Trojan.Confuser

Trojan.Confuser is a threatening software capable of injecting into a system. Computer users that encounter Trojan.Confuser on their machines may see fake warnings claiming that their machines have been infected by a virus. Trojan.Confuser may change permission policies and also may modify the Windows Registry. In many cases, Trojan Confuser ends up being installed because the user doesn't realize it has a harmful intent. The distribution of this threat is likely related to false Windows updates, as well as to the installation of third-party programs made to view a Web page and videos, the download of third-party applications, clicking on banners and advertisements, as well as the download of attachments or files through social media.

Trojan.Confuser also may display warning messages describing corrupted Windows system files. The removal of such files may compromise the affected systems, or even crash them. Computer users should keep in mind that these scan results and the problems described in the pop-up messages are fake. Trojan.Confuser also may disable installed software on your PC, such as anti-virus application or even the Windows firewall. The browser settings also may be affected so that it may hide its presence in a system. Trojan.Confuser may show security alerts similar to the ones listed below:

"Warning: Your computer is infected
Detected spyware infection!
Click this message to install the last update of security software…"

Table of Contents

Toggle

SpyHunter Detects & Remove Trojan.Confuser

Analysis Report

General information

Family Name:	Trojan.Confuser
Signature status:	No Signature

Known Samples

i

Known Samples

This section lists other file samples believed to be associated with this family.

MD5: 9ebbe4f78a508707c98b11cb27ce3076 SHA1: c03873c249c2f0bf7fc945ad1e155ee7f2023378 File Size: 59.90 KB, 59904 bytes

MD5: 1622cf46a2d785684706a888f554cba4 SHA1: dc2268ff0e1884d53ea87bab46ea6b66c4e78350 SHA256: 1ED4A80F08E932ED21B1F3DE372286DDB93D76A7D4CF943A4C326EC80B56EA61 File Size: 2.21 MB, 2212864 bytes

MD5: 5dfae2b96d8bc6790c29ec2ac85afe99 SHA1: db05a87beb16572c793142c9bc5e42e8cc37b063 SHA256: DFCFDB44CD6A19CA1A215DEDD9B90962141D31369867983345E6550D2D750996 File Size: 6.89 MB, 6886400 bytes

MD5: ccc24fa5f1bbb814e0c2544a73f806c7 SHA1: 105f091d0b90576748f58e92e11692f197d79bc1 SHA256: 999B6EFD21046A473816F0059FD07ED6D902C85D4AEBD978E81F629E4DEAE259 File Size: 5.30 MB, 5298688 bytes

MD5: 109d2c10f99e618a8b368f7b68e0d747 SHA1: baccf9b1a60f48d08df01249a2d5b8db3f83345d SHA256: 7DBAAE7A1111F93CC22784ECAF5E7D187EC1B8AB6B5525BBFA0D6B3460A37582 File Size: 165.89 KB, 165888 bytes

Show More

MD5: dda653586f0f81afffba9daabe344b92 SHA1: 5d0b808bc05e3940341a5cefab00b0c6229ac483 SHA256: D6D095EA74CD76D710EAC508CA73858FB1994624E78EC7B182C40B5592B490FB File Size: 43.52 KB, 43520 bytes

MD5: 4e2d25aa502ee615e964aae0b9414d8e SHA1: e20c5c76eb738eab2c5d89c0bd1c597abb3ee961 SHA256: C0DD63A6A61C2A02365485B7E1065EDF477B0132AED0709D2BBC37BEA7B5D62E File Size: 571.39 KB, 571392 bytes

MD5: 24fad267137f2f094a4d62b367669b76 SHA1: 1b225ef76228362ef249638ef95e583fcad9457d SHA256: B5A720F4C814BE9B2C00D534913A850C3C14D07372E397B1FF849EF7BA55279E File Size: 58.88 KB, 58880 bytes

MD5: 974d622c5e3f25b491ea3dabbf6b7909 SHA1: bd6e5ffe363eab56ad959669b995ffa22544aca6 SHA256: 83DAC4C9836BD72D587849A8C1C5F99124094645618C98659AE061A41D6060F5 File Size: 956.93 KB, 956928 bytes

Windows Portable Executable Attributes

i

Windows Portable Executable Attributes

This section lists file attributes found within family samples. These attributes are extracted from the files’ Windows PE (Portable Executable) specification and various system flags. Portable Executable Attributes give malware researchers insight into a file’s functionality, executable details, platform and runtime environment.

• File doesn't have "Rich" header
• File doesn't have debug information
• File doesn't have exports table
• File doesn't have security information
• File is .NET application
• File is 32-bit executable
• File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
• File is either console or GUI application
• File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
• File is not packed

Show More

• IMAGE_FILE_DLL is not set inside PE header (Executable)
• IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Icons

i

File Icons

This section displays icon resources found within family samples. Malware often replicates icons commonly associated with legitimate software to mislead users into believing the malware is safe.

