
Trojan.MSIL.FakeMS.OA

By CagedTech in Trojans

Analysis Report

General information

Family Name: Trojan.MSIL.FakeMS.OA
Signature status: No Signature

Known Samples

Sample 1
  MD5: 94d34fabb9f408508068239b44a8d7b0
  SHA1: bb1b1622e2ffea396d9600c69599d6d965b289a4
  SHA256: 886265CDC392F1D23B68EE9E0B355F927084FF8AA4B75EA42A9CEB68AB604595
  File Size: 24.06 KB (24064 bytes)

Sample 2
  MD5: 2464795317bd8cd73ab4be6d967ec3c8
  SHA1: 52d3a719ee7e74d6d0677d2ebdb4cec6848e6091
  SHA256: BA6BD274E46F7B3A71932B8819E0D62643C30FB9FE279405A90246264B0552A6
  File Size: 24.06 KB (24064 bytes)

Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File doesn't have security information
  • File is .NET application
  • File is 32-bit executable
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Traits

  • .NET
  • NewLateBinding
  • No Version Info
  • ntdll
  • x86

Block Information

Total Blocks: 28
Potentially Malicious Blocks: 25
Whitelisted Blocks: 3
Unknown Blocks: 0

Visual Map

x x x x x x 0 0 x x x x x x x x x x x x x x x 0 x x x x
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Similar Families

  • MSIL.Bladabindi.A
  • MSIL.FakeMS.OA

Files Modified

File | Attributes (access requested)
c:\users\user\appdata\roaming\arma3 | Generic Read, Write Data, Write Attributes, Write Extended, Append Data
c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\a7d4a2cf2ea79e6f72c68bd62dd0ca6b.exe | Generic Read, Write Data, Write Attributes, Write Extended, Append Data
c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\a7d4a2cf2ea79e6f72c68bd62dd0ca6b.exe | Generic Read, Write Data, Write Attributes, Write Extended, Append Data, Delete, LEFT 262144
c:\users\user\appdata\roaming\svhost.exe | Generic Read, Write Data, Write Attributes, Write Extended, Append Data

Registry Modifications

Key::Value | Data | API Name
HKCU::di | ! | RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass | (none) | RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname | (none) | RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet | (none) | RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect | (none) | RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass | (none) | RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname | (none) | RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet | (none) | RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect | (none) | RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475 | (none) | RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475 | (none) | RegNtPreCreateKey
HKCU\environment::see_mask_nozonechecks | 1 | RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe | [binary data, not printable] | RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\windows\currentversion\run::a7d4a2cf2ea79e6f72c68bd62dd0ca6b | "C:\Users\Seanudjs\AppData\Roaming\svhost.exe" .. | RegNtPreCreateKey

Windows API Usage

Category API
User Data Access
  • GetComputerName
  • GetUserObjectInformation
Anti Debug
  • IsDebuggerPresent
  • NtQuerySystemInformation
Process Shell Execute
  • CreateProcess
  • ShellExecuteEx
Process Manipulation Evasion
  • NtUnmapViewOfSection
Syscall Use
  • ntdll.dll!NtAccessCheck
  • ntdll.dll!NtAlertThreadByThreadId
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtApphelpCacheControl
  • ntdll.dll!NtClearEvent
  • ntdll.dll!NtClose
  • ntdll.dll!NtConnectPort
  • ntdll.dll!NtCreateEvent
  • ntdll.dll!NtCreateFile
  • ntdll.dll!NtCreateMutant
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtCreateSemaphore
  • ntdll.dll!NtDuplicateObject
  • ntdll.dll!NtDuplicateToken
  • ntdll.dll!NtEnumerateValueKey
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenKeyEx
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtOpenProcessTokenEx
  • ntdll.dll!NtOpenSection
  • ntdll.dll!NtOpenSemaphore
  • ntdll.dll!NtOpenThreadTokenEx
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQueryKey
  • ntdll.dll!NtQueryPerformanceCounter
  • ntdll.dll!NtQuerySecurityAttributesToken
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtQueryWnfStateData
  • ntdll.dll!NtReleaseMutant
  • ntdll.dll!NtReleaseSemaphore
  • ntdll.dll!NtReleaseWorkerFactoryWorker
  • ntdll.dll!NtRequestWaitReplyPort
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationProcess
  • ntdll.dll!NtSetInformationVirtualMemory
  • ntdll.dll!NtSetInformationWorkerFactory
  • ntdll.dll!NtSubscribeWnfStateChange
  • ntdll.dll!NtTestAlert
  • ntdll.dll!NtTraceControl
  • ntdll.dll!NtUnmapViewOfSection
  • ntdll.dll!NtUnmapViewOfSectionEx
  • ntdll.dll!NtWaitForAlertByThreadId
  • ntdll.dll!NtWaitForSingleObject
  • ntdll.dll!NtWaitForWorkViaWorkerFactory
  • ntdll.dll!NtWaitLowEventPair
  • ntdll.dll!NtWorkerFactoryWorkerReady
  • ntdll.dll!NtWriteFile
  • UNKNOWN
Network Winsock2
  • WSASocket
  • WSAStartup
  • WSAttemptAutodialName
Service Control
  • OpenSCManager
  • OpenService
Encryption Used
  • BCryptOpenAlgorithmProvider
  • CryptAcquireContext
Process Terminate
  • TerminateProcess
Keyboard Access
  • GetAsyncKeyState
  • GetKeyState
Other Suspicious
  • AdjustTokenPrivileges
Network Winsock
  • closesocket
  • getaddrinfo
  • setsockopt

Shell Command Execution

(NULL) C:\Users\Rglxqaka\AppData\Roaming\arma3
(NULL) C:\Users\Seanudjs\AppData\Roaming\svhost.exe
netsh firewall add allowedprogram "C:\Users\Seanudjs\AppData\Roaming\svhost.exe" "svhost.exe" ENABLE