Trojan.Krypt.KBAE

By CagedTech in Trojans

Table of Contents

Analysis Report

General information

Family Name:	Trojan.Krypt.KBAE
Signature status:	No Signature

Known Samples

MD5: 5c59416158608163aa4270619dbc34b2

SHA1: 5e4eef8dd436171651060c31b6cf32bae86e239c

SHA256: EBE3C618A48F86778313F1A1C805828E75A8EBFA4757DFD22E1FDF9238DDC4DF

File Size: 8.74 MB, 8744005 bytes

MD5: ff6cabe0a00fc853f2d889075700d537

SHA1: 3dc43069497a5a219703e9547a6d5663ab66ce58

SHA256: A540D143D272BD54084C9356B7C3474C0341F1ABF997FD3829CD2741ABEBDB0E

File Size: 2.56 MB, 2558840 bytes

Windows Portable Executable Attributes

File doesn't have "Rich" header
File doesn't have debug information
File doesn't have exports table
File doesn't have relocations information
File doesn't have resources
File doesn't have security information
File has exports table
File has TLS information
File is 32-bit executable
File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)

File is either console or GUI application
File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
File is Native application (NOT .NET application)
File is not packed
IMAGE_FILE_DLL is not set inside PE header (Executable)
IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Icons

Windows PE Version Information

Name	Value
Comments	This installation was built with Inno Setup.
File Description	User Account Control Panel Host Setup
Product Name	User Account Control Panel Host
Product Version	10.0.19041.746

File Traits

big overlay
dll
HighEntropy
ntdll
WriteProcessMemory
x86

Files Modified

File	Attributes
c:\users\user\appdata\local\temp\is-nvr02.tmp\3dc43069497a5a219703e9547a6d5663ab66ce58_0002558840.tmp	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\is-og6s0.tmp\_isetup\_setup64.tmp	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\is-og6s0.tmp\_isetup\_shfoldr.dll	Generic Read,Write Data,Write Attributes,Write extended,Append data

Registry Modifications

Key::Value	Data	API Name
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect		RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475	㵚ȁ獖}	RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75		RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75		RegNtPreCreateKey

Windows API Usage

Category	API
Syscall Use	ntdll.dll!NtAlpcSendWaitReceivePort ntdll.dll!NtClose ntdll.dll!NtCreateFile ntdll.dll!NtCreateSection ntdll.dll!NtFreeVirtualMemory ntdll.dll!NtMapViewOfSection ntdll.dll!NtOpenFile ntdll.dll!NtOpenKey ntdll.dll!NtOpenProcessToken ntdll.dll!NtQueryAttributesFile Show More ntdll.dll!NtQueryDebugFilterState ntdll.dll!NtQueryInformationProcess ntdll.dll!NtQueryInformationToken ntdll.dll!NtQuerySystemInformationEx ntdll.dll!NtQueryValueKey ntdll.dll!NtQueryVirtualMemory ntdll.dll!NtQueryVolumeInformationFile ntdll.dll!NtReadFile ntdll.dll!NtSetEvent ntdll.dll!NtSetInformationFile ntdll.dll!NtSetInformationProcess ntdll.dll!NtSetInformationVirtualMemory ntdll.dll!NtSetInformationWorkerFactory ntdll.dll!NtTestAlert ntdll.dll!NtTraceControl ntdll.dll!NtUnmapViewOfSection ntdll.dll!NtWaitForSingleObject ntdll.dll!NtWriteFile
Process Shell Execute	CreateProcess ShellExecute
Anti Debug	NtQuerySystemInformation
Process Manipulation Evasion	NtUnmapViewOfSection

Shell Command Execution


							C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\5e4eef8dd436171651060c31b6cf32bae86e239c_0008744005.,LiQMAxHB


							"C:\Users\Wgidmnmx\AppData\Local\Temp\is-NVR02.tmp\3dc43069497a5a219703e9547a6d5663ab66ce58_0002558840.tmp" /SL5="$40390,2140910,174080,c:\users\user\downloads\3dc43069497a5a219703e9547a6d5663ab66ce58_0002558840"


							(NULL) c:\users\user\downloads\3dc43069497a5a219703e9547a6d5663ab66ce58_0002558840 /VERYSILENT

EnigmaSoft’s Payment Processor Digital River GmbH Filing for Bankruptcy Does Not Impact SpyHunter Customers’ Anti-Malware Protection

Search

Change Region

Trojan.Krypt.KBAE

Analysis Report

General information

Known Samples

Known Samples

Windows Portable Executable Attributes

Windows Portable Executable Attributes

File Icons

File Icons

Windows PE Version Information

Windows PE Version Information

File Traits

Files Modified

Files Modified

Registry Modifications

Registry Modifications

Windows API Usage

Windows API Usage

Shell Command Execution

Shell Command Execution

Submit Comment

Trending

Turtle Vote Rewards

Guardbox

EnybenyCrypt Ransomware

Most Viewed

How To Fix 'Printer Driver is Unavailable' Error

Discord Is Stuck on Gray Screen

Discord Shows Black Screen when Sharing Screen