Multi-License Discount Quote

Change Region

English
Threat Database Trojans Trojan.MSIL.Spy.E

Trojan.MSIL.Spy.E

By CagedTech in Trojans

Threat Scorecard

Popularity Rank: 10,612
Threat Level: 80 % (High)
Infected Computers: 135
First Seen: April 28, 2021
Last Seen: March 4, 2026
OS(es) Affected: Windows

Analysis Report

General information

Family Name: Trojan.MSIL.Spy.E
Signature status: No Signature

Known Samples

MD5: bc41a13565fb4d89a042cf4a2e17ba70
SHA1: dd58123c2e99ed3192bc26cb19c77bfc6edeb49f
SHA256: 2026D9BECC790FE1A8ABE0512239B82F31D018BD931756FAA4C27FDEC052E759
File Size: 176.13 KB, 176128 bytes
MD5: af80fe6bfc2668b3bbbcc033e75d47d3
SHA1: 8752060c689438dad1b61dba773e13b1e2c1629d
SHA256: 8E8C0B1CB08CED7A160DAB5E1CF931B3BAAEF0B714BCB21A53FBA1F2737CD1B8
File Size: 25.60 KB, 25600 bytes
MD5: 83a0e404c34c8fce7d57fc4b1f8c5731
SHA1: 7cc55f37a3f2d7bb647f37778e1c95d753ca2e46
SHA256: D831D696FB37B90EFD1B13356E7411F9832348B974194A6573FBDCE8E730A98E
File Size: 304.13 KB, 304128 bytes
MD5: b28e5327de7f41165f5cfb4d461a2f7c
SHA1: a4b020f4fa22c36f5c7731f3540a843a3ad5ec7d
SHA256: D1E428A974D6C15FDB81E4D362411B4290B706D5B2F355D84336BF928FC729AF
File Size: 25.60 KB, 25600 bytes
MD5: b41a274115eeff8a03be8edf9ca8d4d2
SHA1: 034dd54b19bd82adfc6630118b6cc9ca9443d070
SHA256: DA8053149C6684478414945D9F91CE43B083538068F747ECEF340F2F8BF16BCC
File Size: 688.13 KB, 688128 bytes

Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File doesn't have security information
  • File is .NET application
  • File is 32-bit executable
  • File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
Show More
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Icons

Windows PE Version Information

Name Value
Assembly Version
  • 1.6.2.0
  • 1.1.21.1
  • 1.0.0.0
Comments
  • A310 Logger
  • XHP Booster
Company Name
  • A310 Logger
  • Microsoft Corporation
File Description
  • A310 Logger
  • Chromium
  • Win32 Cabinet Self-Extractor
  • XHP
File Version
  • 12.9.1.22
  • 11.00.17763.1 (WinBuild.160101.0800)
  • 1.6.2.0
  • 1.0.0.0
Internal Name
  • a310logger.exe
  • Chromium.dll
  • Vibe.exe
  • Wextract
Legal Copyright
  • Copyright © 2021
  • hakanonymos Copyright © 2021
  • XHP Corporation Copyright © 2021
  • © Microsoft Corporation. All rights reserved.
Original Filename
  • a310logger.exe
  • Chromium.dll
  • Vibe.exe
  • WEXTRACT.EXE .MUI
Product Name
  • A310 Logger
  • Chromium
  • Internet Explorer
  • XHP booster
Product Version
  • 12.9.1.22
  • 11.00.17763.1
  • 1.6.2.0
  • 1.0.0.0

File Traits

  • .NET
  • CryptUnprotectData
  • dll
  • HighEntropy
  • Installer Version
  • No CryptProtectData
  • RijndaelManaged
  • Stealer
  • x86

