Trojan.MSIL.Agent.YDA
Analysis Report
General information
| Family Name: | Trojan.MSIL.Agent.YDA |
|---|---|
| Signature status: | Hash Mismatch |
Known Samples
This section lists other file samples believed to be associated with this family.
Windows Portable Executable Attributes
- File doesn't have "Rich" header
- File doesn't have debug information
- File doesn't have exports table
- File is .NET application
- File is 32-bit executable
- File is either console or GUI application
- File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
- File is not packed
- IMAGE_FILE_DLL is not set inside PE header (Executable)
- IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)
File Icons
This section displays icon resources found within family samples. Malware often replicates icons commonly associated with legitimate software to mislead users into believing the malware is safe.
Windows PE Version Information
This section displays values and attributes that have been set in the Windows file version information data structure for samples within this family. To mislead users, malware actors often add fake version information mimicking legitimate software.
| Name | Value |
|---|---|
| Assembly Version | |
| Company Name | |
| File Description | |
| File Version | |
| Internal Name | |
| Legal Copyright | |
| Legal Trademarks | |
| Original Filename | |
| Product Name | |
| Product Version | |
| Public Name | |
Digital Signatures
This section lists digital signatures that are attached to samples within this family. When analyzing and verifying digital signatures, it is important to confirm that the signature's root authority is a well-known and trustworthy entity and that the status of the signature is good. Malware is often signed with non-trustworthy "Self Signed" digital signatures (which can be easily created by a malware author with no verification). Malware may also be signed by legitimate signatures that have an invalid status, and by signatures from questionable root authorities with fake or misleading "Signer" names.
| Signer | Root | Status |
|---|---|---|
| Adobe Systems Incorporated | DigiCert EV Code Signing CA (SHA2) | Hash Mismatch |
| Discord Inc. | DigiCert EV Code Signing CA (SHA2) | Hash Mismatch |
| Zoom Video Communications, Inc. | DigiCert EV Code Signing CA (SHA2) | Hash Mismatch |
| Adobe Inc. | DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1 | Hash Mismatch |
| Broadcom Inc | DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1 | Hash Mismatch |
| PANDORATV Co.,Ltd | DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1 | Hash Mismatch |
| Roblox Corporation | DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1 | Hash Mismatch |
| BitTorrent Inc | DigiCert Trusted Root G4 | Hash Mismatch |
| PANDORATV Co.,Ltd | DigiCert Trusted Root G4 | Hash Mismatch |
| VENTOBYTE SL | GlobalSign | Hash Mismatch |
| Ashampoo GmbH & Co. KG | GlobalSign Code Signing Root R45 | Hash Mismatch |
| KLAUNCHER LLC | GlobalSign Code Signing Root R45 | Hash Mismatch |
| win.rar GmbH | GlobalSign CodeSigning CA - SHA256 - G3 | Hash Mismatch |
| McAfee, LLC | GlobalSign GCC R45 EV CodeSigning CA 2020 | Hash Mismatch |
| Microsoft Corporation | Microsoft Code Signing PCA 2011 | Hash Mismatch |
| Skype Software Sarl | Microsoft Code Signing PCA 2011 | Hash Mismatch |
| Adobe Systems, Incorporated | Symantec Class 3 Extended Validation Code Signing CA | Hash Mismatch |
| Apple Inc. | Symantec Class 3 SHA256 Code Signing CA | Hash Mismatch |
File Traits
- .NET
- HighEntropy
- x86
Block Information
During analysis, EnigmaSoft breaks file samples into logical blocks for classification and comparison with other samples. Blocks can be used to generate malware detection rules and to group file samples into families based on shared source code, functionality and other distinguishing attributes and characteristics. This section lists a summary of this block data, as well as its classification by EnigmaSoft. A visual representation of the block data is also displayed, where available.
| Total Blocks: | 169 |
|---|---|
| Potentially Malicious Blocks: | 5 |
| Whitelisted Blocks: | 11 |
| Unknown Blocks: | 153 |
Visual Map
[Visual map of the 169 blocks (11 probable safe, 5 potentially malicious, 153 unknown); graphic not reproduced here]
Legend:
- 0 - Probable Safe Block
- ? - Unknown Block
- x - Potentially Malicious Block
Similar Families
This section lists other families that share similarities with this family, based on EnigmaSoft's analysis. Many malware families are created from the same malware toolkits and use the same packing and encryption techniques but uniquely extend functionality. Similar families may also share source code, attributes, icons, subcomponents, compromised and/or invalid digital signatures, and network characteristics. Researchers leverage these similarities to rapidly and effectively triage file samples and extend malware detection rules.
- MSIL.Agent.YDA
Files Modified
This section lists files that were created, modified, moved and/or deleted by samples in this family. File system activity can provide valuable insight into how malware functions on the operating system.
| File | Attributes |
|---|---|
| \device\namedpipe | Generic Read, Write Attributes |
| \device\namedpipe | Generic Write, Read Attributes |
Windows API Usage
This section lists Windows API calls that are used by the samples in this family. Windows API usage analysis is a valuable tool that can help identify malicious activity, such as keylogging, security privilege escalation, data encryption, data exfiltration, interference with antivirus software, and network request manipulation.
| Category | API |
|---|---|
| Syscall Use | |
| User Data Access | |
| Anti Debug | |
| Other Suspicious | |
| Process Shell Execute | |
Shell Command Execution
This section lists Windows shell commands that are run by the samples in this family. Windows shell commands are often leveraged by malware for nefarious purposes and can be used to elevate security privileges, download and launch other malware, exploit vulnerabilities, collect and exfiltrate data, and hide malicious activity.
"schtasks" /create /f /tn "7e1e43c4d76959af22055c841f18e45cf0aab6ff_0000377192_Admin" /tr "c:\users\user\downloads\7e1e43c4d76959af22055c841f18e45cf0aab6ff_0000377192" /sc onlogon /rl highest