
Trojan.Agent.OFTD

By CagedTech in Trojans

Analysis Report

General information

Family Name: Trojan.Agent.OFTD
Signature status: No Signature

Known Samples

Sample 1
MD5: a447c85a3d6ac46dfeb5b892ec351bbb
SHA1: 192fa2bf6c3f90826921731bc573eeb9b8bc6a81
SHA256: EE3EE59A6A17F96C1B3B16C949F1698AFB251FC6E2745B3337CB04786E5AFCFB
File Size: 919.04 KB, 919040 bytes

Sample 2
MD5: 950ea1bb99968b0bb20d6cde7164edc0
SHA1: 8671d1c17818902193876b5bc53be5b1eec5d0d4
SHA256: BCAB297C71E115324C8DE9973FCE550718404EDCA44CC9721724D77723E20B76
File Size: 2.39 MB, 2389043 bytes

Sample 3
MD5: cbb2693343f0ee8b6a60349e655b44be
SHA1: 9f0fb1dbadfb7a121f205174d242d11120854617
SHA256: 82523048DA2617D68DF83103D000C9D70940BB45105B5CF3D1B028DCA96D5899
File Size: 2.69 MB, 2688284 bytes

Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File doesn't have resources
  • File doesn't have security information
  • File has TLS information
  • File is 64-bit executable
  • File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
  • File is either console or GUI application
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)


Windows PE Version Information

Name               Value
Company Name       DiagNasty
File Description   Ford IDS Patcher
File Version       1.1.0.0
Internal Name      .exe
Original Filename  .exe
Product Name       Ford IDS Patcher
Product Version    1.1.0.0

The version strings present the file as a patcher for Ford's IDS diagnostic software, attributed to "DiagNasty" rather than to Ford. Note that version information is stored in the PE resource directory, so this table cannot describe the same file as the "File doesn't have resources" attribute above or the "No Version Info" trait below; the attributes and traits are presumably aggregated across the three samples listed above, and they should be re-derived per hash before any single one is relied on.

File Traits

  • big overlay
  • HighEntropy
  • No Version Info
  • WriteProcessMemory
  • x64
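The attributes and traits above (bitness, subsystem, DLL flag, which data directories exist, Rich header, overlay, entropy) are all cheap to re-derive from the file headers, which is the check to run before trusting an aggregated list. The following is an added example, not code from the analysis platform or from the page's author: a standard-library-only triage pass that recomputes the hashes and those header facts. It parses only what these attributes need (it does not walk the resource tree for version strings), and because the real samples are not embedded here it builds a constructed PE32+ image to run against; that image, its section layout and the 64-byte overlay are assumptions for the demo, not properties of Trojan.Agent.OFTD.

```python
import hashlib
import math
import struct

# Data-directory slots (PE/COFF spec order) behind the attributes in the report.
DIRS = {"export": 0, "resource": 2, "security": 4, "debug": 6, "tls": 9, "clr": 14}
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000
SUBSYSTEMS = {2: "IMAGE_SUBSYSTEM_WINDOWS_GUI", 3: "IMAGE_SUBSYSTEM_WINDOWS_CUI"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte in 0.0..8.0; packed or encrypted payloads sit close to 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_triage(data: bytes) -> dict:
    """Hashes plus the PE-header facts behind the report's attribute and trait lists."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    machine, nsections, _, _, _, opt_size, characteristics = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24                       # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    is_64 = magic == 0x20B                    # PE32+ (0x10B would be PE32)
    # NumberOfRvaAndSizes sits 16 bytes later in PE32+ because of the 64-bit size fields.
    ndirs_off = opt + (108 if is_64 else 92)
    ndirs = struct.unpack_from("<I", data, ndirs_off)[0]
    dirs = [struct.unpack_from("<II", data, ndirs_off + 4 + 8 * i) for i in range(min(ndirs, 16))]

    def present(name: str) -> bool:           # a directory counts only if its Size is non-zero
        idx = DIRS[name]
        return idx < len(dirs) and dirs[idx][1] != 0

    # Section table: bytes beyond the last raw section are the overlay ("big overlay" trait).
    sec = opt + opt_size
    raw_end = 0
    for i in range(nsections):
        size_raw, ptr_raw = struct.unpack_from("<II", data, sec + 40 * i + 16)
        raw_end = max(raw_end, ptr_raw + size_raw)
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest().upper(),
        "size": len(data),
        "is_64bit": is_64,
        "machine": hex(machine),
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        "is_executable_image": bool(characteristics & IMAGE_FILE_EXECUTABLE_IMAGE),
        "subsystem": SUBSYSTEMS.get(subsystem, hex(subsystem)),
        "has_rich_header": b"Rich" in data[0x40:e_lfanew],   # Rich block sits between DOS stub and PE signature
        "has_exports": present("export"),
        "has_resources": present("resource"),
        "has_security_info": present("security"),   # Authenticode certificate table
        "has_debug_info": present("debug"),
        "has_tls": present("tls"),
        "is_dotnet": present("clr"),
        "overlay_bytes": max(0, len(data) - raw_end),
        "entropy": round(shannon_entropy(data), 2),
    }


def build_synthetic_pe64(overlay: bytes = b"") -> bytes:
    """Constructed stand-in for a sample: a PE32+ console EXE whose only data directory
    is TLS, with one .text section and an optional overlay appended (not loadable)."""
    file_align = 0x200
    opt = bytearray(240)                                  # PE32+ optional header size
    struct.pack_into("<H", opt, 0, 0x20B)                 # Magic: PE32+
    struct.pack_into("<I", opt, 32, 0x1000)               # SectionAlignment
    struct.pack_into("<I", opt, 36, file_align)           # FileAlignment
    struct.pack_into("<H", opt, 68, 3)                    # IMAGE_SUBSYSTEM_WINDOWS_CUI
    struct.pack_into("<I", opt, 108, 16)                  # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 8 * DIRS["tls"], 0x2000, 0x28)  # TLS directory (RVA, size)
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, len(opt), IMAGE_FILE_EXECUTABLE_IMAGE)
    section = struct.pack("<8sIIIIIIHHI", b".text", 0x100, 0x1000, file_align, file_align,
                          0, 0, 0, 0, 0x60000020)          # CNT_CODE | MEM_EXECUTE | MEM_READ
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)               # e_lfanew: PE header right after DOS header
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + section).ljust(file_align, b"\0")
    text = bytes(range(256)) * 2                          # 0x200 bytes of raw .text
    return headers + text + overlay


if __name__ == "__main__":
    for key, value in pe_triage(build_synthetic_pe64(b"\xff" * 64)).items():
        print(f"{key:>20}: {value}")
```

Run `pe_triage(open(path, "rb").read())` against each of the three hashes above to see which sample each attribute actually belongs to; a non-zero `overlay_bytes` together with an entropy near 8 is what the "big overlay" and "HighEntropy" traits summarise, and an overlay that large in a console EXE usually deserves to be carved out and examined on its own.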

Block Information

Total Blocks: 3,903
Potentially Malicious Blocks: 696
Whitelisted Blocks: 3,023
Unknown Blocks: 184

Visual Map

0 0 0 ? ? ? ? ? 0 ? ? ? 0 0 ? ? ? x 0 ? ? ? ? ? 0 ? ? ? ? ? ? ? ? 0 ? ? ? ? ? ? ? ? ? ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 ? 0 0 0 0 0 0 0 0 ? 0 ? 0 0 0 0 ? 0 ? 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 ? 0 x 0 x x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 ? ? ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? ? ? x ? ? x 0 x 0 0 0 0 0 0 0 x 0 ? 0 ? 0 0 ? ? 0 ? ? 0 0 0 0 0 0 ? ? 0 0 0 0 ? ? 
0 0 0 x 0 x x x x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x x 0 0 x x x x 0 0 0 0 x x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 x 0 x x x 0 x 0 x x x x 0 0 x x 0 0 x x x x 0 0 0 0 0 x 0 x 0 0 0 x 0 0 0 x x 0 0 0 0 0 x x x 0 0 0 x 0 0 0 x 0 0 0 x x 0 0 0 x 0 0 x x 0 0 0 0 0 0 0 0 0 x x 0 0 x x x 0 0 0 0 0 0 0 0 0 0 0 x x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 ? 0 ? 0 0 ? ? 0 ? ? 0 0 0 0 0 0 ? ? 0 0 0 ? ? 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? 0 0 x x 0 0 0 ? 0 0 x x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x x ? 0 0 ? x ? x 0 x x ? x ? 0 ? ? 0 x 0 0 0 x x ? 0 0 ? x ? x 0 x x ? x x 0 ? x 0 ? ? 0 x 0 0 0 x 0 x x 0 0 0 0 ? 0 x 0 x x 0 0 0 0 ? 0 0 0 x 0 0 x 0 x x 0 0 0 0 ? 0 x 0 x x 0 0 0 0 ? 0 0 0 x 0 0 0 0 0 x x ? 0 x 0 ? 0 x 0 0 0 0 x x x 0 x 0 x 0 x 0 x 0 x x 0 x 0 x x x 0 0 0 0 0 0 0 0 1 x x x 0 ? 0 0 x x 0 0 0 ? 0 0 x x 0 0 ? 0 x 0 ? 0 x 0 x 0 ? 0 ? 0 x 0 ? 0 x 0 x 0 ? 0 x 0 0 0 0 0 0 0 0 0 0 0 0 x ? 0 0 0 0 0 0 0 0 0 0 0 0 ? ? ? 0 x 0 ? 0 x 0 x 0 ? 0 ? 0 x 0 ? 0 x 0 x 0 ? 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 ? 0 0 0 0 0 0 0 0 0 0 0 0 ? ? 0 x x x x x x x 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 x x x x x x x x 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 x 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 x x ? 0 0 ? x ? x 0 x x ? x ? 0 ? ? 0 x 0 0 0 x x ? 0 0 ? x ? x 0 x x ? x 0 0 ? 0 0 ? ? 0 x 0 0 0 x 0 x x 0 x 0 0 x 0 0 0 0 0 0 0 0 x 0 x x 0 0 0 x ? 0 x 0 x x 0 0 0 x ? 0 0 0 x x 0 x 0 x x 0 0 0 x ? 0 x 0 x x 0 0 0 x ? 0 0 0 x x 0 0 0 0 x x ? 0 x 0 ? 0 x 0 0 0 0 x x ? 0 x 0 ? 
0 x 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 x 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 x x x x 0 0 x 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 x x x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x x x 0 x x 0 x 0 x 0 x 0 x 0 x 0 x 0 x 0 x 0 x 0 x 0 x 0 x 0 0 0 0 0 0 0 0 0 0 0 0 ? ? 0 0 0 ? x 0 x 0 x 0 0 0 x 0 x 0 0 0 0 x 0 0 0 0 0 0 x x x 0 0 0 0 0 0 0 0 0 0 x 0 x 0 x x 0 0 x 0 0 x 0 x 0 x 0 x 0 x 0 0 x x 0 x 0 0 x 0 x 0 x 0 x 0 x 0 x x 0 x 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 x 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 x 0 0 x 0 0 0 x 0 0 x 0 0 0 0 0 0 0 0 0 0 0 x x x 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 x 0 0 x 0 0 ? ? ? 0 0 0 0 x 0 x 0 0 0 0 0 0 0 0 0 0 0 x x 0 0 x x x x 0 x x 0 1 0 0 0 0 0 0 0 0 1 0 0 0 x 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0
... Data truncated
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Similar Families

  • Disabler.X

Registry Modifications

Key: HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001
Value: \device\harddiskvolume2\windows\system32\cmd.exe
Data: ꓙ䦐ǜ
API Name: RegNtPreCreateKey

Key: HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001
Value: \device\harddiskvolume2\windows\system32\cmd.exe
Data: 玄ῥ鏎ǜ
API Name: RegNtPreCreateKey

Both entries sit in the Background Activity Moderator (BAM) state key for the analysis machine's user account (RID 1001). BAM is maintained by the operating system, not by the sample: the value name is the full device path of a program that was executed in that session, and the data is a 24-byte record whose first eight bytes are the FILETIME of the last execution. The entries therefore record that cmd.exe ran during the analysis, which is consistent with the sample spawning a command shell; they are not evidence that the sample wrote to the registry itself. The Data column is not text: the characters shown are most likely that binary record rendered as UTF-16 by the reporting tool, and the trailing "ǜ" (0x01DC read as a little-endian word) is the high word of a FILETIME, which places both timestamps between mid-2025 and mid-2026. RegNtPreCreateKey is the registry-callback notification class under which the access was observed.
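The two Data cells can be decoded rather than discarded. The following is an added example, not part of the original report: it reverses the UTF-16LE rendering to recover the raw BAM record and converts the leading FILETIME to a timestamp. It assumes the characters on the page are exactly what the tool emitted (no normalisation during extraction), and it treats the shorter entry as having lost its lowest 16 bits to an unprintable character, zero-filling them and flagging the result as partial, which bounds the error to about 6.5 ms.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# The two Data cells copied verbatim from the Registry Modifications table above.
REPORTED_BAM_DATA = ["ꓙ䦐ǜ", "玄ῥ鏎ǜ"]


def filetime_to_datetime(filetime: int) -> datetime:
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def bam_record_to_datetime(record: bytes) -> datetime:
    """Parse a raw BAM UserSettings value; only the leading FILETIME is meaningful here."""
    if len(record) < 8:
        raise ValueError("BAM record needs at least 8 bytes")
    return filetime_to_datetime(int.from_bytes(record[:8], "little"))


def decode_rendered_bam(text: str) -> dict:
    """Recover the FILETIME from a BAM value that a tool rendered as UTF-16LE text.

    The 16 bytes after the FILETIME are zero in the record, so they vanish as NULs
    when rendered and only the FILETIME's characters remain. If fewer than four
    characters survived, the missing low-order bytes are zero-filled (assumption:
    the dropped character was an unprintable low word) and the result is flagged.
    """
    raw = text.encode("utf-16-le")
    partial = len(raw) < 8
    raw = raw.rjust(8, b"\0")          # little-endian, so padding goes at the front
    filetime = int.from_bytes(raw, "little")
    return {"filetime": filetime,
            "timestamp": filetime_to_datetime(filetime),
            "partial": partial}


if __name__ == "__main__":
    for cell in REPORTED_BAM_DATA:
        info = decode_rendered_bam(cell)
        flag = " (low word lost, approximate)" if info["partial"] else ""
        print(f"{cell!r:12} -> 0x{info['filetime']:016X} -> {info['timestamp'].isoformat()}{flag}")
```

The decoded values give the last-execution time of cmd.exe in each run, which is the same data a forensic examiner would pull from the BAM key on a live host to build an execution timeline; on a real system, parse the value bytes directly with `bam_record_to_datetime` instead of round-tripping through a text rendering.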

Windows API Usage

Syscall Use
  • ntdll.dll!NtAccessCheck
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtClose
  • ntdll.dll!NtCreateFile
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtCreateSemaphore
  • ntdll.dll!NtDeviceIoControlFile
  • ntdll.dll!NtDuplicateToken
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenKeyEx
  • ntdll.dll!NtOpenProcessTokenEx
  • ntdll.dll!NtOpenThread
  • ntdll.dll!NtOpenThreadTokenEx
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryDirectoryFileEx
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQueryKey
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtReadRequestData
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationWorkerFactory
  • ntdll.dll!NtTerminateProcess
  • ntdll.dll!NtTestAlert
  • ntdll.dll!NtUnmapViewOfSection
  • ntdll.dll!NtWriteFile
  • ntdll.dll!NtWriteVirtualMemory
  • UNKNOWN (syscall the sandbox could not resolve to a name)
  • win32u.dll!NtUserGetKeyboardLayout
  • win32u.dll!NtUserGetThreadState

Other Suspicious
  • SetWindowsHookEx

Process Manipulation Evasion
  • NtUnmapViewOfSection

The list is of system calls observed during execution, not of imports, so it includes calls made on the sample's behalf by the loader and the CRT. NtUnmapViewOfSection is flagged under process manipulation because unmapping a section in a target process is commonly associated with process hollowing; on its own it is weak evidence, since loaders unmap sections routinely. What makes cross-process injection plausible here is the combination with NtCreateSection and NtMapViewOfSection, NtWriteVirtualMemory and NtProtectVirtualMemory, the WriteProcessMemory trait above, and SetWindowsHookEx. The report does not identify a target process, so this remains an inference to confirm in a sandbox with process-tree and memory-region logging.
