Trojan.Downloader.Small.G

By CagedTech in Trojans

Threat Scorecard

Popularity Rank:	19,414
Threat Level:	80 % (High)
Infected Computers:	63

First Seen:	July 24, 2009
Last Seen:	March 10, 2026
OS(es) Affected:	Windows

Table of Contents

Aliases

15 security vendors flagged this file as malicious.

Antivirus Vendor	Detection
TrendMicro	TROJ_DLOADE.FC
Sophos	Mal/Emogen-Y
Prevx1	High Risk Cloaked Malware
Panda	Trj/Downloader.MDW
McAfee-GW-Edition	Trojan.Spy.Gen
McAfee	Generic BackDoor!i
Ikarus	Trojan-Downloader.Win32.Small
Fortinet	W32/Small.HWH!tr.bdr
F-Secure	Backdoor.Win32.Small.hwh
eSafe	Win32.TRSpy
Comodo	Backdoor.Win32.Small.~ZZH
CAT-QuickHeal	Backdoor.Small.hwh
BitDefender	Generic.Malware.Fdld!!.74743761
AVG	BackDoor.Generic11.INQ
Avast	Win32:Spyware-gen

Analysis Report

General information

Family Name:	Trojan.Downloader.Small.G
Signature status:	No Signature

Known Samples

MD5: 583bffe0588d3a7ef2ae8d8f1e7f942d

SHA1: 4b0ddddf4dda4801b9312d836b6ae17fcce1ebc8

File Size: 32.26 KB, 32256 bytes

MD5: d17ec67702e1b0e87dc38e9b3ded5b65

SHA1: 0cc03592b4c65148a54090aff07a82e15646680b

File Size: 41.98 KB, 41984 bytes

MD5: de2f3fde23edd9fd0cce4f6638ba9b59

SHA1: edf923080b9514dbfa82dd6054ba27461d040933

SHA256: 22BD70AA16FD7AF4DD48C72F7B92FED19D4E4FC6F32642EA8C6C00E21FA2732C

File Size: 4.86 MB, 4859904 bytes

MD5: 152cb84edfe2c1ec8b114668d0ac0bdb

SHA1: 3b711cb1d8a37abbf89a3bd37d7a82ad709a068b

SHA256: 9CFED14A41DFE278AFE963C6EFC0E4DFC1DDC9DC5EB264B4D3B70561803AA7EB

File Size: 32.77 KB, 32768 bytes

MD5: 1317a4466d36d63af9dca13c3d2a5d0e

SHA1: 1b236db4448136f8a112de6557e469e48ef960d1

SHA256: 3BFDF6916F38D53DF53282E4E371643C612EA127A10B8876393CE16ECC91B16B

File Size: 3.00 MB, 2995200 bytes

MD5: 6cf57a585d5ffb6467f440f529908082

SHA1: d8a854558d13beb04a9d22c4d94279be4587082e

SHA256: 286A6EB6467CFDC3188BB068BAD15EF1C5B75BDB9D36D315FE2AF60D6F5B4970

File Size: 32.77 KB, 32768 bytes

MD5: a1b41697e182341e019a7d2062e527a2

SHA1: 316600b9685413462be91193fcd90e8deac4a7e8

SHA256: 9E8D2A9F5283D809492BF2C0BC971A2776659C2DF67D23723FC7521D8A5498DB

File Size: 32.77 KB, 32768 bytes

MD5: a2ce6fe5cdc0657bd41afb9cdd7f8a83

SHA1: 04204113fb070fe019c0d703cbd0089dc13811a7

SHA256: 0E0CDADCE7382A7541B993EF3A56F9130C1EFC33E8B62CFED6661AAC27B304F7

File Size: 31.74 KB, 31744 bytes

MD5: 262caef570a96a4816cd5884dc3f3906

SHA1: 962705ab63b362995ff29ed05fb98c2d59d8c122

SHA256: F7EB789A84D398E5BF55375C46A49A915662C04248BEF0BCF70181918FCE56FF

File Size: 2.64 MB, 2644992 bytes

MD5: ce762328d41330a6aab7a8431ee8b33a

SHA1: 1fce187d703066287e9845c8b66ca2647b1ee8b0

SHA256: 98101CA103D3C1A7EDCEE54E54ACCDB6CB1AE8FCA729562039B1CFF4C4FD8473

File Size: 31.74 KB, 31744 bytes

MD5: 159b797a4cec09fe8e53060d3a04458b

SHA1: ac18aaa6fdd87566b5955715bf15c1b77aee9795

SHA256: D6B20F4DAFA34302FA24492217135BBD29F4CA36D7019C011BD1851573EFDE7F

File Size: 31.23 KB, 31232 bytes

MD5: 769491ad724e5ab293b33bddce53d7e0

SHA1: 31813704f0c036d6be59e0f14a4a7758876dd9d4

