Trojan.Parite.FA
Analysis Report
General information
| Family Name: | Trojan.Parite.FA |
|---|---|
| Signature status: | No Signature |
Known Samples
This section lists other file samples believed to be associated with this family.
| MD5 | SHA1 | SHA256 | File Size |
|---|---|---|---|
| f1977e945d4336ed360da35e7ac0e4a9 | 03015a8e6fcf13639d465c4d5aa6d3bbd51da171 | 79D084DC93BB205AC79833D01310875D9C77DBB1D0962375E82AD01F38C0935B | 1.07 MB, 1073120 bytes |
| dabb5479bc995c4413ae157ba73e7484 | 49a7ad7ec6db1a307c18f73735a4500c95af24f0 | 64A3D4D21C6C00ADFF67CFE468CA2F0D5DB7BB320F37A4D0273CF782AD4EFE6B | 373.78 KB, 373784 bytes |
| bd52d0855f703b72872fa1b729429fb5 | 19d5d521d405c03b2e79fb2126ad897984c9dbbd | B4A7B47ACF0F4FB93BA47499FD4A801AFDC59CD1D898A2F8460B2BBBD44593D3 | 376.71 KB, 376712 bytes |
| 600be80a0a3166b5a82a37cd6ca96419 | c04f3c925210716d20da8f848f75cf76f745d55b | AB185117E460B5AECC2EF598A04B5EE2B8F78DD717F0C91F61354C7CFA58BC66 | 370.66 KB, 370656 bytes |
| a863aeee69811981aeede16db886ab4a | dc9d8a01b68064527bc57fcbcb5148c5e46f61cb | 0ED975D0790C65DC455F16894AF987CBC0B04E754BFC54E9112DFC9FED7C2F8F | 2.63 MB, 2632824 bytes |
| 5e43529c36de81da42afb9c16fc482c9 | 86acfbce0354c72aef7bdb41b3dd5226ba1e5e97 | F0F90595FF318EE6CA0FFF2A7B166C175A69C656028282DD7787E0DF85963231 | 405.29 KB, 405288 bytes |
| 921bf4e6e53b6d209ed413694ae32e74 | b6b805f10f58444748ab8af210b48751008fe9af | 5E43CC4D90A3992A45316602DCB480919BF4DC6253A9D8A717F2517C4810DE36 | 628.58 KB, 628584 bytes |
| ed57483cd01de1107c8ea7dab81be9c1 | f3ef22810172d67be5ff4dc367d454e2484cda42 | 34693391392486984C04B9A81FE88E0B9B134B99E79156F144CE4E84D3E02A22 | 730.10 KB, 730096 bytes |
| b3558eb15b071e8289796ce05fc014ac | 55cd76ad12c2e40145520349adb96a2625418d7a | BC4F2B7F1C3FCC79280BE0E8B35948F6C55D26A3F044EDB08A26DC6A35A7B1A7 | 3.62 MB, 3620856 bytes |
| d9adca8c99e176e1306c298bb8a6369e | 28084b546f364b3f23c77bd7f5e3d542663a4375 | C62547B2F828E722BC5C391361C6505876F9FF9E4105324B239ACF17163DED41 | 665.88 KB, 665880 bytes |
| a5037308d7d77f100fce8ec703b6ea4a | 67e8987cffa47467cd2b48e57f1d7a4a874d9ec4 | 383FAC768ABAE6FE94DC933D0077DB4FA91368958BD4F1F977B709CA925F5A33 | 979.97 KB, 979968 bytes |
| c6609ee9666e055414386d7ecb9d0e58 | 8528bf12e71f085195aadda4208e3f02870c6aca | DBFC4A9FBE966778CEC9FF45F41C52214FF9CC8DC2B4BA6C5B82ACC028DCF8C5 | 1.97 MB, 1967384 bytes |
| 6151828a33dfa9033dfeccbd57e250e4 | 22a00272bac5c65782e376dc5d428aa4274e9706 | 2A6880FABC5109005D2B9A3C9BCB7244E348B03F0523DF46D278EC0CCB03489B | 345.22 KB, 345224 bytes |
| b0c3792a7fc9f430eb4b89cbb81ceaeb | f49229bd1d599013e61323105ea48e9c47bc7c8f | D578C69CA3FE004019FC4BB87B7BB90EF94A62A8CDFB1A3A26AFA72FD70FB2C4 | 396.45 KB, 396448 bytes |
| 5d7fe52e5866c0d527262215b2e44288 | 253ea2cc5ec4484f67dc45b017fb098bf1cb8004 | 3F48EA7C609404FF85E2785ADBB626D5388EC8FB3F57FCAD19F5363B8CFDCD26 | 569.86 KB, 569856 bytes |
| d18f772663a740b23b62fa84a8552b36 | dda63014ec48b6d4d3d2d88247bbb8cb1c70bbed | 8C9774B4589E56F2696170DB9030A05640F2929DE7F2B086C51C9F0CE3C1A7A2 | 531.33 KB, 531328 bytes |
| 420273394eb4d01d236e2ca7e2f81016 | 50d3f8771d3f355f6889a7594a313ac16add30ce | 51DBFE1E56DDFA00D62EC0D012D44A0C3616AA02E6B816EFA92E005BEA22F13D | 1.56 MB, 1562856 bytes |
| 1480a622468b3235b91c72fbc70a4207 | cfeac955c044dda62d54bb82474570605e834332 | A97280C7B9021AB733D622AF6368FBF5BBC39075848671C29F41726D47EB30DB | 426.65 KB, 426648 bytes |
