
Trojan.ShellcodeRunner.G

By CagedTech in Trojans

Analysis Report

General information

Family Name: Trojan.ShellcodeRunner.G
Signature status: No Signature

Known Samples

Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File doesn't have relocations information
  • File doesn't have resources
  • File doesn't have security information
  • File has been packed
  • File has exports table
  • File has TLS information
  • File is 64-bit executable
  • File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Traits

  • big overlay
  • dll
  • fptable
  • HighEntropy
  • No Version Info
  • ntdll
  • packed
  • VirtualQueryEx
  • WriteProcessMemory
  • x64

Block Information

Total Blocks: 402
Potentially Malicious Blocks: 47
Whitelisted Blocks: 294
Unknown Blocks: 61

Visual Map

[Per-block classification map omitted; each analysed block was marked with one of the legend symbols below.]
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Similar Families

  • Agent.PS
  • Agent.XSDA
  • Agent.XSKA
  • Downloader.FSB
  • Gamehack.LCV
  • KillWin.H
  • KillWin.I
  • Kryptik.GSF
  • Trojan.Agent.Gen.AKZ
  • Trojan.Kryptik.Gen.CVL
  • Trojan.Kryptik.Gen.JB

Files Modified

File Attributes
\device\namedpipe\dav rpc service Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\memesense\fonts\esp-icons.ttf Generic Write,Read Attributes
c:\memesense\fonts\gui-icons.ttf Generic Write,Read Attributes
c:\memesense\fonts\pixel7.ttf Generic Write,Read Attributes
c:\memesense\fonts\verdana.ttf Generic Write,Read Attributes
c:\memesense\images\avatar.jpg Generic Write,Read Attributes
c:\memesense\localizations\cs2-english.bin Generic Write,Read Attributes
c:\memesense\localizations\cs2-schinese.bin Generic Write,Read Attributes
c:\users\user\appdata\local\microsoft\windows\explorer\iconcache_16.db Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\microsoft\windows\explorer\iconcache_256.db Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\microsoft\windows\explorer\iconcache_idx.db Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\microsoft\windows\usrclass.dat{dba6b5ef-640a-11ed-9bcb-f677369d361c}.txr.0.regtrans-ms Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\microsoft\windows\usrclass.dat{dba6b5ef-640a-11ed-9bcb-f677369d361c}.txr.1.regtrans-ms Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\microsoft\windows\usrclass.dat{dba6b5ef-640a-11ed-9bcb-f677369d361c}.txr.2.regtrans-ms Generic Read,Write Data,Write Attributes,Write extended,Append data

Registry Modifications

Key::Value Data API Name
HKCU\local settings\software\microsoft\windows\shell\bagmru::nodeslots  RegNtPreCreateKey
HKCU\local settings\software\microsoft\windows\shell\bagmru::mrulistex ￿￿ RegNtPreCreateKey
HKCU\local settings\software\microsoft\windows\shell\bagmru\2\1::mrulistex ￿￿ RegNtPreCreateKey
HKCU\local settings\software\microsoft\windows\shell\bagmru::nodeslots  RegNtPreCreateKey
HKCU\local settings\software\microsoft\windows\shell\bagmru::mrulistex ￿￿ RegNtPreCreateKey
HKCU\local settings\software\microsoft\windows\shell\bagmru::nodeslots  RegNtPreCreateKey
HKCU\local settings\software\microsoft\windows\shell\bagmru::mrulistex ￿￿ RegNtPreCreateKey
HKCU\local settings\software\microsoft\windows\shell\bagmru\2\1\0::1 Z1摁穨桤杮B 뻯.Adhzdhng RegNtPreCreateKey
HKCU\local settings\software\microsoft\windows\shell\bagmru\2\1\0::mrulistex ￿￿ RegNtPreCreateKey
HKCU\local settings\software\microsoft\windows\shell\bagmru\2\1\0\1::0 \1坛㰨佄啃䕍ㅾD 뻯啫嬯夸匹.❞ 샒documents RegNtPreCreateKey
HKCU\local settings\software\microsoft\windows\shell\bagmru\2\1\0\1::mrulistex ￿￿ RegNtPreCreateKey
HKCU\local settings\software\microsoft\windows\shell\bagmru::nodeslots ȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂ RegNtPreCreateKey
HKCU\local settings\software\microsoft\windows\shell\bagmru\2\1\0\1\0::nodeslot „ RegNtPreCreateKey
HKCU\local settings\software\microsoft\windows\shell\bagmru\2\1\0\1\0::mrulistex ￿￿ RegNtPreCreateKey
HKCU\local settings\software\microsoft\windows\shell\bags\132\shell::sniffedfoldertype Documents RegNtPreCreateKey
HKCU\local settings\software\microsoft\windows\shell\bagmru::nodeslots ȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂ RegNtPreCreateKey
HKCU\local settings\software\microsoft\windows\shell\bagmru::mrulistex ￿￿ RegNtPreCreateKey
HKCU\local settings\software\microsoft\windows\shell\bagmru::nodeslots ȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂ RegNtPreCreateKey
HKCU\local settings\software\microsoft\windows\shell\bagmru::mrulistex ￿￿ RegNtPreCreateKey
HKCU\local settings\software\microsoft\windows\shell\bagmru::nodeslots ȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂ RegNtPreCreateKey
HKCU\local settings\software\microsoft\windows\shell\bagmru::mrulistex ￿￿ RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\explorer\mountpoints2\##10.200.31.10#amas::_labelfromdesktopini RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe 㭢積娠ǜ RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe RegNtPreCreateKey