Block Information

Similar Families

  • MSIL.Spy.E
  • MSIL.Stealer.RAR

Files Modified

File Attributes
\device\namedpipe\gmdasllogger Generic Write,Read Attributes
c:\users\user\appdata\local\temp\ixp000.tmp\si538296.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\ixp000.tmp\si538296.exe Synchronize,Write Attributes
c:\users\user\appdata\local\temp\ixp000.tmp\tmp4351$.tmp Generic Write,Read Attributes,Delete
c:\users\user\appdata\local\temp\ixp000.tmp\un073107.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\ixp000.tmp\un073107.exe Synchronize,Write Attributes
c:\users\user\appdata\local\temp\ixp001.tmp\pro9204.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\ixp001.tmp\pro9204.exe Synchronize,Write Attributes
c:\users\user\appdata\local\temp\ixp001.tmp\qu9632.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\ixp001.tmp\qu9632.exe Synchronize,Write Attributes
Show More
c:\users\user\appdata\local\temp\ixp001.tmp\tmp4351$.tmp Generic Write,Read Attributes,Delete
c:\windows\appcompat\programs\amcache.hve Read Data,Read Control,Write Data
c:\windows\appcompat\programs\amcache.hve.log1 Read Data,Write Data
c:\windows\appcompat\programs\amcache.hve.log2 Read Data,Write Data

Registry Modifications

Key::Value Data API Name
HKLM\software\microsoft\tracing\rasapi32::enablefiletracing RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasapi32::enableautofiletracing RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasapi32::enableconsoletracing RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasapi32::filetracingmask ￿ RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasapi32::consoletracingmask ￿ RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasapi32::maxfilesize  RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasapi32::filedirectory %windir%\tracing RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasmancs::enablefiletracing RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasmancs::enableautofiletracing RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasmancs::enableconsoletracing RegNtPreCreateKey
Show More
HKLM\software\microsoft\tracing\rasmancs::filetracingmask ￿ RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasmancs::consoletracingmask ￿ RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasmancs::maxfilesize  RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasmancs::filedirectory %windir%\tracing RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\windows\currentversion\runonce::wextract_cleanup0 rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Rgckpmfi\AppData\Local\Temp\IXP000.TMP\" RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\windows\currentversion\runonce::wextract_cleanup1 rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Rgckpmfi\AppData\Local\Temp\IXP001.TMP\" RegNtPreCreateKey

