Trojan.Malex.N

By CagedTech in Trojans

Analysis Report

General information

Family Name: Trojan.Malex.N
Signature status: No Signature

Known Samples

MD5: 46054c872d3503fd40a312649e6a8acc
SHA1: 3b88ec7e09a68cbe188eee9d4221009b43ab01cf
SHA256: B82518F3B4319A4C0B60F7AD12AF314168826D99106F1161C12A194E85FFA275
File Size: 4.29 MB, 4285004 bytes
MD5: d2e2cffe143d5921ed5009b7953ea12d
SHA1: 4c2f0b13dabf490bd6811b2a6d642c329e023a6d
SHA256: 128231BEA2533DABD693ADAF9B92E483E21360890CCE27C8202965565FB4EFB4
File Size: 654.53 KB, 654528 bytes
MD5: dea5be7df2075ea970227b9288ff430d
SHA1: a18f29929cea477e3e216a6a3dc30ca51a9a70f6
SHA256: 359BCF22578A24FA99A0D0DFB7F7A60167043ADC5FA8628DFDEC7A20B82A631A
File Size: 6.31 MB, 6311997 bytes
MD5: 375cfa66bed6b6278309ce8c073a8c09
SHA1: 4c6b7f0d50f1a77d77c38dce270fcfdd0c04a250
SHA256: F48E2198D8AFB045981718A677676661D467F97356D20810C24A407B455F31DD
File Size: 6.53 MB, 6526427 bytes
MD5: bc0d53ebaf1fef35b8575f7cb99107ff
SHA1: 435f59bdb7d8a62b7562498387ad323b97df2555
SHA256: 4A1A973A2CA2D8BE04C3479FC6398FAA443767F5C632B1125467CB0C52FCCAB3
File Size: 4.84 MB, 4837486 bytes

Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have relocations information
  • File doesn't have security information
  • File has exports table
  • File is 32-bit executable
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Traits

  • HighEntropy
  • Installer Manifest
  • No Version Info
  • RAR (In Overlay)
  • WRARSFX
  • x86

Block Information

Total Blocks: 843
Potentially Malicious Blocks: 1
Whitelisted Blocks: 842
Unknown Blocks: 0

Visual Map

0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 2 0 0 1 0 0 0 0 0 0 0 0 0 0 2 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 2 1 1 0 0 0 0 0 0 0 0 1 1 1 0 1 0 1 0 1 0 0 1 0 0 0 2 0 0 1 0 0 0 0 0 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 0 0 0 0 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 2 0 0 0 0 0 0 0 0 0 0 0 0 1 0 1 1 0 0 0 0 1 0 0 0 0 0 0 0 0 2 3 0 1 0 0 0 0 1 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 1 1 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 1 0 1 0 0 1 0 1 0 0 2 2 0 0 1 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 1 1 0 0 0 0 0 0 0 0 0 1 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Similar Families

  • Agent.XAE
  • HEUR.MSIL.Generic_274333
  • Malex.N
  • Wana Decrypt0r.A

Files Modified

File Attributes
c:\programdata\techsmith Synchronize,Write Attributes
c:\programdata\techsmith\snagit 12 Synchronize,Write Attributes
c:\programdata\techsmith\snagit 12\__tmp_rar_sfx_access_check_2709562 Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\programdata\techsmith\snagit 12\reginfo.ini Generic Write,Read Attributes
c:\programdata\techsmith\snagit 12\reginfo.ini Synchronize,Write Attributes
c:\programdata\techsmith\snagit 12\reginfo.txt Generic Write,Read Attributes
c:\programdata\techsmith\snagit 12\reginfo.txt Synchronize,Write Attributes
c:\user Synchronize,Write Attributes
c:\user\dd Synchronize,Write Attributes
c:\user\dd\__tmp_rar_sfx_access_check_4108937 Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\user\dd\objeto.exe Generic Write,Read Attributes
c:\user\dd\objeto.exe Synchronize,Write Attributes
c:\users\user\appdata\local\temp\rarsfx0 Synchronize,Write Attributes
c:\users\user\appdata\local\temp\rarsfx0\__tmp_rar_sfx_access_check_7478218 Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\rarsfx0\carsybde.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\rarsfx0\carsybde.exe Synchronize,Write Attributes

Registry Modifications

Key::Value Data API Name
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75 RegNtPreCreateKey

Windows API Usage

Category API
Anti Debug
  • IsDebuggerPresent
User Data Access
  • GetUserObjectInformation
Keyboard Access
  • GetKeyState
Process Manipulation Evasion
  • NtUnmapViewOfSection
Process Shell Execute
  • ShellExecuteEx

Shell Command Execution

(NULL) C:\Users\Ksbelotg\AppData\Local\Temp\RarSFX0\CarsyBde.exe /VERYSILENT