SHA256: CBD6D9BFCC4BD21570A48E82A6891FA9271E4FA8247A285B4BF6AF1BE2FE6049

File Size: 31.74 KB, 31744 bytes

MD5: bcfb588391bed9c1f1b0839884b37bc9

SHA1: 56d537510b1a4e305f98669f3c7d7c3a39d6c7d0

SHA256: 7A6473082E6F45D4949835214A6F14E343C5224DA8ED7400DD44A6840A7F17FA

File Size: 32.77 KB, 32768 bytes

MD5: f0514c626e97010bc24d02da58e71dc0

SHA1: 03f89000ee777a29db46f1120836864130d9b12d

SHA256: AB7B9731EE0C98E3EA0A13BDB65B1CB0F651E4E0D5FB8C45CE3A5BE966FB0B1A

File Size: 41.98 KB, 41984 bytes

MD5: 20fc71355f901a925e72ee7e5a37bf49

SHA1: c3be71999be52f1216ded72de04a3ddfd8a411ed

SHA256: E2F55F45D78DF93AE7E01BCED9953DE4D5D48530DC26A795388DDA292CCDF8AF

File Size: 33.28 KB, 33280 bytes

MD5: dfce7816559907bd6706b01a1fb26f57

SHA1: 5b16272f28b077cbf598017cbfb00ad2ee3032c8

SHA256: 1B213A2C0C92828D10D1F5879B97B8A2927EE9FAE2D0D9BC170FF6DED7087E24

File Size: 2.28 MB, 2283008 bytes

MD5: 132911758b0f20f3a273941c4d9820d1

SHA1: e23cee9d4a69940de34b66e1ff617601ddba3b98

SHA256: E844015F01123F740C8BC614EBB60FCB0DD77ADCC5DCFE81EFEE1AC2321D4982

File Size: 33.28 KB, 33280 bytes

Windows Portable Executable Attributes

File doesn't have "Rich" header
File doesn't have debug information
File doesn't have exports table
File doesn't have relocations information
File doesn't have resources
File doesn't have security information
File is 64-bit executable
File is either console or GUI application
File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
File is Native application (NOT .NET application)

File is not packed
IMAGE_FILE_DLL is not set inside PE header (Executable)
IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Icons

Windows PE Version Information

Name	Value
Company Name	Google Inc. Whatspam
File Description	Google Chrome Whatspam
File Title	chrome.exe Setup.exe
File Version	70,0,3538,110 2,2,9,0
Legal Copyright	Copyright 2017 Google Inc. All rights reserved. Copyright Â© 2023 Whatspam
Product Name	Google Chrome Whatspam
Product Version	70,0,3538,110 2,2,9,0

File Traits

HighEntropy
Installer Version
No Version Info
x64

Block Information

Total Blocks:	17
Potentially Malicious Blocks:	11
Whitelisted Blocks:	6
Unknown Blocks:	0

Visual Map

x x x x x x 0 0 0 0 0 x x x 0 x x

0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Similar Families

Downloader.Small.G

Files Modified

File	Attributes
\device\namedpipe	Generic Read,Write Attributes
\device\namedpipe	Generic Write,Read Attributes
\device\namedpipe\pshost.133999280705687604.892.defaultappdomain.powershell	Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
c:\users\user\appdata\local\microsoft\windows\usrclass.dat{dba6b5ef-640a-11ed-9bcb-f677369d361c}.txr.2.regtrans-ms	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\__psscriptpolicytest_1kseerkh.xuq.psm1	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_audgpb3x.lse.psm1	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_bqrhnl5i.x4u.ps1	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_thax1kqq.5z0.ps1	Generic Write,Read Attributes