| 4a0b9a0de1489c15b38d5d113e63ac2a | c5dd297455f3a45fd6a279e497a5615b7fe9db2e | 656842AED22FA66EEAE75CCE539DC70B5683D904EB096D17C2EF7BF3E075F019 | 627.20 KB, 627200 bytes |
| 19229548c57563505af98562554fa64e | 851141b715d0cc6213a9fb5d83cc23033d671372 | 6EBB8904026C11F88A96A158E146D057B34D69C1DEFC6A2A4A890CC27C1A465A | 2.29 MB, 2294488 bytes |
| 6e9310aaca45733c1440f0e0e2aebaa5 | 98de93ff0ffacf376faf572f9deb16282e3993fb | 35265E6F3DCB6965D9B82CEC7B2B02594B8F6DA9554D0395DC787AFDE459B4DC | 339.38 KB, 339376 bytes |
| 2a7750ed5b56a79b0fb368e16fb11279 | cae8e29bac8196c08d9b92fa533705220425af6e | EDED9D0FD762685FA4FD5DF8234F3C0778BB6433C8AB975413C8720B4D0C15BC | 659.16 KB, 659160 bytes |
| e2b329d4c69ff0f5eb0931a9cc139c65 | 1d2026f6219e730ae8631cdbc92f8a9f08466519 | 7EB2FDDFF7A8F632DADC642FDF1477F7F17C9B92B1619F595C9DD278C1783EF9 | 549.78 KB, 549784 bytes |
| 136d71f7c7bfd87c67a132874ebe4293 | 316f4d9db064d04aa45cd07b32a9f5831644afe6 | 3FA9F8FE97D933B52BD77AAC4453E4F77E5A5238B4A0454DF64F085D8B082F43 | 971.51 KB, 971512 bytes |
Windows Portable Executable Attributes
- File doesn't have "Rich" header
- File doesn't have debug information
- File doesn't have exports table
- File doesn't have relocations information
- File doesn't have security information
- File is 32-bit executable
- File is either console or GUI application
- File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
- File is Native application (NOT .NET application)
- File is not packed
- IMAGE_FILE_DLL is not set inside PE header (Executable)
- IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)
File Icons
This section displays icon resources found within family samples. Malware often replicates icons commonly associated with legitimate software to mislead users into believing the malware is safe.
(Icon images are not reproduced here; 34 additional icons were not displayed in the source.)
Windows PE Version Information
This section displays values and attributes that have been set in the Windows file version information data structure for samples within this family. To mislead users, malware actors often add fake version information mimicking legitimate software.
| Name | Value |
|---|---|
| Assembly Version | |
| Coder | By BlueLife |
| Comments | |
| Company Name | |
| File Description | |
| File Version | |
| Internal Name | |
| Legal Copyright | |
| Legal Trademarks | IObit |
| Original Filename | |
| Private Build | Build 146199 |
| Product Name | |
| Product Version | |
| Source Control ID | 8563863 |
Fields left blank had their values collapsed in the source and are not reproduced here.
File Traits
- 2+ executable sections
- big overlay
- HighEntropy
- Inno
- InnoSetup Installer
- Installer Manifest
- Installer Version
- No Version Info
- x86
Block Information
During analysis, EnigmaSoft breaks file samples into logical blocks for classification and comparison with other samples. Blocks can be used to generate malware detection rules and to group file samples into families based on shared source code, functionality and other distinguishing attributes and characteristics. This section lists a summary of this block data, as well as its classification by EnigmaSoft. A visual representation of the block data is also displayed, where available.
| Total Blocks: | 284 |
|---|---|
| Potentially Malicious Blocks: | 104 |
| Whitelisted Blocks: | 162 |
| Unknown Blocks: | 18 |
Visual Map
(The block map image is not reproduced here; each block in it is marked with one of the legend symbols below.)
