Multi-License Discount Quote

Change Region

English
Threat Database Trojans Trojan.MSIL.Dropper.X

Trojan.MSIL.Dropper.X

By CagedTech in Trojans

Analysis Report

General information

Family Name: Trojan.MSIL.Dropper.X
Signature status: No Signature

Known Samples

MD5: df3362c56b3925e0eb83e0a10fb448c7
SHA1: 7b82a4de6af8f15994cfa1f179ebf5e0f302e503
File Size: 1.83 MB, 1828864 bytes
MD5: 2293ba92b5f60c7ada53cfe516cd4900
SHA1: 0e7cd32f31d23750a426927ec6ed800bc8c8c964
SHA256: 72E24C4E41765A688486BD1489BE22866B186E0061C34EEA45D700B13B7A59A3
File Size: 223.74 KB, 223744 bytes
MD5: 21922290b552ea257a11a6bbbea8081d
SHA1: eada8668c4d769d688440ba4e5bd0b77c36d109d
SHA256: 72616667D43FC8F2F592B6589F26032497CF037B047BAAC1B4F400FB7305170F
File Size: 5.44 MB, 5436928 bytes
MD5: 4d5db93eef709f27716fd38e033c3d49
SHA1: d8c32121485f9d2bb51c6775b6260df6bb889315
SHA256: 771C82A8BBD8D2A6DA2092DF2238940861195F60E2DC55AA3DC30249E15B5AB6
File Size: 484.86 KB, 484864 bytes
MD5: 54a1e9f39e687bbba572a48d06e72db0
SHA1: 906aca266b346bfeab6c6a3b062e67d1edaa16f8
SHA256: 6B3C2884D517804BA3BCBBF55B658CFCFC20A752EA1FF8CF6DB4D8E42EEA3ECD
File Size: 441.86 KB, 441856 bytes
Show More
MD5: 6f1eb197982bd665f091ba5b9a31f772
SHA1: 5ac9435e1e428be3efaf1307721b9b2912dde42d
SHA256: 511FF78EFB44AEECA6BB7F57390A4ECA30B376A95BFAAA43E4FB233C6A880C61
File Size: 65.02 KB, 65024 bytes
MD5: 5b33e8230d2919eae96cfe6e3c3d2844
SHA1: 7ca12591b5ce16a6871e443f88e6dcdd241872fe
SHA256: 61CE0172F9A2A10D5161B7A2D86BDA7801C641F37B2EEA29CD93A7526844EFBC
File Size: 179.71 KB, 179712 bytes

Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File doesn't have security information
  • File is .NET application
  • File is 32-bit executable
  • File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is not packed
Show More
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Icons

Windows PE Version Information

Name Value
Assembly Version
  • 2.7.45.95
  • 1.55.7.0
  • 1.1.3.11
  • 1.0.5364.24664
  • 1.0.0.0
Comments
  • Comando que Inserta el Objeto Alimentador
  • FHL-DB-Editor by myfhl.de
  • SX_DBase
Company Name
  • AHK
  • C.F.E
  • ghoulish
  • MyFHL-Editing
  • SX_DBase
File Description
  • AHK
  • Alimentador
  • FHL-DB-Editor
  • linkpowerful
  • NBYS_FWCheck
  • PDFViewer
  • SX_DBase
File Version
  • 2.7.45.95
  • 1.2.23.0
  • 1.1.3.13
  • 1.0.5364.24664
  • 1.0.0.0
Internal Name
  • Alimentador.dll
  • FHL-DB-Editor.exe
  • Library.dll
  • NBYS_FWCheck.exe
  • PDFView.dll
  • revo.uninstaller.pro.5.x.x-patch.exe
  • SX_DBase.dll
Legal Copyright
  • Copyright © 2009
  • Copyright © 2012
  • Copyright © 2022
  • Copyright © Bernd - http://myfhl.de
  • Copyright © C.F.E. 2009
  • pick © magnet
  • SX_DBase
Legal Trademarks SX_DBase
Original Filename
  • Alimentador.dll
  • FHL-DB-Editor.exe
  • Library.dll
  • NBYS_FWCheck.exe
  • PDFView.dll
  • revo.uninstaller.pro.5.x.x-patch.exe
  • SX_DBase.dll
Product Name
  • AHK
  • Alimentador
  • FHL-DB-Editor
  • NBYS_FWCheck
  • PDFViewer
  • pulse
  • SX_DBase
Product Version
  • 2.7.45.95
  • 1.2.23.0
  • 1.0.5364.24664
  • 1.0.0.0
  • 1.0.*

