one symbol per block for all 912 blocks in file order; it is not reproduced here. The map contains 49 x symbols, matching the Potentially Malicious count above, and they occur in a handful of contiguous runs within roughly the first quarter of the map rather than being spread through the file. A few blocks carry the symbols 1 and 2, which the legend below does not define.

0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block
Similar Families
This section lists other families that share similarities with this family, based on EnigmaSoft's analysis. Many malware families are created from the same malware toolkits and use the same packing and encryption techniques but uniquely extend functionality. Similar families may also share source code, attributes, icons, subcomponents, compromised and/or invalid digital signatures, and network characteristics. Researchers leverage these similarities to rapidly and effectively triage file samples and extend malware detection rules.

- Agent.OV
- Trojan.Agent.Gen.BFU
- Trojan.Agent.Gen.BNJ
Registry Modifications
This section lists registry keys and values that were created, modified and/or deleted by samples in this family. Windows Registry activity can provide valuable insight into malware functionality. Additionally, malware often creates registry values to allow itself to automatically start and indefinitely persist after an initial infection has compromised the system. The single entry recorded here was captured through a kernel registry callback: RegNtPreCreateKey is the REG_NOTIFY_CLASS value delivered before a key-creation request is processed, so it records an attempt to create (or open with create semantics) the listed key, not a confirmed write. The key itself is a per-user Windows notification-data location, not a known autostart location, so it should not be treated as a persistence indicator on its own.

| Key::Value | Data | API Name |
|---|---|---|
| HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75 | | RegNtPreCreateKey |
Windows API Usage
This section lists Windows API calls that are used by the samples in this family. Windows API usage analysis is a valuable tool that can help identify malicious activity, such as keylogging, security privilege escalation, data encryption, data exfiltration, interference with antivirus software, and network request manipulation. Only the category was recorded for this family; no individual API names are listed.

| Category | API |
|---|---|
| Syscall Use | |