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block
Similar Families
This section lists other families that share similarities with this family, based on EnigmaSoft’s analysis. Many malware families are created from the same malware toolkits and use the same packing and encryption techniques but uniquely extend functionality. Similar families may also share source code, attributes, icons, subcomponents, compromised and/or invalid digital signatures, and network characteristics. Researchers leverage these similarities to rapidly and effectively triage file samples and extend malware detection rules.
- Jeefo.A
- Parite.F
- Parite.FA
- Parite.W
Files Modified
This section lists files that were created, modified, moved and/or deleted by samples in this family. File system activity can provide valuable insight into how malware functions on the operating system.
| File | Attributes |
|---|---|
| \device\namedpipe\gmdasllogger | Generic Write,Read Attributes |
| \device\namedpipe\sgdownloadpipenew2 | Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 786432 |
| c:\program files (x86)\common files\microsoft shared\msinfo\msinfo32.exe | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\electronic arts\ea desktop\logs\igoproxy_f49229bd1d599013e61323105ea48e9c47bc7c8f_0000396448.log | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\00790b9c_rar\316f4d9db064d04aa45cd07b32a9f5831644afe6_0000971512 | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\00790b9c_rar\316f4d9db064d04aa45cd07b32a9f5831644afe6_0000971512 | Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144 |
| c:\users\user\appdata\local\temp\00790bab_rar\316f4d9db064d04aa45cd07b32a9f5831644afe6_0000971512 | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\00790bab_rar\316f4d9db064d04aa45cd07b32a9f5831644afe6_0000971512 | Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144 |
| c:\users\user\appdata\local\temp\00790c96_rar\316f4d9db064d04aa45cd07b32a9f5831644afe6_0000971512 | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\00790c96_rar\316f4d9db064d04aa45cd07b32a9f5831644afe6_0000971512 | Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144 |
| c:\users\user\appdata\local\temp\00790d61_rar\316f4d9db064d04aa45cd07b32a9f5831644afe6_0000971512 | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\00790d61_rar\316f4d9db064d04aa45cd07b32a9f5831644afe6_0000971512 | Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144 |
| c:\users\user\appdata\local\temp\00790e3c_rar\316f4d9db064d04aa45cd07b32a9f5831644afe6_0000971512 | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\00790e3c_rar\316f4d9db064d04aa45cd07b32a9f5831644afe6_0000971512 | Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144 |
| c:\users\user\appdata\local\temp\316f4d9db064d04aa45cd07b32a9f5831644afe6_0000971512 | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\316f4d9db064d04aa45cd07b32a9f5831644afe6_0000971512 | Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144 |
| c:\users\user\appdata\local\temp\316f4d9db064d04aa45cd07b32a9f5831644afe6_0000971512 | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\3582-490\c5dd297455f3a45fd6a279e497a5615b7fe9db2e_0000627200 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\is-lsn1o.tmp\8528bf12e71f085195aadda4208e3f02870c6aca_0001967384.tmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\is-ugnrv.tmp\_isetup\_regdll.tmp | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\is-ugnrv.tmp\_isetup\_setup64.tmp | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\is-ugnrv.tmp\_isetup\_shfoldr.dll | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\is-ugnrv.tmp\firewallinstallhelper.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nemux-downloader-39fc59e8-ec09-4806-9a38-1582e5479b62.log | Generic Write,Read Attributes |
| c:\users\user\appdata\locallow\microsoft\cryptneturlcache\content\698460a0b6e60f2f602361424d832905_8bb23d43de574e82f2bee0df0ec47eeb | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\locallow\microsoft\cryptneturlcache\content\8ec9b1d0abbd7f98b401d425828828ce_0f573fcd857350c13752ea188f27d043 | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\locallow\microsoft\cryptneturlcache\content\c8e534ee129f27d55460ce17fd628216_1130d9b25898b0db0d4f04dc5b93f141 | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\locallow\microsoft\cryptneturlcache\metadata\698460a0b6e60f2f602361424d832905_8bb23d43de574e82f2bee0df0ec47eeb | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\locallow\microsoft\cryptneturlcache\metadata\8ec9b1d0abbd7f98b401d425828828ce_0f573fcd857350c13752ea188f27d043 | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\locallow\microsoft\cryptneturlcache\metadata\c8e534ee129f27d55460ce17fd628216_1130d9b25898b0db0d4f04dc5b93f141 | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\downloads\03015a8e6fcf13639d465c4d5aa6d3bbd51da171_0001073120 | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\downloads\03015a8e6fcf13639d465c4d5aa6d3bbd51da171_0001073120 | Generic Write,Read Attributes |
