Trojan.Ulise.CA
Threat Scorecard
EnigmaSoft Threat Scorecard
EnigmaSoft Threat Scorecards are assessment reports for different malware threats which have been collected and analyzed by our research team. EnigmaSoft Threat Scorecards evaluate and rank threats using several metrics including real-world and potential risk factors, trends, frequency, prevalence, and persistence. EnigmaSoft Threat Scorecards are updated regularly based on our research data and metrics and are useful for a wide range of computer users, from end users seeking solutions to remove malware from their systems to security experts analyzing threats.
EnigmaSoft Threat Scorecards display a variety of useful information, including:
Popularity Rank: The ranking of a particular threat in EnigmaSoft’s Threat Database.
Severity Level: The determined severity level of an object, represented numerically, based on our risk modeling process and research, as explained in our Threat Assessment Criteria.
Infected Computers: The number of confirmed and suspected cases of a particular threat detected on infected computers as reported by SpyHunter.
See also Threat Assessment Criteria.
| Popularity Rank: | 901 |
|---|---|
| Threat Level: | 80 % (High) |
| Infected Computers: | 1,994 |
| First Seen: | March 4, 2022 |
| Last Seen: | April 13, 2026 |
| OS(es) Affected: | Windows |
Analysis Report
General information
| Family Name: | Trojan.Ulise.CA |
|---|---|
| Signature status: | No Signature |
Known Samples
This section lists other file samples believed to be associated with this family.
Windows Portable Executable Attributes
- File doesn't have "Rich" header
- File doesn't have debug information
- File doesn't have exports table
- File doesn't have relocations information
- File doesn't have security information
- File has exports table
- File has TLS information
- File is 32-bit executable
- File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
- File is either console or GUI application
- File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
- File is Native application (NOT .NET application)
- File is not packed
- IMAGE_FILE_DLL is not set inside PE header (Executable)
- IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)
File Icons
This section displays icon resources found within family samples. Malware often replicates icons commonly associated with legitimate software to mislead users into believing the malware is safe.
Windows PE Version Information
This section displays values and attributes that have been set in the Windows file version information data structure for samples within this family. To mislead users, malware actors often add fake version information mimicking legitimate software.

| Name | Value |
|---|---|
| Assembly Version | |
| Comments | |
| Company Name | |
| File Description | |
| File Version | |
| Internal Name | |
| Legal Copyright | |
| Legal Trademarks | |
| Original Filename | |
| Product Name | |
| Product Version | |
Digital Signatures
This section lists digital signatures that are attached to samples within this family. When analyzing and verifying digital signatures, it is important to confirm that the signature’s root authority is a well-known and trustworthy entity and that the status of the signature is good. Malware is often signed with non-trustworthy “Self Signed” digital signatures (which can be easily created by a malware author with no verification). Malware may also be signed by legitimate signatures that have an invalid status, and by signatures from questionable root authorities with fake or misleading “Signer” names.

| Signer | Root | Status |
|---|---|---|
| EVGA Corp. | DigiCert EV Code Signing CA (SHA2) | Self Signed |
File Traits
- 2+ executable sections
- Default Version Info
- dll
- Enigma
- HighEntropy
- No Version Info
- ntdll
- WriteProcessMemory
- x86
- Zprotect
Block Information
During analysis, EnigmaSoft breaks file samples into logical blocks for classification and comparison with other samples. Blocks can be used to generate malware detection rules and to group file samples into families based on shared source code, functionality and other distinguishing attributes and characteristics. This section lists a summary of this block data, as well as its classification by EnigmaSoft. A visual representation of the block data is also displayed, where available.

| Total Blocks: | 1,280 |
|---|---|
| Potentially Malicious Blocks: | 181 |
| Whitelisted Blocks: | 1,084 |
| Unknown Blocks: | 15 |
Similar Families
This section lists other families that share similarities with this family, based on EnigmaSoft’s analysis. Many malware families are created from the same malware toolkits and use the same packing and encryption techniques but uniquely extend functionality. Similar families may also share source code, attributes, icons, subcomponents, compromised and/or invalid digital signatures, and network characteristics. Researchers leverage these similarities to rapidly and effectively triage file samples and extend malware detection rules.

- Gamehack.AAD
- Kryptik.RAR
- Kryptik.RAU
Files Modified
This section lists files that were created, modified, moved and/or deleted by samples in this family. File system activity can provide valuable insight into how malware functions on the operating system.

| File | Attributes |
|---|---|
| c:\users\user\appdata\local\temp\nsl963b.tmp\modern-wizard.bmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsl963b.tmp\modern-wizard.bmp | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\nsl963b.tmp\nsdialogs.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsl963b.tmp\system.dll | Generic Write,Read Attributes |
Windows API Usage
This section lists Windows API calls that are used by the samples in this family. Windows API usage analysis is a valuable tool that can help identify malicious activity, such as keylogging, security privilege escalation, data encryption, data exfiltration, interference with antivirus software, and network request manipulation.

| Category | API |
|---|---|
| Other Suspicious | |
| Anti Debug | |
| User Data Access | |
| Syscall Use | |
| Process Manipulation Evasion | |
| Process Shell Execute | |
Shell Command Execution
This section lists Windows shell commands that are run by the samples in this family. Windows Shell commands are often leveraged by malware for nefarious purposes and can be used to elevate security privileges, download and launch other malware, exploit vulnerabilities, collect and exfiltrate data, and hide malicious activity.
C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\9d69624f7158d61fa69176f15f24f2272e150529_0000250880.,LiQMAxHB