Trojan.MSIL.Krypt.ABTRA

By CagedTech in Trojans

Table of Contents

Analysis Report

General information

Family Name:	Trojan.MSIL.Krypt.ABTRA
Signature status:	No Signature

Known Samples

MD5: 99b875dbc0d8a8aefa3bc69f3662b0c8

SHA1: ca323e97b5ed08a3211b8f85c337b5d729fc7976

SHA256: 77EE14672FE1AA2C78F0279BC3E5352E75C57F4AF8856AE65FCFD3B24ECBC0E9

File Size: 586.24 KB, 586240 bytes

MD5: f9f822963f4b2be81c5cbf840e32a130

SHA1: a75f5493ba503e57401faca89ee518f2751e4006

SHA256: 8851C8A17927376A75DA5CE9E384EA2B0C7F3A6926F9CD7DF75DF6DBE2092E2B

File Size: 700.93 KB, 700928 bytes

MD5: 9365a9db7180ddb5d888575fe5cef15c

SHA1: 1936ecec505707b594e495fac827751edb224a4c

SHA256: 71D7AA50B2871567A23FA50A5D7D62E460C361A6644E74579AC93A8ED8E92AA8

File Size: 586.24 KB, 586240 bytes

MD5: e36ae29791d3b4fd2ffe442b4bbddfe2

SHA1: ae8bcd96082b7afddf54516357653e3af0ca7ce7

SHA256: 602D5C38320B020A7608DD6BBB672D80284D3B34E1B799B284DF6ECB28DE93FD

File Size: 586.24 KB, 586240 bytes

MD5: 1cdbef961cb6aeb497083a2f80bb2e67

SHA1: 6259a95d12f081eebfb07c82b412279ea7676360

SHA256: 2E3726CFE4FAA95D2A007D102286AB4EC3DA9368E13AA5CF66E2AF314183CE24

File Size: 461.31 KB, 461312 bytes

Windows Portable Executable Attributes

File doesn't have "Rich" header
File doesn't have debug information
File doesn't have exports table
File doesn't have relocations information
File doesn't have security information
File is .NET application
File is 32-bit executable
File is 64-bit executable
File is either console or GUI application
File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)

File is not packed
IMAGE_FILE_DLL is not set inside PE header (Executable)
IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

Windows PE Version Information

Name	Value
Assembly Version	1.0.0.0
File Version	1.0.0.0
Internal Name	Buddmvxej.exe Hwqvxb.exe Kiakqflpt.exe Rrgjkzhpg.exe Sixugincqc.exe
Original Filename	Buddmvxej.exe Hwqvxb.exe Kiakqflpt.exe Rrgjkzhpg.exe Sixugincqc.exe
Product Version	1.0.0.0

File Traits

.NET
GenKrypt
HighEntropy
x64
x86

Block Information

Total Blocks:	59
Potentially Malicious Blocks:	8
Whitelisted Blocks:	21
Unknown Blocks:	30

Visual Map

x x x 0 0 0 0 0 ? 0 0 0 0 0 0 0 0 0 ? 0 0 ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? 0 0 ? ? ? x ? x ? 0 ? x ? x x ? 0 ? ? ? 0 ?

0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Similar Families

MSIL.Stealer.CCA

Files Modified

File	Attributes
\device\namedpipe\pshost.134024963541239267.5996.defaultappdomain.powershell	Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
c:\users\user\appdata\local\temp\__psscriptpolicytest_1orllzdo.uqk.ps1	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_5jrjsdt0.4m5.psm1	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_brpkucas.iif.ps1	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_nlxtnc0w.dx0.psm1	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\app_store.exe	Generic Write,Read Attributes

Registry Modifications

Key::Value	Data	API Name
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect		RegNtPreCreateKey