| c:\users\user\downloads\03015a8e6fcf13639d465c4d5aa6d3bbd51da171_0001073120 | Synchronize,Write Attributes |
| c:\users\user\downloads\19d5d521d405c03b2e79fb2126ad897984c9dbbd_0000376712 | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\downloads\19d5d521d405c03b2e79fb2126ad897984c9dbbd_0000376712 | Generic Write,Read Attributes |
| c:\users\user\downloads\19d5d521d405c03b2e79fb2126ad897984c9dbbd_0000376712 | Synchronize,Write Attributes |
| c:\users\user\downloads\1d2026f6219e730ae8631cdbc92f8a9f08466519_0000549784 | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\downloads\1d2026f6219e730ae8631cdbc92f8a9f08466519_0000549784 | Generic Write,Read Attributes |
| c:\users\user\downloads\1d2026f6219e730ae8631cdbc92f8a9f08466519_0000549784 | Synchronize,Write Attributes |
| c:\users\user\downloads\22a00272bac5c65782e376dc5d428aa4274e9706_0000345224 | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\downloads\22a00272bac5c65782e376dc5d428aa4274e9706_0000345224 | Generic Write,Read Attributes |
| c:\users\user\downloads\22a00272bac5c65782e376dc5d428aa4274e9706_0000345224 | Synchronize,Write Attributes |
| c:\users\user\downloads\253ea2cc5ec4484f67dc45b017fb098bf1cb8004_0000569856 | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\downloads\253ea2cc5ec4484f67dc45b017fb098bf1cb8004_0000569856 | Generic Write,Read Attributes |
| c:\users\user\downloads\253ea2cc5ec4484f67dc45b017fb098bf1cb8004_0000569856 | Synchronize,Write Attributes |
| c:\users\user\downloads\28084b546f364b3f23c77bd7f5e3d542663a4375_0000665880 | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\downloads\28084b546f364b3f23c77bd7f5e3d542663a4375_0000665880 | Generic Write,Read Attributes |
| c:\users\user\downloads\28084b546f364b3f23c77bd7f5e3d542663a4375_0000665880 | Synchronize,Write Attributes |
| c:\users\user\downloads\316f4d9db064d04aa45cd07b32a9f5831644afe6_0000971512 | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\downloads\316f4d9db064d04aa45cd07b32a9f5831644afe6_0000971512 | Generic Write,Read Attributes |
| c:\users\user\downloads\316f4d9db064d04aa45cd07b32a9f5831644afe6_0000971512 | Synchronize,Write Attributes |
| c:\users\user\downloads\49a7ad7ec6db1a307c18f73735a4500c95af24f0_0000373784 | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\downloads\49a7ad7ec6db1a307c18f73735a4500c95af24f0_0000373784 | Generic Write,Read Attributes |
| c:\users\user\downloads\49a7ad7ec6db1a307c18f73735a4500c95af24f0_0000373784 | Synchronize,Write Attributes |
| c:\users\user\downloads\50d3f8771d3f355f6889a7594a313ac16add30ce_0001562856 | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\downloads\50d3f8771d3f355f6889a7594a313ac16add30ce_0001562856 | Generic Write,Read Attributes |
| c:\users\user\downloads\50d3f8771d3f355f6889a7594a313ac16add30ce_0001562856 | Synchronize,Write Attributes |
| c:\users\user\downloads\55cd76ad12c2e40145520349adb96a2625418d7a_0003620856 | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\downloads\55cd76ad12c2e40145520349adb96a2625418d7a_0003620856 | Generic Write,Read Attributes |
| c:\users\user\downloads\55cd76ad12c2e40145520349adb96a2625418d7a_0003620856 | Synchronize,Write Attributes |
| c:\users\user\downloads\67e8987cffa47467cd2b48e57f1d7a4a874d9ec4_0000979968 | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\downloads\67e8987cffa47467cd2b48e57f1d7a4a874d9ec4_0000979968 | Generic Write,Read Attributes |
| c:\users\user\downloads\67e8987cffa47467cd2b48e57f1d7a4a874d9ec4_0000979968 | Synchronize,Write Attributes |
| c:\users\user\downloads\851141b715d0cc6213a9fb5d83cc23033d671372_0002294488 | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\downloads\851141b715d0cc6213a9fb5d83cc23033d671372_0002294488 | Generic Write,Read Attributes |
| c:\users\user\downloads\851141b715d0cc6213a9fb5d83cc23033d671372_0002294488 | Synchronize,Write Attributes |
| c:\users\user\downloads\8528bf12e71f085195aadda4208e3f02870c6aca_0001967384 | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\downloads\8528bf12e71f085195aadda4208e3f02870c6aca_0001967384 | Generic Write,Read Attributes |
| c:\users\user\downloads\8528bf12e71f085195aadda4208e3f02870c6aca_0001967384 | Synchronize,Write Attributes |