File Traits

  • .NET
  • .sdata
  • 2+ executable sections
  • dll
  • HighEntropy
  • Installer Version
  • NewLateBinding
  • Reactor
  • Reflective
  • RijndaelManaged
Show More
  • WriteProcessMemory
  • x86

Block Information

Total Blocks: 379
Potentially Malicious Blocks: 2
Whitelisted Blocks: 290
Unknown Blocks: 87

Visual Map

0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 ? 0 0 0 0 0 ? 0 ? 0 ? 0 ? 0 ? 0 ? 0 ? 0 ? 0 ? 0 ? 0 ? 0 ? 0 ? 0 ? 0 ? 0 ? 0 ? 0 ? 0 ? 0 ? 0 ? 0 ? 0 ? 0 ? 0 ? 0 ? 0 ? 0 ? 0 ? 0 ? 0 ? 0 ? 0 ? 0 ? 0 ? 0 ? 0 ? 0 ? 0 ? 0 ? 0 ? 0 ? 0 ? 0 ? 0 ? 0 ? 0 ? 0 ? 0 ? 0 ? 0 ? 0 ? 0 ? 0 ? ? ? ? ? ? ? ? ? ? ? ? ? ? 0 0 ? ? 0 ? ? ? 0 ? 0 ? 0 ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? ? ? ? ? 0 ? ? 0 0 x 0 0 0 0 0 0 0 ? ? ? 0 0 0 0 ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Similar Families

  • MSIL.Agent.LOD
  • MSIL.Agent.REB
  • MSIL.Agent.XFB
  • MSIL.DllInject.Z
  • MSIL.Dropper.X
Show More
  • MSIL.Inject.ASA
  • MSIL.Krypt.DBA
  • MSIL.Krypt.DSJ
  • MSIL.Krypt.OFB
  • MSIL.Krypt.YOA
  • MSIL.Perseus.BD
  • MSIL.Ursu.TJG

Files Modified

File Attributes
\device\namedpipe\gmdasllogger Generic Write,Read Attributes
c:\users\user\appdata\local\temp\dup2patcher.dll Generic Write,Read Attributes
c:\users\user\appdata\roaming\revo.uninstaller.pro.5-patch.exe Generic Write,Read Attributes
c:\users\user\appdata\roaming\revo.uninstaller.pro.5.x.x-patch.exe Generic Write,Read Attributes
c:\windows\appcompat\programs\amcache.hve Read Data,Read Control,Write Data
c:\windows\appcompat\programs\amcache.hve Write Attributes

Registry Modifications

Key::Value Data API Name
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475 RegNtPreCreateKey

