Trojan.MSIL.Stealer.L

By CagedTech in Stealers, Trojans

Threat Scorecard

Popularity Rank: 11,793
Threat Level: 80 % (High)
Infected Computers: 9,207
First Seen: December 21, 2021
Last Seen: March 18, 2026
OS(es) Affected: Windows

Analysis Report

General information

Family Name: Trojan.MSIL.Stealer.L
Signature status: Hash Mismatch

Known Samples


Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File doesn't have relocations information
  • File doesn't have security information
  • File is .NET application
  • File is 32-bit executable
  • File is 64-bit executable
  • File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

Windows PE Version Information

Name Value
Assembly Version
  • 9.2.1.2
  • 3.5.6.0
  • 1.0.0.3
  • 1.0.0.0
Comments
  • eFootball No Crowd & FPS unlocking
  • Install
Company Name
  • Ahmed Suror
  • Install
File Description
  • Chicken
  • Corbie
  • Digital
  • eFootball No Crowd & FPS unlocking
  • Install
  • Purpose
File Version
  • 4.0.1.2
  • 3.6.0.0
  • 1.0.0.3
  • 1.0.0.0
Internal Name
  • Chicken.exe
  • Digital.exe
  • eFootballPatcher.exe
  • Install.exe
  • Paradise.exe
  • Purpose.exe
Legal Copyright
  • Copyright © 2023
  • Copyright © 2025
  • Copyright © 2029
  • Copyright © Ahmed Suror 2009 - 2024
Legal Trademarks
  • AS
  • Install
Original Filename
  • Chicken.exe
  • Digital.exe
  • eFootballPatcher.exe
  • Install.exe
  • Paradise.exe
  • Purpose.exe
Product Name
  • Chicken
  • Corbie
  • Digital
  • eFootball Patcher
  • Install
  • Purpose
Product Version
  • 4.0.1.2
  • 3.6-build20
  • 1.0.0.3
  • 1.0.0.0

Digital Signatures

Signer | Root | Status
NetEase (Hangzhou) Network Co., Ltd | DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1 | Hash Mismatch
Microsoft Corporation | Microsoft Code Signing PCA 2010 | Hash Mismatch
Microsoft Corporation | Microsoft Code Signing PCA 2011 | Hash Mismatch

File Traits

  • .NET
  • CreateThread
  • GenKrypt
  • HighEntropy
  • Installer Version
  • No Version Info
  • Reactor
  • Reflective
  • RijndaelManaged
  • x64
  • x86

Block Information

Total Blocks: 58
Potentially Malicious Blocks: 4
Whitelisted Blocks: 54
Unknown Blocks: 0

Visual Map

0 x 0 0 x x 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Similar Families

  • MSIL.Agent.LOD
  • MSIL.Agent.ONR
  • MSIL.Agent.XFB
  • MSIL.Agent.XY
  • MSIL.AgentTesla.DH
  • MSIL.AgentTesla.LP
  • MSIL.AgentTesla.PH
  • MSIL.Bladabindi.LB
  • MSIL.Bladabindi.LE
  • MSIL.Coinminer.AH
  • MSIL.DllInject.Z
  • MSIL.Downloader.PFA
  • MSIL.Downloader.PFB
  • MSIL.Dropper.XC
  • MSIL.Krypt.D
  • MSIL.Krypt.GJLD
  • MSIL.Krypt.MJC
  • MSIL.Krypt.MJG
  • MSIL.Krypt.OFB
  • MSIL.Krypt.POB
  • MSIL.Kryptik.SA
  • MSIL.Mardom.AJ
  • MSIL.Mardom.JG
  • MSIL.Mardom.TJA
  • MSIL.Mardom.TK
  • MSIL.Quasar.I
  • MSIL.Redline.AR
  • MSIL.Stealer.KU
  • MSIL.Ursu.TJG