| c:\users\user\downloads\86acfbce0354c72aef7bdb41b3dd5226ba1e5e97_0000405288 | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\downloads\86acfbce0354c72aef7bdb41b3dd5226ba1e5e97_0000405288 | Generic Write,Read Attributes |
| c:\users\user\downloads\86acfbce0354c72aef7bdb41b3dd5226ba1e5e97_0000405288 | Synchronize,Write Attributes |
| c:\users\user\downloads\98de93ff0ffacf376faf572f9deb16282e3993fb_0000339376 | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\downloads\98de93ff0ffacf376faf572f9deb16282e3993fb_0000339376 | Generic Write,Read Attributes |
| c:\users\user\downloads\98de93ff0ffacf376faf572f9deb16282e3993fb_0000339376 | Synchronize,Write Attributes |
| c:\users\user\downloads\b6b805f10f58444748ab8af210b48751008fe9af_0000628584 | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\downloads\b6b805f10f58444748ab8af210b48751008fe9af_0000628584 | Generic Write,Read Attributes |
| c:\users\user\downloads\b6b805f10f58444748ab8af210b48751008fe9af_0000628584 | Synchronize,Write Attributes |
| c:\users\user\downloads\c04f3c925210716d20da8f848f75cf76f745d55b_0000370656 | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\downloads\c04f3c925210716d20da8f848f75cf76f745d55b_0000370656 | Generic Write,Read Attributes |
| c:\users\user\downloads\c04f3c925210716d20da8f848f75cf76f745d55b_0000370656 | Synchronize,Write Attributes |
| c:\users\user\downloads\c5dd297455f3a45fd6a279e497a5615b7fe9db2e_0000627200 | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\downloads\c5dd297455f3a45fd6a279e497a5615b7fe9db2e_0000627200 | Generic Write,Read Attributes |
| c:\users\user\downloads\c5dd297455f3a45fd6a279e497a5615b7fe9db2e_0000627200 | Synchronize,Write Attributes |
| c:\users\user\downloads\cae8e29bac8196c08d9b92fa533705220425af6e_0000659160 | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\downloads\cae8e29bac8196c08d9b92fa533705220425af6e_0000659160 | Generic Write,Read Attributes |
| c:\users\user\downloads\cae8e29bac8196c08d9b92fa533705220425af6e_0000659160 | Synchronize,Write Attributes |
| c:\users\user\downloads\cfeac955c044dda62d54bb82474570605e834332_0000426648 | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\downloads\cfeac955c044dda62d54bb82474570605e834332_0000426648 | Generic Write,Read Attributes |
| c:\users\user\downloads\cfeac955c044dda62d54bb82474570605e834332_0000426648 | Synchronize,Write Attributes |
| c:\users\user\downloads\dc9d8a01b68064527bc57fcbcb5148c5e46f61cb_0002632824 | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\downloads\dc9d8a01b68064527bc57fcbcb5148c5e46f61cb_0002632824 | Generic Write,Read Attributes |
| c:\users\user\downloads\dc9d8a01b68064527bc57fcbcb5148c5e46f61cb_0002632824 | Synchronize,Write Attributes |
| c:\users\user\downloads\dda63014ec48b6d4d3d2d88247bbb8cb1c70bbed_0000531328 | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\downloads\dda63014ec48b6d4d3d2d88247bbb8cb1c70bbed_0000531328 | Generic Write,Read Attributes |
| c:\users\user\downloads\dda63014ec48b6d4d3d2d88247bbb8cb1c70bbed_0000531328 | Synchronize,Write Attributes |
| c:\users\user\downloads\f3ef22810172d67be5ff4dc367d454e2484cda42_0000730096 | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\downloads\f3ef22810172d67be5ff4dc367d454e2484cda42_0000730096 | Generic Write,Read Attributes |
| c:\users\user\downloads\f3ef22810172d67be5ff4dc367d454e2484cda42_0000730096 | Synchronize,Write Attributes |
| c:\users\user\downloads\f49229bd1d599013e61323105ea48e9c47bc7c8f_0000396448 | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\downloads\f49229bd1d599013e61323105ea48e9c47bc7c8f_0000396448 | Generic Write,Read Attributes |
| c:\users\user\downloads\f49229bd1d599013e61323105ea48e9c47bc7c8f_0000396448 | Synchronize,Write Attributes |
| c:\users\user\downloads\log.txt | Generic Write,Read Attributes |
| c:\users\user\downloads\squirrelsetup.log | Generic Write,Read Attributes |
| c:\users\user\downloads\steam_monitor.exe.log | Generic Write,Read Attributes |
| c:\windows\appcompat\programs\amcache.hve | Read Data,Read Control,Write Data |
| c:\windows\appcompat\programs\amcache.hve | Write Attributes |
| c:\windows\svchost.com | Generic Write,Read Attributes |
| c:\windows\svchost.exe | Generic Write,Read Attributes |
| c:\windows\system.ini | Generic Read,Write Data,Write Attributes,Write extended,Append data |
Registry Modifications
This section lists registry keys and values that were created, modified and/or deleted by samples in this family. Windows Registry activity can provide valuable insight into malware functionality. Additionally, malware often creates registry values to allow itself to automatically start and indefinitely persist after an initial infection has compromised the system.
