
Trojan.Diztakun.F

By CagedTech in Trojans

Threat Scorecard

Popularity Rank: 11,363
Threat Level: 80% (High)
Infected Computers: 477
First Seen: September 22, 2021
Last Seen: December 21, 2025
OS(es) Affected: Windows

Analysis Report

General information

Family Name: Trojan.Diztakun.F
Signature status: No Signature

Known Samples

MD5: 1f89d2bae569a5e8b8187aa37c29f726
SHA1: 5b5e1fec09b581db5b36bd6389faa582b98db438
SHA256: D69EDD193A85DE611A094E0F6BA3EA786741BA4F796891C7FBD1EC1E8885A716
File Size: 240.13 KB, 240128 bytes
MD5: fb66ec6d18a7fb904ec9b1731396b2fa
SHA1: b6f788a60a0c4b6ac22b0f29a10ed1a7e44a476b
SHA256: 96F5CDBB81B57E993BC729523F8F3B0146A68B5EF72CC27C31C3AC001B4EED25
File Size: 248.83 KB, 248832 bytes
MD5: 1ffa9d833ddf93923882202d32fa83cd
SHA1: da2dd2d84bb4dc23410f8c775365beaca6298106
SHA256: 3F9F5472B1B8AB4E34424C48AC4853D422FBB9D2840B2973A04F4F832B4B45A0
File Size: 47.62 KB, 47616 bytes

Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File doesn't have security information
  • File has TLS information
  • File is 32-bit executable
  • File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
  • File is either console or GUI application
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Icons

Windows PE Version Information

Company Name: 晨曦科技
File Version: 0.0.0.0
Product Version: 0.0.0.0

File Traits

  • 2+ executable sections
  • No Version Info
  • x86

Block Information

Total Blocks: 220
Potentially Malicious Blocks: 7
Whitelisted Blocks: 213
Unknown Blocks: 0

Visual Map

0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 x x x 0 x x 0
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Similar Families

  • Danabot.AD
  • Delf.OD
  • Diztakun.F

Files Modified

File | Attributes
\device\namedpipe | Generic Read, Write Attributes
\device\namedpipe | Generic Write, Read Attributes
c:\users\user\appdata\local\temp\0iruetas.bat | Generic Write, Read Attributes
c:\users\user\appdata\local\temp\4vmdeskd.bat | Generic Write, Read Attributes
c:\users\user\appdata\local\temp\8blde47m.bat | Generic Write, Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_wi4roqr5.1iy.ps1 | Generic Write, Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_xja41ks4.nas.psm1 | Generic Write, Read Attributes
c:\users\user\downloads\hwid.txt | Generic Write, Read Attributes

Registry Modifications

Key::Value | Data | API Name
HKLM\software\wow6432node\microsoft\cryptography\oid\encodingtype 0\cryptdllfindoidinfo\1.3.6.1.4.1.311.60.3.1!7::name | szOID_ROOT_PROGRAM_AUTO_UPDATE_CA_REVOCATION | RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\cryptography\oid\encodingtype 0\cryptdllfindoidinfo\1.3.6.1.4.1.311.60.3.2!7::name | szOID_ROOT_PROGRAM_AUTO_UPDATE_END_REVOCATION | RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\cryptography\oid\encodingtype 0\cryptdllfindoidinfo\1.3.6.1.4.1.311.60.3.3!7::name | szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL | RegNtPreCreateKey

Windows API Usage

Category / API
Process Shell Execute
  • CreateProcess
User Data Access
  • GetComputerName
  • GetComputerNameEx
  • GetUserDefaultLocaleName
  • GetUserObjectInformation
Process Manipulation Evasion
  • NtUnmapViewOfSection
Other Suspicious
  • AdjustTokenPrivileges
Encryption Used
  • BCryptOpenAlgorithmProvider
Anti Debug
  • NtQuerySystemInformation

Shell Command Execution

cmd.exe /c ""C:\Users\Eqegkfen\AppData\Local\Temp\8BLDE47M.bat" "c:\users\user\downloads\5b5e1fec09b581db5b36bd6389faa582b98db438_0000240128""
C:\WINDOWS\system32\chcp.com chcp 1256
C:\WINDOWS\system32\certutil.exe certutil -hashfile "c:\Users\user\downloads\5b5e1fec09b581db5b36bd6389faa582b98db438_0000240128" SHA256
C:\WINDOWS\system32\findstr.exe findstr /v "hash"
C:\WINDOWS\system32\tasklist.exe tasklist
C:\WINDOWS\system32\findstr.exe findstr /i "fiddler dnspy processhacker wireshark ollydbg x64dbg ida x32dbg cheatengine cheatengine-x86 cheatengine-x64"
C:\WINDOWS\system32\cmd.exe C:\WINDOWS\system32\cmd.exe /S /D /c" echo "
C:\WINDOWS\system32\findstr.exe findstr /i "Virtual VBox VMware QEMU Hyper"
C:\WINDOWS\system32\cmd.exe C:\WINDOWS\system32\cmd.exe /S /D /c" cd "
C:\WINDOWS\system32\findstr.exe findstr /i "temp downloads sandbox"
cmd.exe /c ""C:\Users\Rmtnhpyc\AppData\Local\Temp\0IRUETAS.bat" "c:\users\user\downloads\b6f788a60a0c4b6ac22b0f29a10ed1a7e44a476b_0000248832""
C:\WINDOWS\System32\taskkill.exe C:\WINDOWS\System32\taskkill /f /t /im "DongleServer.exe"
C:\WINDOWS\System32\taskkill.exe C:\WINDOWS\System32\taskkill /f /t /im "DentalDesktopServer.NTService.exe"
C:\WINDOWS\System32\sc.exe C:\WINDOWS\System32\sc config DentalUpdater start=auto
C:\WINDOWS\System32\sc.exe C:\WINDOWS\System32\sc config ThreeShapeDentalManagerService start=auto
C:\WINDOWS\System32\sc.exe C:\WINDOWS\System32\sc config DongleServerService start=auto
C:\WINDOWS\System32\sc.exe C:\WINDOWS\System32\sc config DentalDesktopServer start=auto
C:\WINDOWS\System32\net.exe C:\WINDOWS\System32\net start DongleServerService
C:\WINDOWS\System32\net.exe C:\WINDOWS\System32\net start ThreeShapeDentalManagerService
C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command "Get-Clipboard"
cmd.exe /c ""C:\Users\Eboyjhqh\AppData\Local\Temp\4VMDESKD.bat" "c:\users\user\downloads\da2dd2d84bb4dc23410f8c775365beaca6298106_0000047616""
C:\WINDOWS\system32\reg.exe reg query HKLM\hardware\devicemap\SERIALCOMM /v \Device\LG*ANDNETMDM*
C:\WINDOWS\system32\find.exe find "REG_SZ"