Registry Modifications

Key::Value	Data	API Name
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	墽ੰǛ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	உ앝ྡྷǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe	弼왶ྡྷǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	弼왶ྡྷǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	럁꾩他ǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	⚃䃟囈ǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	䂙妿ǜ	RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet		RegNtPreCreateKey

HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect		RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe	鏡䆃妿ǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	埇䆈妿ǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	鮯㎺兤ǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	⦈䏶彟ǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	❹犮惠ǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe	뮒玄惠ǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	᷉率惠ǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	ࡖ杧豿ǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	⩤밬颶ǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	巼鮿꟝ǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	饍ꤺǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	凉뉈스ǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe	燕닋스ǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	ﰀ닔스ǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	돎ᣨ켋ǜ	RegNtPreCreateKey

Windows API Usage

Category	API
Syscall Use	ntdll.dll!NtAccessCheck ntdll.dll!NtAccessCheckByType ntdll.dll!NtAddAtomEx ntdll.dll!NtAdjustPrivilegesToken ntdll.dll!NtAlertThreadByThreadId ntdll.dll!NtAllocateLocallyUniqueId ntdll.dll!NtAlpcAcceptConnectPort ntdll.dll!NtAlpcConnectPort ntdll.dll!NtAlpcConnectPortEx ntdll.dll!NtAlpcCreatePort Show More ntdll.dll!NtAlpcCreatePortSection ntdll.dll!NtAlpcCreateResourceReserve ntdll.dll!NtAlpcCreateSectionView ntdll.dll!NtAlpcCreateSecurityContext ntdll.dll!NtAlpcDeleteSecurityContext ntdll.dll!NtAlpcQueryInformation ntdll.dll!NtAlpcQueryInformationMessage ntdll.dll!NtAlpcSendWaitReceivePort ntdll.dll!NtAlpcSetInformation ntdll.dll!NtApphelpCacheControl ntdll.dll!NtAssociateWaitCompletionPacket ntdll.dll!NtCancelIoFileEx ntdll.dll!NtCancelTimer2 ntdll.dll!NtCancelWaitCompletionPacket ntdll.dll!NtClearEvent ntdll.dll!NtClose ntdll.dll!NtCompareSigningLevels ntdll.dll!NtConnectPort ntdll.dll!NtCreateEvent ntdll.dll!NtCreateFile ntdll.dll!NtCreateIoCompletion ntdll.dll!NtCreateKey ntdll.dll!NtCreateMutant ntdll.dll!NtCreateNamedPipeFile ntdll.dll!NtCreatePrivateNamespace ntdll.dll!NtCreateSection ntdll.dll!NtCreateSemaphore ntdll.dll!NtCreateThreadEx ntdll.dll!NtCreateTimer ntdll.dll!NtCreateTimer2 ntdll.dll!NtCreateUserProcess ntdll.dll!NtCreateWaitCompletionPacket ntdll.dll!NtCreateWorkerFactory ntdll.dll!NtDelayExecution ntdll.dll!NtDeleteValueKey ntdll.dll!NtDeviceIoControlFile ntdll.dll!NtDuplicateObject ntdll.dll!NtDuplicateToken ntdll.dll!NtEnumerateKey ntdll.dll!NtEnumerateValueKey ntdll.dll!NtFlushProcessWriteBuffers ntdll.dll!NtFreeVirtualMemory ntdll.dll!NtFsControlFile ntdll.dll!NtGetCachedSigningLevel ntdll.dll!NtGetContextThread ntdll.dll!NtImpersonateAnonymousToken ntdll.dll!NtMapViewOfSection ntdll.dll!NtNotifyChangeKey ntdll.dll!NtOpenDirectoryObject ntdll.dll!NtOpenEvent ntdll.dll!NtOpenFile ntdll.dll!NtOpenKey ntdll.dll!NtOpenKeyEx ntdll.dll!NtOpenProcess ntdll.dll!NtOpenProcessToken ntdll.dll!NtOpenProcessTokenEx ntdll.dll!NtOpenSection ntdll.dll!NtOpenSemaphore ntdll.dll!NtOpenSymbolicLinkObject ntdll.dll!NtOpenThread ntdll.dll!NtOpenThreadToken ntdll.dll!NtOpenThreadTokenEx ntdll.dll!NtProtectVirtualMemory ntdll.dll!NtQueryAttributesFile ntdll.dll!NtQueryDefaultLocale ntdll.dll!NtQueryDirectoryFile ntdll.dll!NtQueryDirectoryFileEx ntdll.dll!NtQueryEvent ntdll.dll!NtQueryFullAttributesFile ntdll.dll!NtQueryInformationFile ntdll.dll!NtQueryInformationJobObject ntdll.dll!NtQueryInformationProcess ntdll.dll!NtQueryInformationThread ntdll.dll!NtQueryInformationToken ntdll.dll!NtQueryKey ntdll.dll!NtQueryLicenseValue ntdll.dll!NtQueryObject ntdll.dll!NtQueryPerformanceCounter ntdll.dll!NtQuerySecurityAttributesToken ntdll.dll!NtQuerySecurityObject ntdll.dll!NtQuerySymbolicLinkObject ntdll.dll!NtQuerySystemInformation ntdll.dll!NtQuerySystemInformationEx ntdll.dll!NtQueryValueKey ntdll.dll!NtQueryVirtualMemory ntdll.dll!NtQueryVolumeInformationFile ntdll.dll!NtQueryWnfStateData ntdll.dll!NtQueueApcThreadEx2 ntdll.dll!NtReadFile ntdll.dll!NtReadVirtualMemory 71 additional items are not displayed above.
Process Shell Execute	CreateProcess WriteConsole
Encryption Used	BCryptOpenAlgorithmProvider
Anti Debug	IsDebuggerPresent NtQuerySystemInformation
User Data Access	GetUserDefaultLocaleName GetUserName GetUserNameEx GetUserObjectInformation
Other Suspicious	AdjustTokenPrivileges
Process Manipulation Evasion	NtUnmapViewOfSection
Process Terminate	TerminateProcess

