PUP.MSIL.Bulz.PN
Analysis Report
General information
| Family Name: | PUP.MSIL.Bulz.PN |
|---|---|
| Signature status: | Modified signature |
Known Samples
This section lists other file samples believed to be associated with this family.
| MD5 | SHA1 | SHA256 | File Size |
|---|---|---|---|
| fd56c072a9bfb4d57914d43ed66a59ca | c3a4cf5e98de26b88b7452c55d6f238f7eccdc3b | | 1.84 MB, 1836768 bytes |
| 21e34ecb232153fc48f7f602e99fd717 | 0e01aa90b20d29e67581e2a52c985f5f4bc59f52 | | 1.84 MB, 1836768 bytes |
| 0d5cee4c0f8bfe055aca2a6644369a41 | 1fbfb7b16ef8cbcbe133c22d62f08b11969bb57e | | 1.84 MB, 1836768 bytes |
| 1649001192703aada73362d81d4817e3 | a1bdee7187884bef0e7902f21c569bdf60f93b77 | | 1.84 MB, 1836768 bytes |
| 4e2c219a7cc081afcc3171d8b8c89ec8 | 9d89e75a914174395fc5ebf9a459c01fef36a013 | 32AAD97E8FC819304847A023B025616B9F96A6BDF12EB95B1CD4CC6E7972B4C1 | 1.84 MB, 1836768 bytes |
| 4e08e7bc76c75351f980f652a0a17379 | 73303eb89be5c219fb60a8cdbe2941da96b510ca | A819C3F468E64609D7A65CBC52859E1959FF5421EF80EA57E2864CB568831EAB | 1.84 MB, 1836768 bytes |
| b59cca4f5460820ecace686f1610e15a | ada88267699c6d291fc3d00d38ace80e5375abc9 | AB699F9C49A3011D23A28ECB9FE76296E0C1C8979982334F4A8B0F65AC50B28A | 1.84 MB, 1836768 bytes |
| ad875d5fb8938662e09c50f28a7dfe80 | c243eb07d177fdbca79888cdcc53753e22c178f4 | 9ADF478819BAD884AFFC15219187FF9F744D275AC75384E16BD774E9A0E2AFDD | 1.84 MB, 1836768 bytes |
| 75440ed2ef1685068f3177aa4bd1def2 | 6cbca2162821054a473cca69a327c05ff7f18ba0 | 4246868987A0501F20B0A7BCEE5B4EB7D675C599C906CC73888977AB2BF32E48 | 1.84 MB, 1836768 bytes |
| 90c09fc1143c9765298aae88285ebebe | 4761eb99589d393d2ac50f334ffa5f5398797956 | C9C8FB88550BC84331F26EC6473F00A0B9628862F430AAFD3E3E8313C53D8A91 | 1.84 MB, 1836768 bytes |
| 2648de7e670bc1116b0e3e686ef7be84 | 7b87518623dd296ee21000585d56494a43488f2d | 900B9F87AA5B84DB74CDF18926D7B9E63FDC8F087BEE26015B5FDCC321DAEB54 | 1.84 MB, 1836768 bytes |
| 10a78bcbb3bef90d542f3ec9558af219 | 0a80f9604bcfe2ee2cef3758536acd7fdb02d9e0 | EEE36B513BDFC4FF9E18B6FC923C53B9E4FF47394F9786503C265FE3B745CF33 | 1.84 MB, 1836768 bytes |
| 8472b2f567187d013a7d8f76413682fd | a0d422381d223a7cf16b6398f037a68e9c158961 | 6AB491293E635DC8A979152943DD3761A3347B18D771A2C8435000B930BDAA52 | 1.84 MB, 1836768 bytes |
| 48014093509b5e9151bf2878999fefc1 | e9f9d18ed2b2a039677ba0f1959b5e1c1d0718a7 | FE094929BCCA9C1AA18732AD5723BAA84D986A1B3362E0757B33A5919FA3980F | 1.84 MB, 1836768 bytes |
| 5a3de6b8c26fff3c317a68885963276e | cce112585ca9603856113b934e1cbedb98c34cf0 | 21628CFBFE7BE9DF55F0B6DE8A7D5394CA29B3A6411032B78645B3C4A979D6D1 | 1.84 MB, 1836768 bytes |
| 8d7e692d56557a5f613ad0cd092e5f39 | 915ebbed46971a158634d2e671ee457f23b03004 | 689EE2042DD06AF1F88DF869254336CEE87CDF9917681FB77260F575551E0F06 | 1.84 MB, 1836768 bytes |
| 58c4bf7bcd038ac2cbec5abe8c3af507 | fa3c36d1d9b7c8f59d4a41237f5067ebf984526d | 8663153AE594978EBD0CBDD4DFEA9BA593846097D1ACFB6A76FC17B8C59EDB27 | 1.84 MB, 1836768 bytes |
| 578b467d4df2ca0584916956dd3f8c7d | 35cd72e1802ffdfa6d5f2237f61a68730347e2a4 | 17A459D6B8BEC17A0615091F6087E690BB61B1EB6797B76F6D3E64A1F617D3AE | 1.84 MB, 1836768 bytes |
| 618601c6d466fdbcc4c78c760ae88d02 | 33df4f9c0265fe527e8567d50bb9cdb95804d9ac | 9E7DDE8E2460043D91F88F9CE27D470D42C426472FEED6B3DBF2ACDC1E4E1311 | 1.84 MB, 1836768 bytes |
| d8e511c40080168b1503f2ccea6a285b | 3c54824f9625541086e9097eeb806ea136cfe3e1 | 07F7147702A68169EB94161D5644D036CBADECD492C53ED994083F18CED0B1A3 | 1.84 MB, 1836768 bytes |
| 123962f14dabe85415ce7864ccc97216 | 690275fee295e95e758bd42a173a16e304e72885 | 355DEF3616D2C7AFC863CCCA1FDA74C051CC3B30CF0F94DD3DADF86F5A621AA7 | 1.84 MB, 1836768 bytes |
| 3ee117696f0caa90ccd8c2e0700a3923 | b9ef600752825cc7f84dc21ee1a933579fb6cf34 | BE022471070057A65A3D37B2BDE964705C2A20DF7D6C9D720F33B4208AC02C0D | 1.84 MB, 1836768 bytes |
