Trojan.Krypt.KBAD
Analysis Report
General information
| Family Name: | Trojan.Krypt.KBAD |
|---|---|
| Signature status: | No Signature |
Known Samples
This section lists other file samples believed to be associated with this family.

| MD5 | SHA1 | SHA256 | File Size |
|---|---|---|---|
| 1bd20755071be0a3c03cf774bb8b73d8 | bf4d0b71d9593b2a6d1359f87c3a22bf16c07de9 | | 1.82 MB (1,822,180 bytes) |
| 2ed3f3e58b3012c8852b1bed8c4257ec | a096830380c467cffbf9a80a9a1194368577e0f3 | 44B6E17AF2DAABEC4C36E6F0233452513E7916D6D7A7991B31E5C4122B7A5735 | 2.08 MB (2,078,720 bytes) |
| 7d52c6ce3692cb2b8dd95953864fe69a | 1e383232fdc5bc1f07a041e8f491b3f4b1327224 | 8146B23BCE7CA5B14CB9CB8C1D28F3FBD3A8E74434727E0482383D2D23919D60 | 2.88 MB (2,875,392 bytes) |
| fdf61cce189fd553e586ac762ec4fc59 | e8ad8de52491373cafa96ff85d8e8e932eb6c6e8 | 979688B4D671393E5EF2C79C91C3E6521781C6E9B07964BA5AA81590A3F06A1B | 6.33 MB (6,334,628 bytes) |
| 44c823e560cb950e2a625a26dcf787bc | b24cc7da377e7aef904ef62ff9d909a2e1488869 | B5FFA41C75433700417BB357B0568B11BD3AB9C32E323F63BF56147ADF9A5F96 | 2.09 MB (2,085,787 bytes) |
| 2cddcf6a1751d22b6a7067ed9ec58395 | 21f1f8dfd86a9c669d2ddf8c9a0a998278546d50 | EC1817D02E1AE6671D5C5F48AF0ADB03DD211560AB41CD92A4ECE4C60B124249 | 1.79 MB (1,787,392 bytes) |

The SHA256 of the first sample is not given in the report.
Windows Portable Executable Attributes
- File doesn't have "Rich" header
- File doesn't have debug information
- File doesn't have resources
- File doesn't have security information (no Authenticode signature directory)
- File has exports table
- File has TLS information (a TLS directory is present)
- File is 32-bit executable
- File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
- File is either console or GUI application
- File is Native application (NOT .NET application)
- File is not packed (according to the packer check)
- IMAGE_FILE_DLL is not set inside PE header (Executable)
- IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)
File Traits
- big overlay
- dll
- HighEntropy
- ntdll
- x86

Read together with the attributes above, the samples are unsigned 32-bit images with an exports table and a TLS directory, carrying a large high-entropy overlay. A "not packed" verdict next to a high-entropy overlay is consistent with a crypter that appends its encrypted payload after the last section rather than wrapping the whole image, which fits the Krypt/Kryptik naming; the "dll" trait matches the rundll32 invocations listed under Shell Command Execution.
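As an added example (this is not EnigmaSoft's code or tooling), the following Python shows how the attributes and traits above are derived from the raw file: it walks the DOS, COFF and PE32 optional headers with `struct`, tests the data directories for exports, TLS, resources, debug and security (Authenticode) entries, looks for a Rich header between the DOS stub and the PE signature, and measures the size and Shannon entropy of the overlay past the last section. The `build_pe32` fixture constructs a synthetic, non-executable header-only image for offline use; it is not one of the listed samples, and only PE32 (not PE32+) offsets are handled.

```python
import math
import struct
from collections import Counter

# Indices into the optional header's data directory array (PE specification)
DIR_EXPORT, DIR_RESOURCE, DIR_SECURITY, DIR_DEBUG, DIR_TLS = 0, 2, 4, 6, 9
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000
IMAGE_SUBSYSTEM_WINDOWS_GUI = 2
IMAGE_SUBSYSTEM_WINDOWS_CUI = 3
IMAGE_FILE_MACHINE_I386 = 0x14C
PE32_MAGIC = 0x10B


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pe_attributes(data: bytes) -> dict:
    """Derive the report's header attributes and overlay traits from a raw PE32 file."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != PE32_MAGIC:
        raise ValueError("only PE32 handled; PE32+ shifts the directory offsets")
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]
    dirs = [struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(ndirs)]

    def has_dir(i: int) -> bool:
        return i < len(dirs) and dirs[i][1] != 0

    # Section headers follow the optional header; bytes past the last raw section are overlay
    sect = opt + opt_size
    raw_end = 0
    for i in range(nsections):
        size_raw, ptr_raw = struct.unpack_from("<II", data, sect + 40 * i + 16)
        raw_end = max(raw_end, ptr_raw + size_raw)
    overlay = data[raw_end:] if raw_end else b""
    return {
        "is_32bit": machine == IMAGE_FILE_MACHINE_I386,
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "executable_image": bool(chars & IMAGE_FILE_EXECUTABLE_IMAGE),
        "console": subsystem == IMAGE_SUBSYSTEM_WINDOWS_CUI,
        "has_exports": has_dir(DIR_EXPORT),
        "has_tls": has_dir(DIR_TLS),
        "has_resources": has_dir(DIR_RESOURCE),
        "has_debug": has_dir(DIR_DEBUG),
        "has_security": has_dir(DIR_SECURITY),       # Authenticode signature directory
        "has_rich": b"Rich" in data[0x40:e_lfanew],  # Rich header sits between DOS stub and PE header
        "overlay_size": len(overlay),
        "overlay_entropy": round(shannon_entropy(overlay), 2),
    }


def build_pe32(chars: int, subsystem: int, dirs: dict, overlay: bytes = b"") -> bytes:
    """Constructed fixture: a minimal, non-executable PE32 image with one 512-byte section."""
    ndirs, e_lfanew = 16, 0x80
    opt_size = 96 + 8 * ndirs
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, 1, 0, 0, 0, opt_size, chars)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<H", opt, 68, subsystem)
    struct.pack_into("<I", opt, 92, ndirs)
    for idx, (rva, size) in dirs.items():
        struct.pack_into("<II", opt, 96 + 8 * idx, rva, size)
    raw_ptr = raw_size = 0x200
    sect = b".text".ljust(8, b"\0") + struct.pack("<IIII", 0x1000, 0x1000, raw_size, raw_ptr) + b"\0" * 16
    image = (dos + b"PE\0\0" + coff + bytes(opt) + sect).ljust(raw_ptr, b"\0")
    return image + b"\xCC" * raw_size + overlay


if __name__ == "__main__":
    # Mirrors the report's profile: 32-bit console EXE with exports, TLS and a high-entropy overlay
    sample = build_pe32(IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_SUBSYSTEM_WINDOWS_CUI,
                        {DIR_EXPORT: (0x1000, 0x40), DIR_TLS: (0x1100, 0x18)},
                        overlay=bytes(range(256)) * 8)
    for key, value in pe_attributes(sample).items():
        print(f"{key:16} {value}")
```

Run it against a real file with `pe_attributes(open(path, "rb").read())`. An overlay entropy near 8 bits per byte on a file the packer check calls "not packed" is exactly the combination the traits list above reports.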
Block Information
During analysis, EnigmaSoft breaks file samples into logical blocks for classification and comparison with other samples. Blocks can be used to generate malware detection rules and to group file samples into families based on shared source code, functionality and other distinguishing attributes and characteristics. This section lists a summary of this block data, as well as its classification by EnigmaSoft. A visual representation of the block data is also displayed, where available.

| Total Blocks: | 7,680 |
|---|---|
| Potentially Malicious Blocks: | 2,724 |
| Whitelisted Blocks: | 4,956 |
| Unknown Blocks: | 0 |
Visual Map
Block map of the 7,680 blocks in file order, one cell per block (Data truncated: the page shows only the first part of the map).
- 0 - Probable Safe Block
- ? - Unknown Block
- x - Potentially Malicious Block
Similar Families
This section lists other families that share similarities with this family, based on EnigmaSoft's analysis. Many malware families are created from the same malware toolkits and use the same packing and encryption techniques but uniquely extend functionality. Similar families may also share source code, attributes, icons, subcomponents, compromised and/or invalid digital signatures, and network characteristics. Researchers leverage these similarities to rapidly and effectively triage file samples and extend malware detection rules.
- Danabot.RA
- Kryptik.KBDA
Windows API Usage
This section lists Windows API calls that are used by the samples in this family. Windows API usage analysis is a valuable tool that can help identify malicious activity, such as keylogging, security privilege escalation, data encryption, data exfiltration, interference with antivirus software, and network request manipulation. Only the category names are given here; the individual API calls under each category are not listed.

| Category | API |
|---|---|
| Syscall Use | |
| Process Shell Execute | |
| Anti Debug | |
Shell Command Execution
This section lists Windows shell commands that are run by the samples in this family. Windows Shell commands are often leveraged by malware for nefarious purposes and can be used to elevate security privileges, download and launch other malware, exploit vulnerabilities, collect and exfiltrate data, and hide malicious activity.

Each entry below gives the process image first (`C:\WINDOWS\SysWOW64\rundll32.exe`) and then its command line. The sandbox stores each sample as `<SHA1>_<size in bytes>` with no extension (the names match the hashes and byte counts in the Known Samples table), loads it as a module through rundll32.exe and calls its export `LiQMAxHB`. The command line names `system32\rundll32.exe` while the image actually runs from `SysWOW64`, which is what WOW64 file-system redirection does for a 32-bit caller and is consistent with the x86 trait above. For detection, the notable features are a rundll32 module loaded from a user's Downloads directory, a module name without a `.dll` extension, and an export name that does not belong to any standard system library.

- `C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\bf4d0b71d9593b2a6d1359f87c3a22bf16c07de9_0001822180.,LiQMAxHB`
- `C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\a096830380c467cffbf9a80a9a1194368577e0f3_0002078720.,LiQMAxHB`
- `C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\1e383232fdc5bc1f07a041e8f491b3f4b1327224_0002875392.,LiQMAxHB`
- `C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\e8ad8de52491373cafa96ff85d8e8e932eb6c6e8_0006334628.,LiQMAxHB`
- `C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\b24cc7da377e7aef904ef62ff9d909a2e1488869_0002085787.,LiQMAxHB`
- `C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\21f1f8dfd86a9c669d2ddf8c9a0a998278546d50_0001787392.,LiQMAxHB`
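As an added example (not part of EnigmaSoft's report), the Python below turns the rundll32 observations above into detection logic. It parses rundll32's `<module>,<entry point> [args]` syntax, including a quoted module path, and flags a module whose extension is not a library extension, a module loaded from a user-writable directory, or an entry point given by ordinal. The event lines are constructed in the same layout as the list above (image path, then command line): the first reproduces the report's first entry, the others are a benign control, a second suspicious case and a non-rundll32 process. The extension and directory lists are this example's own heuristics, not anything the report states.

```python
import re
from pathlib import PureWindowsPath

# rundll32 syntax: rundll32.exe <module>,<entry point> [arguments]; the image name may be quoted
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?"?\s+', re.IGNORECASE)
# Extensions rundll32 legitimately loads; ".", "" or anything else deserves a look (heuristic)
EXPECTED_EXT = {".dll", ".cpl", ".ocx", ".ax", ".drv"}
# Directory names an unprivileged user can write to (heuristic)
USER_WRITABLE = {"downloads", "temp", "appdata", "public", "desktop", "programdata"}


def parse_rundll32(cmdline: str):
    """Return (module, entry, args) from a rundll32 command line, or None if it is not one."""
    m = RUNDLL_RE.search(cmdline)
    if m is None:
        return None
    rest = cmdline[m.end():].lstrip()
    if rest.startswith('"'):                      # quoted module path, e.g. "C:\a b\x.dll",Entry
        close = rest.find('"', 1)
        close = len(rest) if close < 0 else close
        module, rest = rest[1:close], rest[close + 1:].lstrip()
        rest = rest[1:] if rest.startswith(",") else rest
    else:                                         # common unquoted form: path,Entry args
        module, _, rest = rest.partition(",")
    entry, _, args = rest.strip().partition(" ")
    return module.strip(), entry.strip(), args.strip()


def assess_rundll32(image: str, cmdline: str) -> list:
    """Reasons a rundll32 process-creation event deserves attention (empty list = nothing found)."""
    if PureWindowsPath(image).name.lower() != "rundll32.exe":
        return []
    parsed = parse_rundll32(cmdline)
    if parsed is None:
        return []
    module, entry, _ = parsed
    path = PureWindowsPath(module)
    name = path.name.lower()
    ext = name[name.rfind("."):] if "." in name else ""   # keeps a bare trailing "." as the extension
    reasons = []
    if ext not in EXPECTED_EXT:
        reasons.append(f"module extension {ext!r} is not a library extension")
    if USER_WRITABLE & {p.lower().rstrip("\\") for p in path.parts}:
        reasons.append("module is loaded from a user-writable directory")
    if entry.startswith("#"):
        reasons.append(f"entry point given by ordinal {entry}")
    return reasons


# Constructed process-creation events in the report's layout: image path, then the command line
CONSTRUCTED_EVENTS = [
    r"C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\bf4d0b71d9593b2a6d1359f87c3a22bf16c07de9_0001822180.,LiQMAxHB",
    r"C:\Windows\System32\rundll32.exe rundll32.exe shell32.dll,Control_RunDLL desk.cpl",
    r'C:\Windows\System32\rundll32.exe "C:\Windows\System32\rundll32.exe" "C:\Users\user\AppData\Local\Temp\payload.dll",DllRegisterServer',
    r"C:\Windows\System32\notepad.exe notepad.exe readme.txt",
]


def triage(events) -> list:
    """Return (image, module, entry, reasons) for every event that trips at least one check."""
    hits = []
    for line in events:
        image, _, cmdline = line.partition(" ")
        reasons = assess_rundll32(image, cmdline)
        if reasons:
            module, entry, _ = parse_rundll32(cmdline)
            hits.append((image, module, entry, reasons))
    return hits


if __name__ == "__main__":
    for image, module, entry, reasons in triage(CONSTRUCTED_EVENTS):
        print(f"{image} -> {module},{entry}")
        for reason in reasons:
            print(f"    {reason}")
```

The report's entry trips two checks (the module ends in a bare `.` and lives under `downloads`), the Control Panel invocation trips none, and the `payload.dll` case trips only the location check. In production the same logic runs over Sysmon event ID 1 or EDR process-creation records rather than the constructed list.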