Shell Command Execution


							C:\WINDOWS\System32\conhost.exe "C:\WINDOWS\System32\conhost.exe" "/sihost64"


							C:\WINDOWS\System32\conhost.exe "C:\WINDOWS\System32\conhost.exe" "sphfxnixujcupoi"


							C:\WINDOWS\System32\conhost.exe "C:\WINDOWS\System32\conhost.exe" "c:\users\user\downloads\edf923080b9514dbfa82dd6054ba27461d040933_0004859904"


							C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe powershell  -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"


							C:\WINDOWS\System32\conhost.exe "C:\WINDOWS\System32\conhost.exe" ""


									C:\WINDOWS\system32\schtasks.exe schtasks  /delete /f /tn "RuntimeBroker"


									WriteConsole: Access is denied


									C:\WINDOWS\System32\conhost.exe "C:\WINDOWS\System32\conhost.exe" "c:\users\user\downloads\962705ab63b362995ff29ed05fb98c2d59d8c122_0002644992"


									C:\WINDOWS\system32\schtasks.exe schtasks  /delete /f /tn "services64"


									C:\WINDOWS\System32\conhost.exe "C:\WINDOWS\System32\conhost.exe" "figngyavggkxqy"


									C:\WINDOWS\System32\conhost.exe "C:\WINDOWS\System32\conhost.exe" "c:\users\user\downloads\5b16272f28b077cbf598017cbfb00ad2ee3032c8_0002283008"


									C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe powershell  -Command "Add-MpPreference -ExclusionPath @(($pwd).path

Trojan.Downloader.Small.G

Threat Scorecard

EnigmaSoft Threat Scorecard

Aliases

Analysis Report

General information

Known Samples

Known Samples

Windows Portable Executable Attributes

Windows Portable Executable Attributes

File Icons

File Icons

Windows PE Version Information

Windows PE Version Information

File Traits

Block Information

Block Information

Visual Map

Similar Families

Similar Families

Files Modified

Files Modified

Registry Modifications

Registry Modifications

Windows API Usage

Windows API Usage

Shell Command Execution

Shell Command Execution

Submit Comment

Related Posts

Trending

Most Viewed