Trojan.PShell.B

By CagedTech in Trojans

Threat Scorecard

Popularity Rank: 10,169
Threat Level: 80 % (High)
Infected Computers: 939
First Seen: April 27, 2021
Last Seen: April 21, 2026
OS(es) Affected: Windows

Analysis Report

General information

Family Name: Trojan.PShell.B
Signature status: No Signature

Known Samples

MD5: baa7e6e46d494de4a33c66dc8c9ce783
SHA1: fd268d52680785ce821825a635ee1f22cec9c97d
SHA256: D54B605A79C76760BACBB7CA5687D1C5CB139F5B1FC8C7B1244589C01EE248A0
File Size: 125.95 KB, 125952 bytes
MD5: efa1aef234159a52e73e7eeb48236194
SHA1: 55558a2b6911121dbea5e9a199d3225cb5e61829
SHA256: F6EFD3A1A7D8524B9BB614FD5506CB57F3328B0243997B5130DF00D996C85F7E
File Size: 163.33 KB, 163328 bytes
MD5: 83eba46f99454caea582e1fb44d204d9
SHA1: de931e29edcf21aacb1663ac83c742d9a4ecee78
SHA256: 57FBA527C7B54ED1EE16DCBB7E4513D1F50E57BB9C469E40EF57AF6C0214F501
File Size: 375.81 KB, 375808 bytes
MD5: ecf15cb8abcd092c35790a33dfee5d43
SHA1: 191c4692f38a1a7496db6ea5f86b551c4c2abfdb
SHA256: B2D469CC6F7AAF7B6F76054E96E65150BA5C9B75DDE4E52677765F765DACD106
File Size: 174.59 KB, 174592 bytes
MD5: da860981c3c753ccd2b950e743b2e858
SHA1: 5fa7a7df262ca7e3c08c7481e45ee18492bf0c94
SHA256: 582C715EDDC34CD904BBCBD1A75E9702FD8BB8F43C8A5DBA6F35BCC5B093FF89
File Size: 548.35 KB, 548352 bytes

Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File doesn't have relocations information
  • File doesn't have security information
  • File is 64-bit executable
  • File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

Windows PE Version Information

Name Value
Company Name
  • Alfonso Ferrara
  • Anss Studio Pvt Ltd
  • EGB Informática
  • operational-services
File Description
  • 2023 Dongle
  • By Eliomar Bertolot
  • Installa i driver automaticamente
  • Software-Compliance
File Version
  • 2023,20,0,1
  • 1,3,0,1
  • 1,0,0,0
Internal Name
  • 10X Pro V3 _X
  • Autodriver
Legal Copyright
  • Anss Studio
  • Eliomar Gonçalves Bertolot
Product Name
  • 10X Pro V3 _X
  • Autodriver
  • Cancel printing x64
  • SC-Modify
Product Version
  • 10.32.0.8750
  • 1.3.0.1
  • 1.0.0.0

File Traits

  • 2+ executable sections
  • HighEntropy
  • Installer Version
  • No Version Info
  • x64

Block Information

Total Blocks: 348
Potentially Malicious Blocks: 15
Whitelisted Blocks: 331
Unknown Blocks: 2

Visual Map

? 0 0 0 0 x x x x 0 x 0 x 0 x 0 0 x 0 x 0 x 0 0 0 x 0 ? x x x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Similar Families

  • Agent.OCD
  • Bitcoinminer.B
  • Cryptobit.E
  • Gamehack.BQ
  • PShell.A
  • PShell.B
  • Trojan.Kryptik.Gen.DNO

Files Modified

File Attributes
\device\namedpipe Generic Read,Write Attributes
\device\namedpipe Generic Write,Read Attributes
c:\3a46.tmp\3a56.bat Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\bb27.tmp\bb28.bat Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\bf72.tmp\bf73.ps1 Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\bf72.tmp\include\? Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\bf72.tmp\include\? Generic Write,Read Attributes
c:\bf72.tmp\include\lgpo.exe Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\bf72.tmp\include\newrule.txt Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\bf72.tmp\include\sc.ico Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\d18c.tmp\d18d.bat Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\d94c.tmp\d94d.bat Generic Read,Write Data,Write Attributes,Write extended,Append data

Registry Modifications

Key::Value Data API Name
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe ᯐꆟ䕞ǜ RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe 쪊엿冈ǜ RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe 迸옄冈ǜ RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475 RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe 恆ǜ RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe 섑恆ǜ RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475 RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe 〱눈ǜ RegNtPreCreateKey