Windows API Usage

Category API
Syscall Use
  • ntdll.dll!NtAccessCheck
  • ntdll.dll!NtAdjustPrivilegesToken
  • ntdll.dll!NtAlertThreadByThreadId
  • ntdll.dll!NtAlpcConnectPort
  • ntdll.dll!NtAlpcConnectPortEx
  • ntdll.dll!NtAlpcCreatePortSection
  • ntdll.dll!NtAlpcCreateSectionView
  • ntdll.dll!NtAlpcCreateSecurityContext
  • ntdll.dll!NtAlpcDeleteSecurityContext
  • ntdll.dll!NtAlpcQueryInformation
Show More
  • ntdll.dll!NtAlpcQueryInformationMessage
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtAlpcSetInformation
  • ntdll.dll!NtApphelpCacheControl
  • ntdll.dll!NtAssociateWaitCompletionPacket
  • ntdll.dll!NtCancelWaitCompletionPacket
  • ntdll.dll!NtClearEvent
  • ntdll.dll!NtClose
  • ntdll.dll!NtConnectPort
  • ntdll.dll!NtCreateEvent
  • ntdll.dll!NtCreateFile
  • ntdll.dll!NtCreateIoCompletion
  • ntdll.dll!NtCreateKey
  • ntdll.dll!NtCreateMutant
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtCreateSemaphore
  • ntdll.dll!NtCreateTimer2
  • ntdll.dll!NtCreateWaitCompletionPacket
  • ntdll.dll!NtCreateWorkerFactory
  • ntdll.dll!NtDelayExecution
  • ntdll.dll!NtDeleteValueKey
  • ntdll.dll!NtDeviceIoControlFile
  • ntdll.dll!NtDuplicateObject
  • ntdll.dll!NtDuplicateToken
  • ntdll.dll!NtEnumerateKey
  • ntdll.dll!NtEnumerateValueKey
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtFsControlFile
  • ntdll.dll!NtGetCompleteWnfStateSubscription
  • ntdll.dll!NtLoadKeyEx
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtNotifyChangeKey
  • ntdll.dll!NtOpenDirectoryObject
  • ntdll.dll!NtOpenEvent
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenKeyEx
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtOpenProcessTokenEx
  • ntdll.dll!NtOpenSection
  • ntdll.dll!NtOpenSemaphore
  • ntdll.dll!NtOpenSymbolicLinkObject
  • ntdll.dll!NtOpenThread
  • ntdll.dll!NtOpenThreadToken
  • ntdll.dll!NtOpenThreadTokenEx
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryDebugFilterState
  • ntdll.dll!NtQueryDefaultLocale
  • ntdll.dll!NtQueryDirectoryFileEx
  • ntdll.dll!NtQueryFullAttributesFile
  • ntdll.dll!NtQueryInformationFile
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQueryKey
  • ntdll.dll!NtQueryLicenseValue
  • ntdll.dll!NtQueryPerformanceCounter
  • ntdll.dll!NtQuerySecurityAttributesToken
  • ntdll.dll!NtQuerySecurityObject
  • ntdll.dll!NtQuerySymbolicLinkObject
  • ntdll.dll!NtQuerySystemInformation
  • ntdll.dll!NtQuerySystemInformationEx
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtQueryWnfStateData
  • ntdll.dll!NtQueueApcThread
  • ntdll.dll!NtReadVirtualMemory
  • ntdll.dll!NtReleaseMutant
  • ntdll.dll!NtReleaseSemaphore
  • ntdll.dll!NtReleaseWorkerFactoryWorker
  • ntdll.dll!NtRequestWaitReplyPort
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationKey
  • ntdll.dll!NtSetInformationProcess
  • ntdll.dll!NtSetInformationThread
  • ntdll.dll!NtSetInformationVirtualMemory
  • ntdll.dll!NtSetInformationWorkerFactory
  • ntdll.dll!NtSetTimer2
  • ntdll.dll!NtSetValueKey
  • ntdll.dll!NtSubscribeWnfStateChange
  • ntdll.dll!NtTestAlert
  • ntdll.dll!NtTraceControl
  • ntdll.dll!NtTraceEvent
  • ntdll.dll!NtUnmapViewOfSection
  • ntdll.dll!NtUnmapViewOfSectionEx
  • ntdll.dll!NtUnsubscribeWnfStateChange
  • ntdll.dll!NtWaitForAlertByThreadId
  • ntdll.dll!NtWaitForSingleObject

12 additional items are not displayed above.

User Data Access
  • GetComputerName
  • GetUserDefaultLocaleName
  • GetUserObjectInformation
Anti Debug
  • IsDebuggerPresent
  • NtQuerySystemInformation
Encryption Used
  • BCryptOpenAlgorithmProvider
  • CryptAcquireContext
Other Suspicious
  • AdjustTokenPrivileges
Network Winsock2
  • WSAConnect
  • WSASocket
  • WSAStartup
  • WSAttemptAutodialName
Network Winsock
  • closesocket
  • freeaddrinfo
  • getaddrinfo
  • inet_addr
  • recv
  • send
  • setsockopt
Network Winhttp
  • WinHttpOpen
Network Info Queried
  • GetAdaptersAddresses
  • GetNetworkParams
Process Shell Execute
  • CreateProcess
Process Manipulation Evasion
  • NtUnmapViewOfSection
  • ReadProcessMemory

Shell Command Execution

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\\dw20.exe dw20.exe -x -s 1644
C:\Users\Rgckpmfi\AppData\Local\Temp\IXP000.TMP\un073107.exe
C:\Users\Rgckpmfi\AppData\Local\Temp\IXP001.TMP\pro9204.exe

Trending

Most Viewed

Loading...