Windows PE Version Information

i

Windows PE Version Information

This section displays values and attributes that have been set in the Windows file version information data structure for samples within this family. To mislead users, malware actors often add fake version information mimicking legitimate software.

Name	Value
Assembly Version	0.0.1.3 0.0.0.0
Comments	Paches AIM 6.0 to work with Phoenix
Company Name	MAXON Computer GmbH Wildman Productions
File Description	CINEMA 4D ® Phoenix6Patcher Setup
File Version	15, 0, 3, 7 0.0.1.3 0.0.0.0
Internal Name	CINEMA 4D ® crypted.exe Melter.A.exe Phoenix6Patcher.exe RDBM25.exe Setup.exe WerkZeugUebersicht.exe WrapperEnhancer1a.exe
Legal Copyright	Copyright © 1989-2013 Copyright © Wildman Productions 2020
Legal Trademarks	CINEMA 4D ®
Original Filename	CINEMA 4D.exe crypted.exe Melter.A.exe Phoenix6Patcher.exe RDBM25.exe Setup.exe WerkZeugUebersicht.exe WrapperEnhancer1a.exe
Product Name	CINEMA 4D ® Phoenix6Patcher
Product Version	15, 0, 3, 7 0.0.1.3 0.0.0.0

File Traits

• .NET
• 00 section
• 2+ executable sections
• Confuser
• Goliath
• HighEntropy
• Installer Version
• ntdll
• SmartAssembly
• x86

Show More

• Yano
• ZYXDN

Block Information

i

Block Information

During analysis, EnigmaSoft breaks file samples into logical blocks for classification and comparison with other samples. Blocks can be used to generate malware detection rules and to group file samples into families based on shared source code, functionality and other distinguishing attributes and characteristics. This section lists a summary of this block data, as well as its classification by EnigmaSoft. A visual representation of the block data is also displayed, where available.

Total Blocks:	18
Potentially Malicious Blocks:	2
Whitelisted Blocks:	9
Unknown Blocks:	7

Visual Map

? 0 0 0 0 0 0 0 0 0 ? ? ? x x ? ? ?

0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Similar Families

i

Similar Families

This section lists other families that share similarities with this family, based on EnigmaSoft’s analysis. Many malware families are created from the same malware toolkits and use the same packing and encryption techniques but uniquely extend functionality. Similar families may also share source code, attributes, icons, subcomponents, compromised and/or invalid digital signatures, and network characteristics. Researchers leverage these similarities to rapidly and effectively triage file samples and extend malware detection rules.

• HEUR.MSIL.Generic_268209
• MSIL.Downloader.Agent.IUE
• MSIL.Downloader.Agent.LC
• MSIL.Injector.XC
• MSIL.Small.FG

Files Modified

i

Files Modified

This section lists files that were created, modified, moved and/or deleted by samples in this family. File system activity can provide valuable insight into how malware functions on the operating system.

File	Attributes
c:\users\user\appdata\local\hulmoil\polmilh.exe	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\db05a87beb16572c793142c9bc5e42e8cc37b063_0006886400	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\users\user\downloads\tempfile	Generic Write,Read Attributes

Registry Modifications

i

Registry Modifications

This section lists registry keys and values that were created, modified and/or deleted by samples in this family. Windows Registry activity can provide valuable insight into malware functionality. Additionally, malware often creates registry values to allow itself to automatically start and indefinitely persist after an initial infection has compromised the system.

Key::Value	Data	API Name
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect		RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475		RegNtPreCreateKey
HKLM\system\controlset001\services\eventlog\application\gewatec::eventmessagefile	C:\Windows\Microsoft.NET\Framework\v4.0.30319\EventLogMessages.dll	RegNtPreCreateKey

Windows API Usage

i

Windows API Usage

This section lists Windows API calls that are used by the samples in this family. Windows API usage analysis is a valuable tool that can help identify malicious activity, such as keylogging, security privilege escalation, data encryption, data exfiltration, interference with antivirus software, and network request manipulation.

