Trojan.MSIL.Downloader.KFB

By CagedTech in Trojans

Table of Contents

Analysis Report

General information

Family Name:	Trojan.MSIL.Downloader.KFB
Signature status:	No Signature

Known Samples

MD5: 98a5287e7191381e754324195c89e47e

SHA1: 5c6d73fde4a622e5d82dec6530d22f93dabeaafa

SHA256: FD836A9934E5BE2E5B950F9943E09F6EE344318D4F10D78F4E6146B6585F3EE1

File Size: 18.71 KB, 18712 bytes

MD5: 7af9f7564d6c1ecd336d583979e9a14f

SHA1: 2e8af3b3557156e243e68d122db7b353b0915ab1

SHA256: 3807F58440FABF0E05841A72AE27A3141E1A317B27484C4EF345B7CA78738B8B

File Size: 1.44 MB, 1441280 bytes

Windows Portable Executable Attributes

File doesn't have "Rich" header
File doesn't have debug information
File doesn't have exports table
File doesn't have security information
File is .NET application
File is 32-bit executable
File is either console or GUI application
File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
File is not packed
IMAGE_FILE_DLL is not set inside PE header (Executable)

IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

Windows PE Version Information

Name	Value
Assembly Version	1.0.5398.17759 1.0.535.19708
File Description	hostVnc vnckriptus
File Version	1.0.2878.29135 1.0.1052.5298
Internal Name	hostVnc.exe vnckriptus.exe
Legal Copyright	Copyright © 2010 Copyright © 2022
Original Filename	hostVnc.exe vnckriptus.exe
Product Name	hostVnc vnckriptus
Product Version	1.0.2878.29135 1.0.1052.5298

Digital Signatures

Signer	Root	Status
Telegram FZ-LLC	GlobalSign GCC R45 EV CodeSigning CA 2020	Hash Mismatch

File Traits

.NET
HighEntropy
x86

Block Information

Total Blocks:	71
Potentially Malicious Blocks:	3
Whitelisted Blocks:	56
Unknown Blocks:	12

Visual Map

x x ? ? ? x 0 ? 0 ? ? ? ? 0 0 0 0 0 ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? 0 0 0 ? ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0

0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Similar Families

MSIL.Downloader.KFB

Files Modified

File	Attributes
c:\users\user\appdata\roaming\current.exe	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\current.vbs	Generic Write,Read Attributes

Registry Modifications

Key::Value	Data	API Name
HKLM\software\wow6432node\microsoft\tracing::enableconsoletracing		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasapi32::enablefiletracing		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasapi32::enableautofiletracing		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasapi32::enableconsoletracing		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasapi32::filetracingmask		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasapi32::consoletracingmask		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasapi32::maxfilesize		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasapi32::filedirectory	%windir%\tracing	RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasmancs::enablefiletracing		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasmancs::enableautofiletracing		RegNtPreCreateKey

HKLM\software\wow6432node\microsoft\tracing\rasmancs::enableconsoletracing		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasmancs::filetracingmask		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasmancs::consoletracingmask		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasmancs::maxfilesize		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasmancs::filedirectory	%windir%\tracing	RegNtPreCreateKey

Windows API Usage

Category	API
User Data Access	GetComputerName GetUserDefaultLocaleName GetUserObjectInformation
Anti Debug	NtQuerySystemInformation
Other Suspicious	AdjustTokenPrivileges
Network Winsock2	WSAConnect WSASocket WSAStartup WSAttemptAutodialName
Network Winsock	closesocket freeaddrinfo getaddrinfo recv send setsockopt
Network Winhttp	WinHttpOpen
Network Info Queried	GetAdaptersAddresses GetNetworkParams
Encryption Used	BCryptOpenAlgorithmProvider CryptAcquireContext

EnigmaSoft’s Payment Processor Digital River GmbH Filing for Bankruptcy Does Not Impact SpyHunter Customers’ Anti-Malware Protection

Search

Change Region

Trojan.MSIL.Downloader.KFB

Analysis Report

General information

Known Samples

Known Samples

Windows Portable Executable Attributes

Windows Portable Executable Attributes

Windows PE Version Information

Windows PE Version Information

Digital Signatures

Digital Signatures

File Traits

Block Information

Block Information

Visual Map

Similar Families

Similar Families

Files Modified

Files Modified

Registry Modifications

Registry Modifications

Windows API Usage

Windows API Usage

Submit Comment

Trending

GoldenEagle

Downloader.Parshell

Boot-upintenselyadvancedtheproduct.vip

Most Viewed

How To Fix 'Printer Driver is Unavailable' Error

Discord Is Stuck on Gray Screen

Discord Shows Black Screen when Sharing Screen