Files Modified

File | Attributes
c:\users\user\appdata\locallow\microsoft\cryptneturlcache\content\3acf660917f73e764d4410bf1eaa48f5 | Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\locallow\microsoft\cryptneturlcache\content\fee33ce020c970ea56929081c2d05808 | Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\locallow\microsoft\cryptneturlcache\metadata\3acf660917f73e764d4410bf1eaa48f5 | Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\locallow\microsoft\cryptneturlcache\metadata\fee33ce020c970ea56929081c2d05808 | Generic Read,Write Data,Write Attributes,Write extended,Append data

Registry Modifications

Key::Value | Data | API Name
HKCU\software\microsoft\systemcertificates\ca\certificates\be68d0adaa2345b48e507320b695d386080e5b25::blob | | RegNtPreCreateKey
HKCU\software\microsoft\systemcertificates\ca\certificates\31600991ed5fec63d355a5484a6dcc787ead89bc::blob | | RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\5.0\cache\content::cacheprefix | | RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\5.0\cache\cookies::cacheprefix | Cookie: | RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\5.0\cache\history::cacheprefix | Visited: | RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass | | RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname | | RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet | | RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect | | RegNtPreCreateKey

Windows API Usage

Category API
User Data Access
  • GetComputerNameEx
  • GetUserDefaultLocaleName
  • GetUserObjectInformation
Anti Debug
  • IsDebuggerPresent
  • NtQuerySystemInformation
Process Terminate
  • TerminateProcess
Other Suspicious
  • AdjustTokenPrivileges
Process Manipulation Evasion
  • NtUnmapViewOfSection
Encryption Used
  • BCryptOpenAlgorithmProvider
Syscall Use
  • ntdll.dll!NtAccessCheck
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtApphelpCacheControl
  • ntdll.dll!NtClearEvent
  • ntdll.dll!NtClose
  • ntdll.dll!NtCreateEvent
  • ntdll.dll!NtCreateMutant
  • ntdll.dll!NtCreatePrivateNamespace
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtCreateThreadEx
  • ntdll.dll!NtDeviceIoControlFile
  • ntdll.dll!NtDuplicateObject
  • ntdll.dll!NtDuplicateToken
  • ntdll.dll!NtEnumerateKey
  • ntdll.dll!NtEnumerateValueKey
  • ntdll.dll!NtFlushProcessWriteBuffers
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtOpenDirectoryObject
  • ntdll.dll!NtOpenEvent
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenKeyEx
  • ntdll.dll!NtOpenProcess
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtOpenSection
  • ntdll.dll!NtOpenThreadToken
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryDefaultLocale
  • ntdll.dll!NtQueryDirectoryFileEx
  • ntdll.dll!NtQueryFullAttributesFile
  • ntdll.dll!NtQueryInformationFile
  • ntdll.dll!NtQueryInformationJobObject
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQueryKey
  • ntdll.dll!NtQueryLicenseValue
  • ntdll.dll!NtQueryPerformanceCounter
  • ntdll.dll!NtQuerySecurityAttributesToken
  • ntdll.dll!NtQuerySecurityObject
  • ntdll.dll!NtQuerySystemInformation
  • ntdll.dll!NtQuerySystemInformationEx
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtQueryWnfStateData
  • ntdll.dll!NtReadFile
  • ntdll.dll!NtReadRequestData
  • ntdll.dll!NtReleaseMutant
  • ntdll.dll!NtReleaseWorkerFactoryWorker
  • ntdll.dll!NtResumeThread
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationKey
  • ntdll.dll!NtSetInformationProcess
  • ntdll.dll!NtSetInformationThread
  • ntdll.dll!NtSetInformationVirtualMemory
  • ntdll.dll!NtSetInformationWorkerFactory
  • ntdll.dll!NtSubscribeWnfStateChange
  • ntdll.dll!NtTestAlert
  • ntdll.dll!NtTraceControl
  • ntdll.dll!NtUnmapViewOfSection
  • ntdll.dll!NtUnmapViewOfSectionEx
  • ntdll.dll!NtWaitForMultipleObjects
  • ntdll.dll!NtWaitForSingleObject
  • ntdll.dll!NtWaitForWorkViaWorkerFactory
  • ntdll.dll!NtWaitLowEventPair
  • ntdll.dll!NtWriteFile
  • ntdll.dll!NtYieldExecution
  • UNKNOWN