Category	API
Syscall Use	ntdll.dll!NtAlertThreadByThreadId ntdll.dll!NtAlpcConnectPortEx ntdll.dll!NtAlpcCreateSectionView ntdll.dll!NtAlpcQueryInformation ntdll.dll!NtAlpcSendWaitReceivePort ntdll.dll!NtApphelpCacheControl ntdll.dll!NtAssociateWaitCompletionPacket ntdll.dll!NtCancelTimer2 ntdll.dll!NtCancelWaitCompletionPacket ntdll.dll!NtClearEvent Show More ntdll.dll!NtClose ntdll.dll!NtCompareSigningLevels ntdll.dll!NtCreateEvent ntdll.dll!NtCreateFile ntdll.dll!NtCreateIoCompletion ntdll.dll!NtCreateMutant ntdll.dll!NtCreatePrivateNamespace ntdll.dll!NtCreateSection ntdll.dll!NtCreateSemaphore ntdll.dll!NtCreateThreadEx ntdll.dll!NtCreateTimer2 ntdll.dll!NtCreateWaitCompletionPacket ntdll.dll!NtCreateWorkerFactory ntdll.dll!NtDelayExecution ntdll.dll!NtDeviceIoControlFile ntdll.dll!NtDuplicateObject ntdll.dll!NtEnumerateKey ntdll.dll!NtEnumerateValueKey ntdll.dll!NtFlushProcessWriteBuffers ntdll.dll!NtFreeVirtualMemory ntdll.dll!NtGetCachedSigningLevel ntdll.dll!NtGetContextThread ntdll.dll!NtGetWriteWatch ntdll.dll!NtMapViewOfSection ntdll.dll!NtNotifyChangeKey ntdll.dll!NtOpenDirectoryObject ntdll.dll!NtOpenEvent ntdll.dll!NtOpenFile ntdll.dll!NtOpenKey ntdll.dll!NtOpenKeyEx ntdll.dll!NtOpenProcess ntdll.dll!NtOpenProcessToken ntdll.dll!NtOpenSection ntdll.dll!NtOpenThreadToken ntdll.dll!NtProtectVirtualMemory ntdll.dll!NtQueryAttributesFile ntdll.dll!NtQueryDefaultLocale ntdll.dll!NtQueryDirectoryFileEx ntdll.dll!NtQueryFullAttributesFile ntdll.dll!NtQueryInformationFile ntdll.dll!NtQueryInformationJobObject ntdll.dll!NtQueryInformationProcess ntdll.dll!NtQueryInformationThread ntdll.dll!NtQueryInformationToken ntdll.dll!NtQueryKey ntdll.dll!NtQueryLicenseValue ntdll.dll!NtQueryPerformanceCounter ntdll.dll!NtQueryPortInformationProcess ntdll.dll!NtQuerySecurityAttributesToken ntdll.dll!NtQuerySecurityObject ntdll.dll!NtQuerySystemInformation ntdll.dll!NtQuerySystemInformationEx ntdll.dll!NtQueryValueKey ntdll.dll!NtQueryVirtualMemory ntdll.dll!NtQueryVolumeInformationFile ntdll.dll!NtQueryWnfStateData ntdll.dll!NtReadFile ntdll.dll!NtReadRequestData ntdll.dll!NtReleaseMutant ntdll.dll!NtReleaseWorkerFactoryWorker ntdll.dll!NtResetWriteWatch ntdll.dll!NtResumeThread ntdll.dll!NtSetEvent ntdll.dll!NtSetInformationFile ntdll.dll!NtSetInformationKey ntdll.dll!NtSetInformationObject ntdll.dll!NtSetInformationProcess ntdll.dll!NtSetInformationThread ntdll.dll!NtSetInformationVirtualMemory ntdll.dll!NtSetInformationWorkerFactory ntdll.dll!NtSetTimer2 ntdll.dll!NtSubscribeWnfStateChange ntdll.dll!NtSuspendThread ntdll.dll!NtTestAlert ntdll.dll!NtTraceControl ntdll.dll!NtUnmapViewOfSection ntdll.dll!NtUnmapViewOfSectionEx ntdll.dll!NtUnsubscribeWnfStateChange ntdll.dll!NtWaitForAlertByThreadId ntdll.dll!NtWaitForMultipleObjects ntdll.dll!NtWaitForSingleObject ntdll.dll!NtWaitForWorkViaWorkerFactory ntdll.dll!NtWaitLowEventPair ntdll.dll!NtWorkerFactoryWorkerReady ntdll.dll!NtWriteFile ntdll.dll!NtWriteVirtualMemory ntdll.dll!NtYieldExecution UNKNOWN win32u.dll!NtUserGetKeyboardLayout win32u.dll!NtUserGetThreadState
User Data Access	GetComputerNameEx GetUserDefaultLocaleName GetUserObjectInformation
Encryption Used	BCryptOpenAlgorithmProvider CryptAcquireContext
Process Manipulation Evasion	NtUnmapViewOfSection
Process Shell Execute	CreateProcess ShellExecuteEx
Anti Debug	CheckRemoteDebuggerPresent IsDebuggerPresent NtQuerySystemInformation OutputDebugString
Other Suspicious	AdjustTokenPrivileges

Shell Command Execution

i

Shell Command Execution

This section lists Windows shell commands that are run by the samples in this family. Windows Shell commands are often leveraged by malware for nefarious purposes and can be used to elevate security privileges, download and launch other malware, exploit vulnerabilities, collect and exfiltrate data, and hide malicious activity.

c:\users\user\downloads\tempfile (NULL)

(NULL) C:\Users\Nfifkagk\AppData\Local\hulmoil\polmilh.exe