| Key::Value | Data | API Name |
|---|---|---|
| HKLM\software\wow6432node\nemuserver::uuid | 34f98ab6-9a54-4c41-8be1-53566a0b0538 | RegNtPreCreateKey |
| HKLM\software\wow6432node\nemuserver::channel | nochannel | RegNtPreCreateKey |
| HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe | (binary data) | RegNtPreCreateKey |
| HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass | | RegNtPreCreateKey |
| HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname | | RegNtPreCreateKey |
| HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet | | RegNtPreCreateKey |
| HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect | | RegNtPreCreateKey |
| HKLM\software\classes\exefile\shell\open\command:: | C:\WINDOWS\svchost.com "%1" %* | RegNtPreCreateKey |
| HKLM\software\microsoft\systemcertificates\authroot\certificates\ddfb16cd4931c973a2037d3fc83a4d7d775d05e4::blob | | RegNtPreCreateKey |
| HKLM\system\software\microsoft\tip\aggregateresults::data | (binary data) | RegNtPreCreateKey |
| HKCU\software\microsoft\windows\currentversion\explorer\advanced::hidden | | RegNtPreCreateKey |
| HKLM\software\wow6432node\microsoft\security center::antivirusoverride | | RegNtPreCreateKey |
| HKLM\software\wow6432node\microsoft\security center::antivirusdisablenotify | | RegNtPreCreateKey |
| HKLM\software\wow6432node\microsoft\security center::firewalldisablenotify | | RegNtPreCreateKey |
| HKLM\software\wow6432node\microsoft\security center::firewalloverride | | RegNtPreCreateKey |
| HKLM\software\wow6432node\microsoft\security center::updatesdisablenotify | | RegNtPreCreateKey |
| HKLM\software\wow6432node\microsoft\security center::uacdisablenotify | | RegNtPreCreateKey |
| HKLM\software\wow6432node\microsoft\security center\svc::antivirusoverride | | RegNtPreCreateKey |
| HKLM\software\wow6432node\microsoft\security center\svc::antivirusdisablenotify | | RegNtPreCreateKey |
| HKLM\software\wow6432node\microsoft\security center\svc::firewalldisablenotify | | RegNtPreCreateKey |
| HKLM\software\wow6432node\microsoft\security center\svc::firewalloverride | | RegNtPreCreateKey |
| HKLM\software\wow6432node\microsoft\security center\svc::updatesdisablenotify | | RegNtPreCreateKey |
| HKLM\software\wow6432node\microsoft\security center\svc::uacdisablenotify | | RegNtPreCreateKey |
| HKCU\software\microsoft\windows\currentversion\internet settings::globaluseroffline | | RegNtPreCreateKey |
| HKLM\software\microsoft\windows\currentversion\policies\system::enablelua | | RegNtPreCreateKey |
| HKLM\system\controlset001\services\sharedaccess\parameters\firewallpolicy\standardprofile::enablefirewall | | RegNtPreCreateKey |
| HKLM\system\controlset001\services\sharedaccess\parameters\firewallpolicy\standardprofile::donotallowexceptions | | RegNtPreCreateKey |
| HKLM\system\controlset001\services\sharedaccess\parameters\firewallpolicy\standardprofile::disablenotifications | | RegNtPreCreateKey |
| HKCU\software\apcr\1214104697::1919251317 | | RegNtPreCreateKey |
| HKCU\software\apcr\1214104697::-456464662 | | RegNtPreCreateKey |
| HKCU\software\apcr\1214104697::1462786655 | | RegNtPreCreateKey |
| HKCU\software\apcr\1214104697::-912929324 | # | RegNtPreCreateKey |
| HKCU\software\apcr\1214104697::1006321993 | (binary data) | RegNtPreCreateKey |
| HKCU\software\apcr\1214104697::-1369393986 | http://www.ledyazilim.com/logo.gif http://ksandrafashion.com/l | RegNtPreCreateKey |
| HKCU\software\apcr\1214104697::549857331 | | RegNtPreCreateKey |
| HKCU\software\apcr::u1_0 | (binary data) | RegNtPreCreateKey |
| HKCU\software\apcr::u2_0 | (binary data) | RegNtPreCreateKey |
| HKCU\software\apcr::u3_0 | (binary data) | RegNtPreCreateKey |
| HKCU\software\apcr::u4_0 | | RegNtPreCreateKey |
Cells marked "(binary data)" held non-printable values that were rendered as mis-encoded characters in the source.