Windows API Usage

Category	API
User Data Access	GetUserDefaultLocaleName GetUserName GetUserNameEx GetUserObjectInformation
Encryption Used	BCryptOpenAlgorithmProvider
Anti Debug	IsDebuggerPresent NtQuerySystemInformation
Other Suspicious	AdjustTokenPrivileges
Process Shell Execute	CreateProcess
Syscall Use	ntdll.dll!NtAccessCheck ntdll.dll!NtAlertThreadByThreadId ntdll.dll!NtAlpcConnectPortEx ntdll.dll!NtAlpcQueryInformation ntdll.dll!NtAlpcSendWaitReceivePort ntdll.dll!NtApphelpCacheControl ntdll.dll!NtAssociateWaitCompletionPacket ntdll.dll!NtCancelTimer2 ntdll.dll!NtCancelWaitCompletionPacket ntdll.dll!NtClearEvent Show More ntdll.dll!NtClose ntdll.dll!NtCompareSigningLevels ntdll.dll!NtConnectPort ntdll.dll!NtCreateEvent ntdll.dll!NtCreateFile ntdll.dll!NtCreateIoCompletion ntdll.dll!NtCreateMutant ntdll.dll!NtCreatePrivateNamespace ntdll.dll!NtCreateSection ntdll.dll!NtCreateSemaphore ntdll.dll!NtCreateThreadEx ntdll.dll!NtCreateTimer2 ntdll.dll!NtCreateWaitCompletionPacket ntdll.dll!NtCreateWorkerFactory ntdll.dll!NtDeviceIoControlFile ntdll.dll!NtDuplicateObject ntdll.dll!NtDuplicateToken ntdll.dll!NtEnumerateKey ntdll.dll!NtEnumerateValueKey ntdll.dll!NtFlushProcessWriteBuffers ntdll.dll!NtFreeVirtualMemory ntdll.dll!NtGetCachedSigningLevel ntdll.dll!NtGetContextThread ntdll.dll!NtMapViewOfSection ntdll.dll!NtNotifyChangeKey ntdll.dll!NtOpenDirectoryObject ntdll.dll!NtOpenEvent ntdll.dll!NtOpenFile ntdll.dll!NtOpenKey ntdll.dll!NtOpenKeyEx ntdll.dll!NtOpenProcess ntdll.dll!NtOpenProcessToken ntdll.dll!NtOpenSection ntdll.dll!NtOpenSemaphore ntdll.dll!NtOpenThreadToken ntdll.dll!NtProtectVirtualMemory ntdll.dll!NtQueryAttributesFile ntdll.dll!NtQueryDefaultLocale ntdll.dll!NtQueryDirectoryFileEx ntdll.dll!NtQueryFullAttributesFile ntdll.dll!NtQueryInformationFile ntdll.dll!NtQueryInformationJobObject ntdll.dll!NtQueryInformationProcess ntdll.dll!NtQueryInformationThread ntdll.dll!NtQueryInformationToken ntdll.dll!NtQueryKey ntdll.dll!NtQueryLicenseValue ntdll.dll!NtQueryPerformanceCounter ntdll.dll!NtQuerySecurityAttributesToken ntdll.dll!NtQuerySecurityObject ntdll.dll!NtQuerySystemInformation ntdll.dll!NtQuerySystemInformationEx ntdll.dll!NtQueryValueKey ntdll.dll!NtQueryVirtualMemory ntdll.dll!NtQueryVolumeInformationFile ntdll.dll!NtQueryWnfStateData ntdll.dll!NtReadFile ntdll.dll!NtReleaseMutant ntdll.dll!NtReleaseSemaphore ntdll.dll!NtReleaseWorkerFactoryWorker ntdll.dll!NtRequestWaitReplyPort ntdll.dll!NtResumeThread ntdll.dll!NtSetContextThread ntdll.dll!NtSetEvent ntdll.dll!NtSetInformationKey ntdll.dll!NtSetInformationProcess ntdll.dll!NtSetInformationThread ntdll.dll!NtSetInformationVirtualMemory ntdll.dll!NtSetInformationWorkerFactory ntdll.dll!NtSetTimer2 ntdll.dll!NtSubscribeWnfStateChange ntdll.dll!NtSuspendThread ntdll.dll!NtTestAlert ntdll.dll!NtTraceControl ntdll.dll!NtUnmapViewOfSection ntdll.dll!NtUnmapViewOfSectionEx ntdll.dll!NtUnsubscribeWnfStateChange ntdll.dll!NtWaitForAlertByThreadId ntdll.dll!NtWaitForMultipleObjects ntdll.dll!NtWaitForSingleObject ntdll.dll!NtWaitForWorkViaWorkerFactory ntdll.dll!NtWaitLowEventPair ntdll.dll!NtWorkerFactoryWorkerReady ntdll.dll!NtWriteFile ntdll.dll!NtWriteVirtualMemory ntdll.dll!NtYieldExecution UNKNOWN win32u.dll!NtGdiBitBlt win32u.dll!NtGdiCreateBitmap win32u.dll!NtGdiCreateCompatibleDC 22 additional items are not displayed above.
Network Winsock2	WSAConnect WSASocket WSAStartup
Network Winsock	closesocket getpeername setsockopt

