Trojan.MSIL.Krypt.DSM
Analysis Report
General information
| Family Name: | Trojan.MSIL.Krypt.DSM |
|---|---|
| Signature status: | No Signature |
Known Samples
This section lists other file samples believed to be associated with this family. SHA256 is given only where the report lists it.

| MD5 | SHA1 | SHA256 | File Size |
|---|---|---|---|
| 1edee2235908104682c42dfcc6eb9e1f | 5d26bb5df90bc7e6f31b0ad38603db0e8287378a | | 684544 bytes (684.54 KB) |
| 654a65df58602224ba1aeb4ae8cda260 | e6cd1685ecc444fc0b680203af93daf9a1d7c861 | | 563200 bytes (563.20 KB) |
| c575968b3df5f0a8b2a022d14fab01f6 | f2c4138136c3bb7227d652ce8a17bd966e5c2477 | | 564736 bytes (564.74 KB) |
| 1ef3f4623579cefbcc900a2b242da2fb | c4a1cd1da3f72ea68738b459a9b4524c7eb1a1fe | | 329728 bytes (329.73 KB) |
| 080caf6c300693dbcada721509025289 | fe2259dc604422da76ab63b9369606b430cb31e5 | | 564736 bytes (564.74 KB) |
| b94d3eebff6476dd5ebc101c113d9c33 | 1a2c1b663abd5e60d1b36cce9f635c3c321fbaa8 | 41C431DC6129D57E0DF76F13655B4211698A3E1457785E84E85DDD2C1A345E4B | 570368 bytes (570.37 KB) |
| 4d78cb349791b6776d2633922b15a275 | ea11284df1efb782dd72f4208423392d4626a6ec | C074B71C08404244C0C255628BCE4ED016496CFC69C123E8AD5A557325F4EB7A | 565248 bytes (565.25 KB) |
| 599b8b6b1da353611d2cb69f42b6abe8 | 2ecd2c88a6e520b9fc55560f0bcbb07739896364 | E18C0DE1C02B441DFD565886636022E976F1B2450E3928C43696B7B1018993AB | 568832 bytes (568.83 KB) |
| 36ac7209abb7af4c36b5884011678f99 | 94bda496e45763ed3696380a80097a84275eed20 | C8CF2C9511D58A02D7B261D59F00B190F248533C5BD636C81A98E0B0FB818DAA | 568320 bytes (568.32 KB) |
Windows Portable Executable Attributes
These attributes are aggregated over the family's samples, which is why both 32-bit and 64-bit entries appear (the File Traits below list both x86 and x64 builds); no single sample is both.
- File doesn't have "Rich" header
- File doesn't have debug information
- File doesn't have exports table
- File doesn't have relocations information
- File doesn't have security information
- File is .NET application
- File is 32-bit executable
- File is 64-bit executable
- File is either console or GUI application
- File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
- File is not packed
- IMAGE_FILE_DLL is not set inside PE header (Executable)
- IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)
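Each attribute in the list above comes from a specific PE header field: the Rich header from the DOS stub, debug/export/relocation/security/CLR information from the optional header's data directories, the bitness from the optional header magic, and the DLL and executable-image bits from the COFF characteristics. The reader below is an added example, not EnigmaSoft's tooling; it parses those fields in pure Python (no pefile dependency) and renders them in the report's wording. The PE it builds for the demo is a constructed, headers-only file with a placeholder CLR directory, not one of the family's samples; pass a real file path to run it against a sample.

```python
"""Derive the PE attribute checks used above directly from the raw headers.

Added example (not EnigmaSoft's code): a pure-Python reader for the fields
that decide each line of the attribute list, plus a constructed headers-only
PE so it runs offline. Offsets follow the PE/COFF specification.
"""
import struct

# Data directory indices (PE/COFF spec) and header flag values
DIR_EXPORT, DIR_SECURITY, DIR_BASERELOC, DIR_DEBUG, DIR_CLR = 0, 4, 5, 6, 14
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000
IMAGE_SUBSYSTEM_WINDOWS_GUI = 2
IMAGE_SUBSYSTEM_WINDOWS_CUI = 3
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def pe_attributes(data: bytes) -> dict:
    """Return the attributes the report lists, computed from the headers."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, _, _, _, _, _, characteristics = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        ndirs_off, dirs_off = opt + 92, opt + 96
    elif magic == PE32PLUS_MAGIC:
        ndirs_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]  # same offset in both formats
    ndirs = struct.unpack_from("<I", data, ndirs_off)[0]

    def directory_present(index: int) -> bool:
        if index >= ndirs:
            return False
        rva, size = struct.unpack_from("<II", data, dirs_off + 8 * index)
        return rva != 0 and size != 0

    return {
        # The Rich header, when present, sits in the DOS stub before e_lfanew
        "rich_header": b"Rich" in data[0x40:e_lfanew],
        "debug_info": directory_present(DIR_DEBUG),
        "exports": directory_present(DIR_EXPORT),
        "relocations": directory_present(DIR_BASERELOC),
        "security_info": directory_present(DIR_SECURITY),   # Authenticode signature
        "dotnet": directory_present(DIR_CLR),               # CLR runtime header
        "bits": 64 if magic == PE32PLUS_MAGIC else 32,
        "gui": subsystem == IMAGE_SUBSYSTEM_WINDOWS_GUI,
        "console": subsystem == IMAGE_SUBSYSTEM_WINDOWS_CUI,
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        "executable_image": bool(characteristics & IMAGE_FILE_EXECUTABLE_IMAGE),
    }


def build_sample_pe(pe32plus=False, clr=True, rich=False,
                    subsystem=IMAGE_SUBSYSTEM_WINDOWS_GUI) -> bytes:
    """Constructed headers-only PE for the demo; not one of the report's samples."""
    e_lfanew = 0x80
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)
    dos += (b"Rich" if rich else b"\0" * 4)            # DOS stub area
    dos = dos.ljust(e_lfanew, b"\0")
    ndirs = 16
    opt_fixed = 112 if pe32plus else 96
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 1, 0, 0, 0,
                       opt_fixed + 8 * ndirs, IMAGE_FILE_EXECUTABLE_IMAGE)
    opt = bytearray(opt_fixed)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, 68, subsystem)
    struct.pack_into("<I", opt, 108 if pe32plus else 92, ndirs)
    dirs = bytearray(8 * ndirs)
    if clr:
        struct.pack_into("<II", dirs, 8 * DIR_CLR, 0x2008, 0x48)  # placeholder RVA/size
    return dos + b"PE\0\0" + coff + bytes(opt) + bytes(dirs)


def report_lines(attrs: dict) -> list:
    """Render the attributes in the wording the report uses."""
    def has(key, label):
        return f"File has {label}" if attrs[key] else f"File doesn't have {label}"
    lines = [has("rich_header", '"Rich" header'), has("debug_info", "debug information"),
             has("exports", "exports table"), has("relocations", "relocations information"),
             has("security_info", "security information")]
    if attrs["dotnet"]:
        lines.append("File is .NET application")
    lines.append(f"File is {attrs['bits']}-bit executable")
    if attrs["gui"]:
        lines.append("File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)")
    lines.append("IMAGE_FILE_DLL is %sset inside PE header" % ("" if attrs["is_dll"] else "not "))
    return lines


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    print("\n".join(report_lines(pe_attributes(data))))
```

The CLR data directory (index 14) is the decisive .NET check: a managed assembly always has one, while a native file has a zero entry there. "File is not packed" and the entropy trait cannot be read off the headers alone and are left out here.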
Windows PE Version Information
This section displays values and attributes that have been set in the Windows file version information data structure for samples within this family. To mislead users, malware actors often add fake version information mimicking legitimate software. Here Internal Name and Original Filename are empty and all three version fields carry 1.0.0.0, the AssemblyVersion default of a new Visual Studio .NET project, so the version block does not imitate any particular product.

| Name | Value |
|---|---|
| Assembly Version | 1.0.0.0 |
| File Version | 1.0.0.0 |
| Internal Name | |
| Original Filename | |
| Product Version | 1.0.0.0 |
File Traits
- .NET
- GenKrypt
- HighEntropy
- x64
- x86
Block Information
During analysis, EnigmaSoft breaks file samples into logical blocks for classification and comparison with other samples. Blocks can be used to generate malware detection rules and to group file samples into families based on shared source code, functionality and other distinguishing attributes and characteristics. This section lists a summary of this block data, as well as its classification by EnigmaSoft. A visual representation of the block data is also displayed, where available.

| Total Blocks: | 7 |
|---|---|
| Potentially Malicious Blocks: | 2 |
| Whitelisted Blocks: | 1 |
| Unknown Blocks: | 4 |
Visual Map
? x x ? ? 0 ?

0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block
Similar Families
This section lists other families that share similarities with this family, based on EnigmaSoft's analysis. Many malware families are created from the same malware toolkits and use the same packing and encryption techniques but uniquely extend functionality. Similar families may also share source code, attributes, icons, subcomponents, compromised and/or invalid digital signatures, and network characteristics. Researchers leverage these similarities to rapidly and effectively triage file samples and extend malware detection rules.
- MSIL.Krypt.DSM
Files Modified
This section lists files that were created, modified, moved and/or deleted by samples in this family. File system activity can provide valuable insight into how malware functions on the operating system.

| File | Attributes |
|---|---|
| \device\namedpipe\pshost.133973821311183692.1568.defaultappdomain.powershell | Generic Read, Write Data, Write Attributes, Write extended, Append data, LEFT 524288 |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_nbcp3mgt.q23.psm1 | Generic Write, Read Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_xfww1hg0.0m0.ps1 | Generic Write, Read Attributes |

All three entries are side effects of the powershell.exe launch listed under Shell Command Execution rather than writes by the .NET binary itself: every PowerShell process creates a PSHost.<start time>.<PID>.<AppDomain>.<process> named pipe (PID 1568 here) for host-process attachment, and PowerShell writes __PSScriptPolicyTest_*.ps1/.psm1 files to %TEMP% at startup to probe whether AppLocker or WDAC script enforcement is in effect. They confirm that PowerShell ran, not what the encoded script did.
Windows API Usage
This section lists Windows API calls that are used by the samples in this family. Windows API usage analysis is a valuable tool that can help identify malicious activity, such as keylogging, security privilege escalation, data encryption, data exfiltration, interference with antivirus software, and network request manipulation. The individual API names are not reproduced on this page; only the categories are listed.

| Category | API |
|---|---|
| Syscall Use | 20 items (not displayed) |
| User Data Access | |
| Encryption Used | |
| Anti Debug | |
| Other Suspicious | |
| Network Winsock2 | |
| Network Winsock | |
| Process Shell Execute | |
Shell Command Execution
This section lists Windows shell commands that are run by the samples in this family. Windows Shell commands are often leveraged by malware for nefarious purposes and can be used to elevate security privileges, download and launch other malware, exploit vulnerabilities, collect and exfiltrate data, and hide malicious activity.

"powershell.exe" -NoProfile -ExecutionPolicy Bypass -Enc <base64 argument not shown>

The switch combination is the standard pattern for a PowerShell stager: -NoProfile skips profile scripts, -ExecutionPolicy Bypass disables script policy checks for this process, and -Enc (an accepted abbreviation of -EncodedCommand) passes the script as base64-encoded UTF-16LE text, so the payload never appears in clear text on the command line.
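For detection, the command line above is the useful artifact: the switch can be abbreviated (-e, -ec, -enc, -EncodedCommand all work, because powershell.exe resolves switches by unambiguous prefix), so matching on the literal string -Enc misses variants. The following is an added example, not part of the report, showing how to resolve those abbreviations, decode the UTF-16LE base64 payload, and flag the bypass/hidden-window switches that usually accompany it. The command lines and the encoded payload (a harmless Write-Output) are constructed for the demo; the report's real encoded argument is not shown on the page.

```python
"""Detect and decode PowerShell -EncodedCommand launches from process command lines.

Added example (not EnigmaSoft's code). Sample command lines are constructed; the
base64 payload is built here from "Write-Output 'hello'", not from the report.
"""
import base64
import binascii
import shlex

# powershell.exe accepts any unambiguous prefix of a switch. Entries are
# (full name, shortest accepted prefix, extra aliases); a subset of the real table.
SWITCHES = [
    ("encodedcommand", "e", {"ec"}),
    ("executionpolicy", "ex", {"ep"}),
    ("noprofile", "nop", set()),
    ("noninteractive", "noni", set()),
    ("nologo", "nol", set()),
    ("noexit", "noe", set()),
    ("windowstyle", "w", set()),
    ("command", "c", set()),
    ("file", "f", set()),
]
TAKES_VALUE = {"encodedcommand", "executionpolicy", "windowstyle", "command", "file"}


def resolve_switch(token: str):
    """Map a token such as -Enc, -ep or /NoP to its full switch name, or None."""
    if not token or token[0] not in "-/":
        return None
    key = token[1:].lower()
    for full, shortest, aliases in SWITCHES:
        if key in aliases or (full.startswith(key) and len(key) >= len(shortest)):
            return full
    return None


def decode_encoded_command(b64: str):
    """-EncodedCommand carries UTF-16LE text in base64; return it, or None if malformed."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def split_windows_cmdline(cmdline: str) -> list:
    """Whitespace split that keeps quoted paths together and leaves backslashes alone."""
    lex = shlex.shlex(cmdline, posix=False)
    lex.whitespace_split = True
    lex.commenters = ""
    return [tok.strip('"') for tok in lex]


def analyze_cmdline(cmdline: str) -> dict:
    """Return recognised switches, the decoded script (if any) and indicator labels."""
    tokens = split_windows_cmdline(cmdline)
    params, i = {}, 1  # token 0 is the image path
    while i < len(tokens):
        name = resolve_switch(tokens[i])
        if name in TAKES_VALUE and i + 1 < len(tokens):
            params[name] = tokens[i + 1]
            i += 2
        else:
            if name:
                params[name] = True
            i += 1
    decoded = decode_encoded_command(params["encodedcommand"]) if "encodedcommand" in params else None
    indicators = []
    if "encodedcommand" in params:
        indicators.append("encoded command")
    if str(params.get("executionpolicy", "")).lower() in ("bypass", "unrestricted"):
        indicators.append("execution policy bypass")
    if str(params.get("windowstyle", "")).lower() == "hidden":
        indicators.append("hidden window")
    if params.get("noprofile"):
        indicators.append("profile suppressed")
    return {"params": params, "decoded": decoded, "indicators": indicators}


# Constructed inputs for the demo (not the report's sandbox data).
PAYLOAD_B64 = base64.b64encode("Write-Output 'hello'".encode("utf-16-le")).decode()
SAMPLE_CMDLINES = [
    f'"powershell.exe" -NoProfile -ExecutionPolicy Bypass -Enc {PAYLOAD_B64}',   # report's pattern
    f'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -ep bypass -w hidden -e {PAYLOAD_B64}',
    'powershell.exe -NoLogo -File C:\\scripts\\inventory.ps1',                     # benign admin launch
    'powershell.exe -enc not*base64!',                                              # malformed payload
]

if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        result = analyze_cmdline(line)
        print(result["indicators"] or ["none"], "->", result["decoded"])
```

The malformed case matters in practice: a payload that fails to decode still gets flagged, because the presence of the switch is the indicator and the decode is only enrichment. Decoding output should be treated as untrusted text (it is attacker-controlled) and written to a field, never re-executed.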