Windows API Usage
This section lists Windows API calls that are used by the samples in this family. Windows API usage analysis is a valuable tool that can help identify malicious activity, such as keylogging, security privilege escalation, data encryption, data exfiltration, interference with antivirus software, and network request manipulation.
| Category | API |
|---|---|
| Process Manipulation Evasion | |
| Process Shell Execute | |
| Service Control | |
| Other Suspicious | |
| Anti Debug | |
| User Data Access | |
| Syscall Use | |
| Network Winhttp | |
| Encryption Used | |
| Process Terminate | |
The individual API names were collapsed in the source and are not reproduced here; 17 additional items are not displayed above.
Shell Command Execution
This section lists Windows shell commands that are run by the samples in this family. Windows Shell commands are often leveraged by malware for nefarious purposes and can be used to elevate security privileges, download and launch other malware, exploit vulnerabilities, collect and exfiltrate data, and hide malicious activity.
- `"C:\WINDOWS\svchost.exe" "c:\users\user\downloads\03015a8e6fcf13639d465c4d5aa6d3bbd51da171_0001073120"`
- `"c:\users\user\downloads\03015a8e6fcf13639d465c4d5aa6d3bbd51da171_0001073120"`
- `"C:\WINDOWS\svchost.exe" "c:\users\user\downloads\49a7ad7ec6db1a307c18f73735a4500c95af24f0_0000373784"`
- `"c:\users\user\downloads\49a7ad7ec6db1a307c18f73735a4500c95af24f0_0000373784"`
- `"C:\WINDOWS\svchost.exe" "c:\users\user\downloads\19d5d521d405c03b2e79fb2126ad897984c9dbbd_0000376712"`
- `"c:\users\user\downloads\19d5d521d405c03b2e79fb2126ad897984c9dbbd_0000376712"`
- `"C:\WINDOWS\svchost.exe" "c:\users\user\downloads\c04f3c925210716d20da8f848f75cf76f745d55b_0000370656"`
- `"c:\users\user\downloads\c04f3c925210716d20da8f848f75cf76f745d55b_0000370656"`
- `"C:\WINDOWS\svchost.exe" "c:\users\user\downloads\dc9d8a01b68064527bc57fcbcb5148c5e46f61cb_0002632824"`
- `"c:\users\user\downloads\dc9d8a01b68064527bc57fcbcb5148c5e46f61cb_0002632824"`
- `"C:\WINDOWS\svchost.exe" "c:\users\user\downloads\86acfbce0354c72aef7bdb41b3dd5226ba1e5e97_0000405288"`
- `"c:\users\user\downloads\86acfbce0354c72aef7bdb41b3dd5226ba1e5e97_0000405288"`
- `"C:\WINDOWS\svchost.exe" "c:\users\user\downloads\b6b805f10f58444748ab8af210b48751008fe9af_0000628584"`
- `"c:\users\user\downloads\b6b805f10f58444748ab8af210b48751008fe9af_0000628584"`
- `"C:\WINDOWS\svchost.exe" "c:\users\user\downloads\f3ef22810172d67be5ff4dc367d454e2484cda42_0000730096"`
- `"c:\users\user\downloads\f3ef22810172d67be5ff4dc367d454e2484cda42_0000730096"`
- `"C:\WINDOWS\svchost.exe" "c:\users\user\downloads\55cd76ad12c2e40145520349adb96a2625418d7a_0003620856"`
- `"c:\users\user\downloads\55cd76ad12c2e40145520349adb96a2625418d7a_0003620856"`
- `"C:\WINDOWS\svchost.exe" "c:\users\user\downloads\28084b546f364b3f23c77bd7f5e3d542663a4375_0000665880"`
- `"c:\users\user\downloads\28084b546f364b3f23c77bd7f5e3d542663a4375_0000665880"`
- `"C:\WINDOWS\svchost.exe" "c:\users\user\downloads\67e8987cffa47467cd2b48e57f1d7a4a874d9ec4_0000979968"`