Shell Command Execution


							"powershell.exe" -NoProfile -ExecutionPolicy Bypass -Enc UgBlAGcAaQBzAHQAZQByAC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawAgAC0AVABhAHMAawBOAGEAbQBlACAAJwBhAHAAcABfAHMAdABvAHIAZQAuAGUAeABlACcAIAAtAEEAYwB0AGkAbwBuACAAKABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAQQBjAHQAaQBvAG4AIAAtAEUAeABlAGMAdQB0AGUAIAAnAEMAOgBcAFUAcwBlAHIAcwBcAFQAbwBhAG8AaABhAG0AdgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAYQBwAHAAXwBzAHQAbwByAGUALgBlAHgAZQAnACkAIAAtAFQAcgBpAGcAZwBlAHIAIAAoAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBUAHIAaQBnAGcAZQByACAALQBPAG4AYwBlACAALQBBAHQAIAAoAEcAZQB0AC0ARABhAHQAZQApACAALQBSAGUAcABlAHQAaQB0AGkAbwBuAEkAbgB0AGUAcgB2AGEAbAAgACgATgBlAHcALQBUAGkAbQBlAFMAcABhAG4AIAAtAE0AaQBuAHUAdABlAHMAIAA1ACkAKQAgAC0AVQBzAGUAcgAgACQAZQBuAHYAOgBVAHMAZQByAE4AYQBtAGUAIAAtAFIAdQBuAEwAZQB2AGUAbAAgAEgAaQBnAGgAZQBzAHQAIAAtAFMAZQB0AHQAaQBuAGcAcwAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAFMAZQB0AHQAaQBuAGcAcwBTAGUAdAAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AVABpAG0AZQBMAGkAbQBpAHQAIAAoAE4AZQB3AC0AVABpAG0AZQBTAHAAYQBuACAALQBTAGUAYwBvAG4AZABzACAAMAApACAALQBBAGwAbABvAHcAUwB0AGEAcgB0AEkAZgBPAG4AQgBhAHQAdABlAHIAaQBlAHMAIAAtAEQAbwBuAHQAUwB0AG8AcABJAGYARwBvAGkAbgBnAE8AbgBCAGEAdAB0AGUAcgBpAGUAcwApACAALQBGAG8AcgBjAGUA


							"powershell.exe" -NoProfile -ExecutionPolicy Bypass -Enc UgBlAGcAaQBzAHQAZQByAC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawAgAC0AVABhAHMAawBOAGEAbQBlACAAJwBhAHMAZABhAHMAZAAuAGUAeABlACcAIAAtAEEAYwB0AGkAbwBuACAAKABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAQQBjAHQAaQBvAG4AIAAtAEUAeABlAGMAdQB0AGUAIAAnAEMAOgBcAFUAcwBlAHIAcwBcAEQAdgBuAHUAbgB1AG0AYgBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwAYQBzAGQAYQBzAGQALgBlAHgAZQAnACkAIAAtAFQAcgBpAGcAZwBlAHIAIAAoAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBUAHIAaQBnAGcAZQByACAALQBPAG4AYwBlACAALQBBAHQAIAAoAEcAZQB0AC0ARABhAHQAZQApACAALQBSAGUAcABlAHQAaQB0AGkAbwBuAEkAbgB0AGUAcgB2AGEAbAAgACgATgBlAHcALQBUAGkAbQBlAFMAcABhAG4AIAAtAE0AaQBuAHUAdABlAHMAIAA1ACkAKQAgAC0AVQBzAGUAcgAgACQAZQBuAHYAOgBVAHMAZQByAE4AYQBtAGUAIAAtAFIAdQBuAEwAZQB2AGUAbAAgAEgAaQBnAGgAZQBzAHQAIAAtAFMAZQB0AHQAaQBuAGcAcwAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAFMAZQB0AHQAaQBuAGcAcwBTAGUAdAAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AVABpAG0AZQBMAGkAbQBpAHQAIAAoAE4AZQB3AC0AVABpAG0AZQBTAHAAYQBuACAALQBTAGUAYwBvAG4AZABzACAAMAApACAALQBBAGwAbABvAHcAUwB0AGEAcgB0AEkAZgBPAG4AQgBhAHQAdABlAHIAaQBlAHMAIAAtAEQAbwBuAHQAUwB0AG8AcABJAGYARwBvAGkAbgBnAE8AbgBCAGEAdAB0AGUAcgBpAGUAcwApACAALQBGAG8AcgBjAGUA

EnigmaSoft’s Payment Processor Digital River GmbH Filing for Bankruptcy Does Not Impact SpyHunter Customers’ Anti-Malware Protection

Search

Change Region

Trojan.MSIL.Krypt.ABTRA

Analysis Report

General information

Known Samples

Known Samples

Windows Portable Executable Attributes

Windows Portable Executable Attributes

Windows PE Version Information

Windows PE Version Information

File Traits

Block Information

Block Information

Visual Map

Similar Families

Similar Families

Files Modified

Files Modified

Registry Modifications

Registry Modifications

Windows API Usage

Windows API Usage

Shell Command Execution

Shell Command Execution

Submit Comment

Trending

American Express - Sign-in Attempt Was Blocked Scam

Issue Affecting The Delivery Of Messages Email Scam

Triclyde Ransomware

Most Viewed

How To Fix 'Printer Driver is Unavailable' Error

Discord Is Stuck on Gray Screen

Discord Shows Black Screen when Sharing Screen