Trojan.Keylogger.QB
Analysis Report
General information
| Family Name: | Trojan.Keylogger.QB |
|---|---|
| Signature status: | No Signature |
Known Samples
This section lists other file samples believed to be associated with this family.
Windows Portable Executable Attributes
- File doesn't have "Rich" header
- File doesn't have exports table
- File doesn't have security information
- File has TLS information
- File is 32-bit executable
- File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
- File is either console or GUI application
- File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
- File is Native application (NOT .NET application)
- File is not packed
- IMAGE_FILE_DLL is not set inside PE header (Executable)
- IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)
File Icons
This section displays icon resources found within family samples. Malware often replicates icons commonly associated with legitimate software to mislead users into believing the malware is safe.
Windows PE Version Information
This section displays values and attributes that have been set in the Windows file version information data structure for samples within this family. To mislead users, malware actors often add fake version information mimicking legitimate software.
| Name | Value |
|---|---|
| Company Name | |
| File Description | |
| File Version | |
| Internal Name | |
| Legal Copyright | |
| Original Filename | |
| Product Name | |
| Product Version | |
File Traits
- 2+ executable sections
- Discord
- fptable
- GetConsoleWindow
- JMC
- No Version Info
- x86
Block Information
During analysis, EnigmaSoft breaks file samples into logical blocks for classification and comparison with other samples. Blocks can be used to generate malware detection rules and to group file samples into families based on shared source code, functionality and other distinguishing attributes and characteristics. This section lists a summary of this block data, as well as its classification by EnigmaSoft. A visual representation of the block data is also displayed, where available.
| Total Blocks: | 1,069 |
|---|---|
| Potentially Malicious Blocks: | 26 |
| Whitelisted Blocks: | 925 |
| Unknown Blocks: | 118 |
Visual Map
(Block map figure not reproduced in text; each block is shown with one of the legend symbols below.)
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block
Similar Families
This section lists other families that share similarities with this family, based on EnigmaSoft's analysis. Many malware families are created from the same malware toolkits and use the same packing and encryption techniques but uniquely extend functionality. Similar families may also share source code, attributes, icons, subcomponents, compromised and/or invalid digital signatures, and network characteristics. Researchers leverage these similarities to rapidly and effectively triage file samples and extend malware detection rules.
- Agent.FDTA
- Agent.FDTB
- Injector.DFD
- Keylogger.QB
- KillMBR.XB
- Lumma.DB
- Lumma.DC
- Lumma.DD
Files Modified
This section lists files that were created, modified, moved and/or deleted by samples in this family. File system activity can provide valuable insight into how malware functions on the operating system.
| File | Attributes |
|---|---|
| \device\namedpipe\pshost.134024420981280189.5740.defaultappdomain.powershell | Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288 |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_e52wlien.ylw.psm1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_stkdo5v0.21p.ps1 | Generic Write,Read Attributes |
Registry Modifications
This section lists registry keys and values that were created, modified and/or deleted by samples in this family. Windows Registry activity can provide valuable insight into malware functionality. Additionally, malware often creates registry values to allow itself to automatically start and indefinitely persist after an initial infection has compromised the system.
| Key::Value | Data | API Name |
|---|---|---|
| HKCU\software\microsoft\windows\currentversion\run::kerneldriverupneser | c:\users\user\downloads\880e265c2ebe3911ccbeb1124fe8f33f18b816c9_0003459072 | RegNtPreCreateKey |
Windows API Usage
This section lists Windows API calls that are used by the samples in this family. Windows API usage analysis is a valuable tool that can help identify malicious activity, such as keylogging, security privilege escalation, data encryption, data exfiltration, interference with antivirus software, and network request manipulation.
| Category | API |
|---|---|
| Network Wininet | |
| Process Shell Execute | |
| Syscall Use | |
| Anti Debug | |
| User Data Access | |
| Encryption Used | |
| Other Suspicious | |
Shell Command Execution
This section lists Windows shell commands that are run by the samples in this family. Windows Shell commands are often leveraged by malware for nefarious purposes and can be used to elevate security privileges, download and launch other malware, exploit vulnerabilities, collect and exfiltrate data, and hide malicious activity.
powershell.exe -Command "Set-ExecutionPolicy Bypass -Scope Process -Force