Windows API Usage

Category API
Syscall Use
  • ntdll.dll!NtAccessCheck
  • ntdll.dll!NtAdjustPrivilegesToken
  • ntdll.dll!NtAlertThreadByThreadId
  • ntdll.dll!NtAlpcConnectPort
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtApphelpCacheControl
  • ntdll.dll!NtClearEvent
  • ntdll.dll!NtClose
  • ntdll.dll!NtConnectPort
  • ntdll.dll!NtCreateEvent
Show More
  • ntdll.dll!NtCreateFile
  • ntdll.dll!NtCreateKey
  • ntdll.dll!NtCreateMutant
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtCreateSemaphore
  • ntdll.dll!NtCreateThreadEx
  • ntdll.dll!NtDelayExecution
  • ntdll.dll!NtDeleteValueKey
  • ntdll.dll!NtDeviceIoControlFile
  • ntdll.dll!NtDuplicateObject
  • ntdll.dll!NtDuplicateToken
  • ntdll.dll!NtEnumerateKey
  • ntdll.dll!NtEnumerateValueKey
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtFsControlFile
  • ntdll.dll!NtLoadKeyEx
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtNotifyChangeKey
  • ntdll.dll!NtOpenDirectoryObject
  • ntdll.dll!NtOpenEvent
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenKeyEx
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtOpenProcessTokenEx
  • ntdll.dll!NtOpenSection
  • ntdll.dll!NtOpenSemaphore
  • ntdll.dll!NtOpenSymbolicLinkObject
  • ntdll.dll!NtOpenThread
  • ntdll.dll!NtOpenThreadToken
  • ntdll.dll!NtOpenThreadTokenEx
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryDebugFilterState
  • ntdll.dll!NtQueryDefaultLocale
  • ntdll.dll!NtQueryDirectoryFileEx
  • ntdll.dll!NtQueryFullAttributesFile
  • ntdll.dll!NtQueryInformationFile
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQueryKey
  • ntdll.dll!NtQueryLicenseValue
  • ntdll.dll!NtQueryPerformanceCounter
  • ntdll.dll!NtQuerySecurityAttributesToken
  • ntdll.dll!NtQuerySecurityObject
  • ntdll.dll!NtQuerySymbolicLinkObject
  • ntdll.dll!NtQuerySystemInformation
  • ntdll.dll!NtQuerySystemInformationEx
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtQueryWnfStateData
  • ntdll.dll!NtReadFile
  • ntdll.dll!NtReadRequestData
  • ntdll.dll!NtReadVirtualMemory
  • ntdll.dll!NtReleaseMutant
  • ntdll.dll!NtReleaseSemaphore
  • ntdll.dll!NtReleaseWorkerFactoryWorker
  • ntdll.dll!NtRequestWaitReplyPort
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationFile
  • ntdll.dll!NtSetInformationKey
  • ntdll.dll!NtSetInformationProcess
  • ntdll.dll!NtSetInformationThread
  • ntdll.dll!NtSetInformationVirtualMemory
  • ntdll.dll!NtSetInformationWorkerFactory
  • ntdll.dll!NtSubscribeWnfStateChange
  • ntdll.dll!NtTestAlert
  • ntdll.dll!NtTraceControl
  • ntdll.dll!NtTraceEvent
  • ntdll.dll!NtUnmapViewOfSection
  • ntdll.dll!NtUnmapViewOfSectionEx
  • ntdll.dll!NtWaitForAlertByThreadId
  • ntdll.dll!NtWaitForSingleObject
  • ntdll.dll!NtWaitForWorkViaWorkerFactory
  • ntdll.dll!NtWaitLowEventPair
  • ntdll.dll!NtWorkerFactoryWorkerReady
  • ntdll.dll!NtWriteFile
  • ntdll.dll!NtWriteVirtualMemory
  • UNKNOWN
  • win32u.dll!NtGdiBitBlt
  • win32u.dll!NtGdiCreateBitmap
  • win32u.dll!NtGdiCreateCompatibleDC
  • win32u.dll!NtGdiCreateDIBitmapInternal
  • win32u.dll!NtGdiCreateSolidBrush
  • win32u.dll!NtGdiDeleteObjectApp
  • win32u.dll!NtGdiExtGetObjectW
  • win32u.dll!NtGdiGetDCforBitmap
  • win32u.dll!NtGdiGetDCObject

39 additional items are not displayed above.

Anti Debug
  • IsDebuggerPresent
  • NtQuerySystemInformation
User Data Access
  • GetUserObjectInformation
Other Suspicious
  • AdjustTokenPrivileges
Encryption Used
  • BCryptOpenAlgorithmProvider
  • CryptAcquireContext
Process Manipulation Evasion
  • NtUnmapViewOfSection
  • ReadProcessMemory
Process Shell Execute
  • CreateProcess

Shell Command Execution

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\\dw20.exe dw20.exe -x -s 864
C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\5ac9435e1e428be3efaf1307721b9b2912dde42d_0000065024.,LiQMAxHB

Trending

Most Viewed

Loading...