- `"c:\users\user\downloads\67e8987cffa47467cd2b48e57f1d7a4a874d9ec4_0000979968"`
- `"C:\WINDOWS\svchost.exe" "c:\users\user\downloads\8528bf12e71f085195aadda4208e3f02870c6aca_0001967384"`
- `"c:\users\user\downloads\8528bf12e71f085195aadda4208e3f02870c6aca_0001967384"`
- `"C:\Users\Ttpiluew\AppData\Local\Temp\is-LSN1O.tmp\8528bf12e71f085195aadda4208e3f02870c6aca_0001967384.tmp" /SL5="$30328,262144,0,c:\users\user\downloads\8528bf12e71f085195aadda4208e3f02870c6aca_0001967384"`
- `"C:\WINDOWS\svchost.exe" "c:\users\user\downloads\22a00272bac5c65782e376dc5d428aa4274e9706_0000345224"`
- `"c:\users\user\downloads\22a00272bac5c65782e376dc5d428aa4274e9706_0000345224"`
- `"C:\WINDOWS\svchost.exe" "c:\users\user\downloads\f49229bd1d599013e61323105ea48e9c47bc7c8f_0000396448"`
- `"c:\users\user\downloads\f49229bd1d599013e61323105ea48e9c47bc7c8f_0000396448"`
- `"C:\WINDOWS\svchost.exe" "c:\users\user\downloads\253ea2cc5ec4484f67dc45b017fb098bf1cb8004_0000569856"`
- `"c:\users\user\downloads\253ea2cc5ec4484f67dc45b017fb098bf1cb8004_0000569856"`
- `"C:\WINDOWS\svchost.exe" "c:\users\user\downloads\dda63014ec48b6d4d3d2d88247bbb8cb1c70bbed_0000531328"`
- `"c:\users\user\downloads\dda63014ec48b6d4d3d2d88247bbb8cb1c70bbed_0000531328"`
- `"C:\WINDOWS\svchost.exe" "c:\users\user\downloads\50d3f8771d3f355f6889a7594a313ac16add30ce_0001562856"`
- `"c:\users\user\downloads\50d3f8771d3f355f6889a7594a313ac16add30ce_0001562856"`
- `"C:\WINDOWS\svchost.exe" "c:\users\user\downloads\cfeac955c044dda62d54bb82474570605e834332_0000426648"`
- `"c:\users\user\downloads\cfeac955c044dda62d54bb82474570605e834332_0000426648"`
- `"C:\WINDOWS\svchost.exe" "c:\users\user\downloads\c5dd297455f3a45fd6a279e497a5615b7fe9db2e_0000627200"`
- `"c:\users\user\downloads\c5dd297455f3a45fd6a279e497a5615b7fe9db2e_0000627200"`
- `open C:\Users\Nltarkdz\AppData\Local\Temp\3582-490\c5dd297455f3a45fd6a279e497a5615b7fe9db2e_0000627200`
- `"C:\WINDOWS\svchost.exe" "c:\users\user\downloads\851141b715d0cc6213a9fb5d83cc23033d671372_0002294488"`
- `"c:\users\user\downloads\851141b715d0cc6213a9fb5d83cc23033d671372_0002294488"`
- `"C:\WINDOWS\svchost.exe" "c:\users\user\downloads\98de93ff0ffacf376faf572f9deb16282e3993fb_0000339376"`
- `"c:\users\user\downloads\98de93ff0ffacf376faf572f9deb16282e3993fb_0000339376"`
- `C:\Windows\Microsoft.NET\Framework64\v2.0.50727\\dw20.exe dw20.exe -x -s 1680`
- `"C:\WINDOWS\svchost.exe" "c:\users\user\downloads\cae8e29bac8196c08d9b92fa533705220425af6e_0000659160"`
- `"c:\users\user\downloads\cae8e29bac8196c08d9b92fa533705220425af6e_0000659160"`
- `"C:\WINDOWS\svchost.exe" "c:\users\user\downloads\1d2026f6219e730ae8631cdbc92f8a9f08466519_0000549784"`
- `"c:\users\user\downloads\1d2026f6219e730ae8631cdbc92f8a9f08466519_0000549784"`
- `"C:\WINDOWS\svchost.exe" "c:\users\user\downloads\316f4d9db064d04aa45cd07b32a9f5831644afe6_0000971512"`
- `"c:\users\user\downloads\316f4d9db064d04aa45cd07b32a9f5831644afe6_0000971512"`
- `"C:\Users\Iharpumz\AppData\Local\Temp\316f4d9db064d04aa45cd07b32a9f5831644afe6_0000971512"`
- `"C:\WINDOWS\svchost.exe" "C:\Users\Iharpumz\AppData\Local\Temp\316f4d9db064d04aa45cd07b32a9f5831644afe6_0000971512"`