Trojan.MSIL.Agent.IAC
Analysis Report
General information
| Family Name: | Trojan.MSIL.Agent.IAC |
|---|---|
| Signature status: | No Signature |
Known Samples
This section lists other file samples believed to be associated with this family.
Windows Portable Executable Attributes
- File doesn't have "Rich" header
- File doesn't have debug information
- File doesn't have exports table
- File doesn't have relocations information
- File doesn't have security information
- File is .NET application
- File is 32-bit executable
- File is 64-bit executable
- File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
- File is either console or GUI application
- File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
- File is Native application (NOT .NET application)
- File is not packed
- IMAGE_FILE_DLL is not set inside PE header (Executable)
- IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)
File Icons
This section displays icon resources found within family samples. Malware often replicates icons commonly associated with legitimate software to mislead users into believing the malware is safe.
Windows PE Version Information
This section displays values and attributes that have been set in the Windows file version information data structure for samples within this family. To mislead users, malware actors often add fake version information mimicking legitimate software.
| Name | Value |
|---|---|
| Assembly Version | |
| Comments | |
| Company Name | |
| File Description | |
| File Version | |
| Internal Name | |
| Legal Copyright | |
| Legal Trademarks | BejoIjo Corporation |
| Original Filename | |
| Product Name | |
| Product Version | |
File Traits
- .NET
- 00 section
- 2+ executable sections
- Agile.net
- dll
- Fody
- Goliath
- HighEntropy
- NewLateBinding
- ntdll
- WriteProcessMemory
- x64
- x86
Block Information
During analysis, EnigmaSoft breaks file samples into logical blocks for classification and comparison with other samples. Blocks can be used to generate malware detection rules and to group file samples into families based on shared source code, functionality and other distinguishing attributes and characteristics. This section lists a summary of this block data, as well as its classification by EnigmaSoft. A visual representation of the block data is also displayed, where available.
| Total Blocks: | 2,296 |
|---|---|
| Potentially Malicious Blocks: | 1,388 |
| Whitelisted Blocks: | 161 |
| Unknown Blocks: | 747 |
Visual Map
(Block map graphic not reproduced here; the block data is truncated in the source.)
Legend:
- 0 - Probable Safe Block
- ? - Unknown Block
- x - Potentially Malicious Block
Similar Families
This section lists other families that share similarities with this family, based on EnigmaSoft’s analysis. Many malware families are created from the same malware toolkits and use the same packing and encryption techniques but uniquely extend functionality. Similar families may also share source code, attributes, icons, subcomponents, compromised and/or invalid digital signatures, and network characteristics. Researchers leverage these similarities to rapidly and effectively triage file samples and extend malware detection rules.
- MSIL.Agent.IAC
Files Modified
This section lists files that were created, modified, moved and/or deleted by samples in this family. File system activity can provide valuable insight into how malware functions on the operating system.
| File | Attributes |
|---|---|
| \device\namedpipe\gmdasllogger | Generic Write,Read Attributes |
| c:\users\user\downloads\commando.exe | Generic Write,Read Attributes |
| c:\users\user\downloads\commando.exe | Synchronize,Write Attributes |
| c:\windows\appcompat\programs\amcache.hve | Read Data,Read Control,Write Data |
| c:\windows\appcompat\programs\amcache.hve | Write Attributes |
Registry Modifications
This section lists registry keys and values that were created, modified and/or deleted by samples in this family. Windows Registry activity can provide valuable insight into malware functionality. Additionally, malware often creates registry values to allow itself to automatically start and indefinitely persist after an initial infection has compromised the system.
| Key::Value | Data | API Name |
|---|---|---|
| HKLM\system\software\microsoft\tip\aggregateresults::data | 隞̃錁耀꧌ g | RegNtPreCreateKey |
Windows API Usage
This section lists Windows API calls that are used by the samples in this family. Windows API usage analysis is a valuable tool that can help identify malicious activity, such as keylogging, security privilege escalation, data encryption, data exfiltration, interference with antivirus software, and network request manipulation.
| Category | API |
|---|---|
| Other Suspicious | |
| User Data Access | |
| Anti Debug | |
| Encryption Used | |
| Syscall Use | |
| Process Manipulation Evasion | |
| Process Shell Execute | |
8 additional items are not displayed above.
Shell Command Execution
This section lists Windows shell commands that are run by the samples in this family. Windows Shell commands are often leveraged by malware for nefarious purposes and can be used to elevate security privileges, download and launch other malware, exploit vulnerabilities, collect and exfiltrate data, and hide malicious activity.
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\\dw20.exe dw20.exe -x -s 752