Windows API Usage

Category API
Syscall Use
  • ntdll.dll!NtAccessCheck
  • ntdll.dll!NtAccessCheckByType
  • ntdll.dll!NtAddAtomEx
  • ntdll.dll!NtAlertThreadByThreadId
  • ntdll.dll!NtAlpcAcceptConnectPort
  • ntdll.dll!NtAlpcConnectPort
  • ntdll.dll!NtAlpcConnectPortEx
  • ntdll.dll!NtAlpcCreatePort
  • ntdll.dll!NtAlpcCreatePortSection
  • ntdll.dll!NtAlpcCreateSectionView
  • ntdll.dll!NtAlpcCreateSecurityContext
  • ntdll.dll!NtAlpcDeleteSecurityContext
  • ntdll.dll!NtAlpcQueryInformation
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtAlpcSetInformation
  • ntdll.dll!NtApphelpCacheControl
  • ntdll.dll!NtAssociateWaitCompletionPacket
  • ntdll.dll!NtCancelIoFileEx
  • ntdll.dll!NtCancelWaitCompletionPacket
  • ntdll.dll!NtClearEvent
  • ntdll.dll!NtClose
  • ntdll.dll!NtConnectPort
  • ntdll.dll!NtCreateEvent
  • ntdll.dll!NtCreateFile
  • ntdll.dll!NtCreateIoCompletion
  • ntdll.dll!NtCreateKey
  • ntdll.dll!NtCreateMutant
  • ntdll.dll!NtCreateNamedPipeFile
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtCreateSemaphore
  • ntdll.dll!NtCreateThreadEx
  • ntdll.dll!NtCreateTimer
  • ntdll.dll!NtCreateTimer2
  • ntdll.dll!NtCreateUserProcess
  • ntdll.dll!NtCreateWaitCompletionPacket
  • ntdll.dll!NtCreateWorkerFactory
  • ntdll.dll!NtDeviceIoControlFile
  • ntdll.dll!NtDuplicateObject
  • ntdll.dll!NtDuplicateToken
  • ntdll.dll!NtEnumerateKey
  • ntdll.dll!NtEnumerateValueKey
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtFsControlFile
  • ntdll.dll!NtImpersonateAnonymousToken
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtNotifyChangeKey
  • ntdll.dll!NtOpenDirectoryObject
  • ntdll.dll!NtOpenEvent
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenKeyEx
  • ntdll.dll!NtOpenProcess
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtOpenProcessTokenEx
  • ntdll.dll!NtOpenSection
  • ntdll.dll!NtOpenSemaphore
  • ntdll.dll!NtOpenSymbolicLinkObject
  • ntdll.dll!NtOpenThread
  • ntdll.dll!NtOpenThreadToken
  • ntdll.dll!NtOpenThreadTokenEx
  • ntdll.dll!NtPowerInformation
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryDirectoryFileEx
  • ntdll.dll!NtQueryEvent
  • ntdll.dll!NtQueryFullAttributesFile
  • ntdll.dll!NtQueryInformationFile
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQueryKey
  • ntdll.dll!NtQueryLicenseValue
  • ntdll.dll!NtQueryObject
  • ntdll.dll!NtQueryPerformanceCounter
  • ntdll.dll!NtQuerySecurityAttributesToken
  • ntdll.dll!NtQuerySecurityObject
  • ntdll.dll!NtQuerySymbolicLinkObject
  • ntdll.dll!NtQuerySystemInformation
  • ntdll.dll!NtQuerySystemInformationEx
  • ntdll.dll!NtQueryTimerResolution
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtQueryWnfStateData
  • ntdll.dll!NtReadFile
  • ntdll.dll!NtReadRequestData
  • ntdll.dll!NtReadVirtualMemory
  • ntdll.dll!NtReleaseMutant
  • ntdll.dll!NtReleaseSemaphore
  • ntdll.dll!NtReleaseWorkerFactoryWorker
  • ntdll.dll!NtRequestWaitReplyPort
  • ntdll.dll!NtResumeThread
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationFile
  • ntdll.dll!NtSetInformationKey
  • ntdll.dll!NtSetInformationObject
  • ntdll.dll!NtSetInformationProcess
  • ntdll.dll!NtSetInformationThread
  • ntdll.dll!NtSetInformationVirtualMemory
  • ntdll.dll!NtSetInformationWorkerFactory

21 additional items are not displayed above.

Process Shell Execute
  • CreateProcess
  • ShellExecuteEx
  • WriteConsole
Anti Debug
  • IsDebuggerPresent
User Data Access
  • GetUserObjectInformation
Process Terminate
  • TerminateProcess
Process Manipulation Evasion
  • NtUnmapViewOfSection

Shell Command Execution

"C:\WINDOWS\system32\cmd" /c "\D18C.tmp\D18D.bat c:\users\user\downloads\fd268d52680785ce821825a635ee1f22cec9c97d_0000125952"
C:\WINDOWS\system32\mode.com mode con: cols=100 lines=8
C:\WINDOWS\System32\Wbem\WMIC.exe wmic csproduct get name
open C:\WINDOWS\system32\cmd /c "\3A46.tmp\3A56.bat c:\users\user\downloads\55558a2b6911121dbea5e9a199d3225cb5e61829_0000163328"
WriteConsole: The system canno
open C:\WINDOWS\system32\cmd /c "\D94C.tmp\D94D.bat c:\users\user\downloads\de931e29edcf21aacb1663ac83c742d9a4ecee78_0000375808"
WriteConsole:
WriteConsole: c:\users\user\do
WriteConsole: "C:\Program File
"C:\WINDOWS\system32\cmd" /c "\BB27.tmp\BB28.bat c:\users\user\downloads\191c4692f38a1a7496db6ea5f86b551c4c2abfdb_0000174592"
C:\WINDOWS\system32\net.exe net stop spooler
C:\WINDOWS\system32\net.exe net start spooler
"powershell" -NoProfile -ExecutionPolicy Bypass -File \BF72.tmp\BF73.ps1