Multi-License Discount Quote

Change Region

English
Threat Database Trojans Trojan.MSIL.Pontoeb.A

Trojan.MSIL.Pontoeb.A

By CagedTech in Trojans

Threat Scorecard

Popularity Rank: 19,215
Threat Level: 80 % (High)
Infected Computers: 203
First Seen: June 17, 2021
Last Seen: November 22, 2025
OS(es) Affected: Windows

Analysis Report

General information

Family Name: Trojan.MSIL.Pontoeb.A
Signature status: No Signature

Known Samples

MD5: 3d98bb682cb93456d69c356bd86369e0
SHA1: cec063cb22672d46f59b9e1c2b66be45089aceea
SHA256: 4E67E4DE54C5C7CD45ED85D4069CE384B0533950755B0924EC37463180947019
File Size: 273.92 KB, 273920 bytes

Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have exports table
  • File doesn't have security information
  • File is .NET application
  • File is 32-bit executable
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

Windows PE Version Information

Name Value
Assembly Version 1.0.0.0
Comments RMM Client
File Description Client
File Version 1.0.0.0
Internal Name Client.exe
Original Filename Client.exe
Product Name Client
Product Version 1.0.0.0

File Traits

  • .NET
  • CryptUnprotectData
  • No CryptProtectData
  • ntdll
  • Run
  • x86

Block Information

Total Blocks: 389
Potentially Malicious Blocks: 3
Whitelisted Blocks: 125
Unknown Blocks: 261

Visual Map

0 0 0 0 ? 0 ? ? ? ? ? ? ? ? ? ? ? 0 ? ? 0 0 0 0 0 ? 0 ? ? 0 ? ? ? 0 0 0 0 0 0 ? ? ? ? ? ? ? ? ? ? ? ? ? 0 ? ? ? ? ? ? ? ? ? ? ? 0 ? ? ? ? ? x ? ? ? 0 ? ? ? ? ? ? ? ? ? 0 ? ? 0 ? ? ? 0 0 ? ? ? ? ? ? ? ? ? ? ? ? ? ? x ? ? 0 ? ? ? 0 ? ? 0 0 ? ? ? ? ? 0 ? ? 0 ? 0 0 ? ? ? ? ? 0 0 0 ? ? x ? 0 ? ? ? ? 0 0 ? ? ? ? ? ? ? 0 ? ? ? ? ? ? 0 ? ? 0 ? ? ? ? ? ? ? ? 0 0 0 0 ? ? ? ? ? ? ? ? ? ? 0 ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? 0 ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? 0 ? ? ? ? ? ? ? ? ? ? 0 0 0 0 ? ? ? 0 0 0 ? ? 0 ? 0 0 0 0 0 ? 0 ? ? ? ? ? ? ? 0 ? 0 ? ? ? ? ? ? ? ? ? ? 0 ? ? 0 0 0 ? 0 0 ? 0 ? 0 0 0 0 0 ? 0 0 0 ? ? ? ? ? 0 ? 0 ? ? ? 0 0 0 0 ? ? ? 0 0 0 0 0 0 0 0 0 0 ? 0 0 ? 0 0 ? 0 0 0 0 0 0 0 ? 0 ? 0 ? 0 ? 0 ? ? ? ? 0 0 ? ? ? ? ? ? ? 0 0 ? 0 ? 0 ? 0 ? 0 ? 0 ? 0 ? 0 ? 0 ? 0
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Files Modified

File Attributes
\device\namedpipe Generic Read,Write Attributes
\device\namedpipe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\browserdata_upugbvdklo.zip Generic Write,Read Attributes
c:\users\user\appdata\local\temp\cec063cb22672d46f59b9e1c2b66be45089aceea_0000273920 Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\users\user\appdata\local\temp\cec063cb22672d46f59b9e1c2b66be45089aceea_0000273920 Synchronize,Write Attributes
c:\users\user\appdata\local\temp\client_debug.log Generic Write,Read Attributes
c:\users\user\appdata\roaming\microsoft\windows\update\cec063cb22672d46f59b9e1c2b66be45089aceea_0000273920 Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\users\user\appdata\roaming\microsoft\windows\update\cec063cb22672d46f59b9e1c2b66be45089aceea_0000273920 Synchronize,Write Attributes
c:\windows\temp\cec063cb22672d46f59b9e1c2b66be45089aceea_0000273920 Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\windows\temp\cec063cb22672d46f59b9e1c2b66be45089aceea_0000273920 Synchronize,Write Attributes

Registry Modifications

Key::Value Data API Name
HKLM\software\microsoft\tracing\rasapi32::enablefiletracing RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasapi32::enableautofiletracing RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasapi32::enableconsoletracing RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasapi32::filetracingmask ￿ RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasapi32::consoletracingmask ￿ RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasapi32::maxfilesize  RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasapi32::filedirectory %windir%\tracing RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasmancs::enablefiletracing RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasmancs::enableautofiletracing RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasmancs::enableconsoletracing RegNtPreCreateKey
Show More
HKLM\software\microsoft\tracing\rasmancs::filetracingmask ￿ RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasmancs::consoletracingmask ￿ RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasmancs::maxfilesize  RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasmancs::filedirectory %windir%\tracing RegNtPreCreateKey