Windows API Usage

Category API
Syscall Use
  • ntdll.dll!NtAccessCheck
  • ntdll.dll!NtAccessCheckByType
  • ntdll.dll!NtAddAtomEx
  • ntdll.dll!NtAlertThreadByThreadId
  • ntdll.dll!NtAllocateUuids
  • ntdll.dll!NtAlpcAcceptConnectPort
  • ntdll.dll!NtAlpcConnectPort
  • ntdll.dll!NtAlpcConnectPortEx
  • ntdll.dll!NtAlpcCreatePort
  • ntdll.dll!NtAlpcCreatePortSection
  • ntdll.dll!NtAlpcCreateSectionView
  • ntdll.dll!NtAlpcCreateSecurityContext
  • ntdll.dll!NtAlpcDeleteSecurityContext
  • ntdll.dll!NtAlpcQueryInformation
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtAlpcSetInformation
  • ntdll.dll!NtApphelpCacheControl
  • ntdll.dll!NtAssociateWaitCompletionPacket
  • ntdll.dll!NtCancelWaitCompletionPacket
  • ntdll.dll!NtClearEvent
  • ntdll.dll!NtClose
  • ntdll.dll!NtConnectPort
  • ntdll.dll!NtCreateEvent
  • ntdll.dll!NtCreateFile
  • ntdll.dll!NtCreateIoCompletion
  • ntdll.dll!NtCreateKey
  • ntdll.dll!NtCreateMutant
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtCreateSemaphore
  • ntdll.dll!NtCreateThreadEx
  • ntdll.dll!NtCreateTimer
  • ntdll.dll!NtCreateTimer2
  • ntdll.dll!NtCreateWaitCompletionPacket
  • ntdll.dll!NtCreateWorkerFactory
  • ntdll.dll!NtDelayExecution
  • ntdll.dll!NtDeleteValueKey
  • ntdll.dll!NtDeviceIoControlFile
  • ntdll.dll!NtDuplicateObject
  • ntdll.dll!NtDuplicateToken
  • ntdll.dll!NtEnumerateKey
  • ntdll.dll!NtEnumerateValueKey
  • ntdll.dll!NtFindAtom
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtFsControlFile
  • ntdll.dll!NtGetNlsSectionPtr
  • ntdll.dll!NtImpersonateAnonymousToken
  • ntdll.dll!NtLockFile
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtNotifyChangeDirectoryFileEx
  • ntdll.dll!NtNotifyChangeKey
  • ntdll.dll!NtOpenDirectoryObject
  • ntdll.dll!NtOpenEvent
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenKeyEx
  • ntdll.dll!NtOpenMutant
  • ntdll.dll!NtOpenProcess
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtOpenProcessTokenEx
  • ntdll.dll!NtOpenSection
  • ntdll.dll!NtOpenSemaphore
  • ntdll.dll!NtOpenSymbolicLinkObject
  • ntdll.dll!NtOpenThread
  • ntdll.dll!NtOpenThreadToken
  • ntdll.dll!NtOpenThreadTokenEx
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryDebugFilterState
  • ntdll.dll!NtQueryDirectoryFile
  • ntdll.dll!NtQueryDirectoryFileEx
  • ntdll.dll!NtQueryEvent
  • ntdll.dll!NtQueryFullAttributesFile
  • ntdll.dll!NtQueryInformationFile
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQueryKey
  • ntdll.dll!NtQueryLicenseValue
  • ntdll.dll!NtQueryObject
  • ntdll.dll!NtQueryPerformanceCounter
  • ntdll.dll!NtQuerySecurityAttributesToken
  • ntdll.dll!NtQuerySecurityObject
  • ntdll.dll!NtQuerySymbolicLinkObject
  • ntdll.dll!NtQuerySystemInformation
  • ntdll.dll!NtQuerySystemInformationEx
  • ntdll.dll!NtQueryTimerResolution
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtQueryWnfStateData
  • ntdll.dll!NtQueryWnfStateNameInformation
  • ntdll.dll!NtReadFile
  • ntdll.dll!NtReadRequestData
  • ntdll.dll!NtReadVirtualMemory
  • ntdll.dll!NtReleaseMutant
  • ntdll.dll!NtReleaseSemaphore
  • ntdll.dll!NtReleaseWorkerFactoryWorker
  • ntdll.dll!NtRequestWaitReplyPort
  • ntdll.dll!NtResumeThread
  • ntdll.dll!NtSetEvent

216 additional items are not displayed above.

Process Manipulation Evasion
  • NtUnmapViewOfSection
Other Suspicious
  • AdjustTokenPrivileges