Windows API Usage

Category API
Syscall Use
  • ntdll.dll!NtAccessCheck
  • ntdll.dll!NtAlertThreadByThreadId
  • ntdll.dll!NtAlpcConnectPort
  • ntdll.dll!NtAlpcConnectPortEx
  • ntdll.dll!NtAlpcCreatePortSection
  • ntdll.dll!NtAlpcCreateSectionView
  • ntdll.dll!NtAlpcCreateSecurityContext
  • ntdll.dll!NtAlpcDeleteSecurityContext
  • ntdll.dll!NtAlpcQueryInformation
  • ntdll.dll!NtAlpcQueryInformationMessage
Show More
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtAlpcSetInformation
  • ntdll.dll!NtApphelpCacheControl
  • ntdll.dll!NtAssociateWaitCompletionPacket
  • ntdll.dll!NtCancelWaitCompletionPacket
  • ntdll.dll!NtClearEvent
  • ntdll.dll!NtClose
  • ntdll.dll!NtConnectPort
  • ntdll.dll!NtCreateEvent
  • ntdll.dll!NtCreateIoCompletion
  • ntdll.dll!NtCreateKey
  • ntdll.dll!NtCreateMutant
  • ntdll.dll!NtCreatePrivateNamespace
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtCreateSemaphore
  • ntdll.dll!NtCreateThreadEx
  • ntdll.dll!NtCreateTimer
  • ntdll.dll!NtCreateTimer2
  • ntdll.dll!NtCreateWaitCompletionPacket
  • ntdll.dll!NtCreateWorkerFactory
  • ntdll.dll!NtDelayExecution
  • ntdll.dll!NtDeviceIoControlFile
  • ntdll.dll!NtDuplicateObject
  • ntdll.dll!NtDuplicateToken
  • ntdll.dll!NtEnumerateKey
  • ntdll.dll!NtEnumerateValueKey
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtGetCompleteWnfStateSubscription
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtNotifyChangeKey
  • ntdll.dll!NtOpenDirectoryObject
  • ntdll.dll!NtOpenEvent
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenKeyEx
  • ntdll.dll!NtOpenProcess
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtOpenSection
  • ntdll.dll!NtOpenThread
  • ntdll.dll!NtOpenThreadToken
  • ntdll.dll!NtPowerInformation
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryDefaultLocale
  • ntdll.dll!NtQueryDirectoryFileEx
  • ntdll.dll!NtQueryFullAttributesFile
  • ntdll.dll!NtQueryInformationFile
  • ntdll.dll!NtQueryInformationJobObject
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQueryKey
  • ntdll.dll!NtQueryLicenseValue
  • ntdll.dll!NtQueryPerformanceCounter
  • ntdll.dll!NtQuerySecurityAttributesToken
  • ntdll.dll!NtQuerySecurityObject
  • ntdll.dll!NtQuerySystemInformation
  • ntdll.dll!NtQuerySystemInformationEx
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtQueryWnfStateData
  • ntdll.dll!NtQueueApcThread
  • ntdll.dll!NtQueueApcThreadEx2
  • ntdll.dll!NtReadFile
  • ntdll.dll!NtReadRequestData
  • ntdll.dll!NtReadVirtualMemory
  • ntdll.dll!NtReleaseMutant
  • ntdll.dll!NtReleaseWorkerFactoryWorker
  • ntdll.dll!NtRequestWaitReplyPort
  • ntdll.dll!NtResumeThread
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationKey
  • ntdll.dll!NtSetInformationObject
  • ntdll.dll!NtSetInformationProcess
  • ntdll.dll!NtSetInformationThread
  • ntdll.dll!NtSetInformationVirtualMemory
  • ntdll.dll!NtSetInformationWorkerFactory
  • ntdll.dll!NtSetTimer2
  • ntdll.dll!NtSetTimerEx
  • ntdll.dll!NtSubscribeWnfStateChange
  • ntdll.dll!NtTestAlert
  • ntdll.dll!NtTraceControl
  • ntdll.dll!NtUnmapViewOfSection
  • ntdll.dll!NtUnmapViewOfSectionEx
  • ntdll.dll!NtUnsubscribeWnfStateChange
  • ntdll.dll!NtWaitForAlertByThreadId
  • ntdll.dll!NtWaitForMultipleObjects
  • ntdll.dll!NtWaitForSingleObject
  • ntdll.dll!NtWaitForWorkViaWorkerFactory

5 additional items are not displayed above.

User Data Access
  • GetComputerName
  • GetUserDefaultLocaleName
  • GetUserName
  • GetUserObjectInformation
Encryption Used
  • BCryptOpenAlgorithmProvider
  • CryptAcquireContext
Network Winsock2
  • WSAConnect
  • WSASocket
  • WSAStartup
  • WSAttemptAutodialName
Network Winsock
  • closesocket
  • freeaddrinfo
  • getaddrinfo
  • recv
  • send
  • setsockopt
Network Winhttp
  • WinHttpOpen
Network Info Queried
  • GetAdaptersAddresses
  • GetNetworkParams
Other Suspicious
  • AdjustTokenPrivileges
Process Shell Execute
  • CreateProcess
Anti Debug
  • IsDebuggerPresent

Shell Command Execution

"schtasks.exe" /delete /tn "WindowsUpdate" /f
"schtasks.exe" /create /tn "WindowsUpdate" /tr "c:\users\user\downloads\cec063cb22672d46f59b9e1c2b66be45089aceea_0000273920" /sc minute /mo 1 /f

Trending

Most Viewed

Loading...