| 2eb41bbc2edf15a3b05320fa987ae4de | 81a7d2852b7312ad02572834bdbaa0f6c224b520 | B3D0AC0943C8024E4752225271055590AEE769FA10F27F5FCB93CE7D8E0A1F6D | 1.84 MB, 1836768 bytes |
| 61196915b8fd6c76d3223e6db00a86f1 | 8b36ef906b57808b2c3684912ce0e37c74896e99 | 045BBC62A27D208C4A72EB2EA72FCA00A13785C6F43B6693F80091D8D08F6682 | 1.84 MB, 1836768 bytes |
| 07c963de98bac66ff04326b86fad4f00 | 744ccc359aa53e224aa1de934cddf4d0fd0b25b1 | D41E4CF3B83DD0BC6297B88DAEB3052A6F524CE879AEFF4030E165FE529F3B5A | 1.84 MB, 1836768 bytes |
| c76a0c150adba2b84c58efe9b062f4b8 | be92b0a6254c53dfd98c47edc34f29c591624c8d | 6DF2CC2BC557637E1547DE698B0F8DD336E38FC06909E13DFE78AA97E04F83AD | 1.84 MB, 1836768 bytes |
Windows Portable Executable Attributes
- File doesn't have "Rich" header
- File has exports table
- File has TLS information
- File is 32-bit executable
- File is either console or GUI application
- File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
- File is Native application (NOT .NET application)
- File is not packed
- IMAGE_FILE_DLL is not set inside PE header (Executable)
- IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)
File Icons
This section displays icon resources found within family samples. Malware often replicates icons commonly associated with legitimate software to mislead users into believing the malware is safe.
Windows PE Version Information
This section displays values and attributes that have been set in the Windows file version information data structure for samples within this family. To mislead users, malware actors often add fake version information mimicking legitimate software.
| Name | Value |
|---|---|
| Company Name | |
| File Description | |
| File Version | |
| Internal Name | |
| Legal Copyright | |
| Original Filename | |
| Product Name | |
| Product Version | |
File Traits
- Installer Version
- x86
Block Information
During analysis, EnigmaSoft breaks file samples into logical blocks for classification and comparison with other samples. Blocks can be used to generate malware detection rules and to group file samples into families based on shared source code, functionality and other distinguishing attributes and characteristics. This section lists a summary of this block data, as well as its classification by EnigmaSoft. A visual representation of the block data is also displayed, where available.
| Total Blocks: | 3,926 |
|---|---|
| Potentially Malicious Blocks: | 362 |
| Whitelisted Blocks: | 3,453 |
| Unknown Blocks: | 111 |
Visual Map
(Block map image not reproduced; the per-block data was truncated in the source.)
Legend:
- 0 - Probable Safe Block
- ? - Unknown Block
- x - Potentially Malicious Block
Similar Families
This section lists other families that share similarities with this family, based on EnigmaSoft's analysis. Many malware families are created from the same malware toolkits and use the same packing and encryption techniques but uniquely extend functionality. Similar families may also share source code, attributes, icons, subcomponents, compromised and/or invalid digital signatures, and network characteristics. Researchers leverage these similarities to rapidly and effectively triage file samples and extend malware detection rules.
- MSIL.Bulz.PN
Files Modified
This section lists files that were created, modified, moved and/or deleted by samples in this family. File system activity can provide valuable insight into how malware functions on the operating system.
| File | Attributes |
|---|---|
| c:\programdata\yandex\yandex.disk.2\{3fe0ef39-1462-4094-9a42-43b4ee3c383b}\yandexdisk30setup_x64.exe | Generic Write,Read Attributes |
| c:\users\user\appdata\local\yandex\yandex.disk.2\events_setup.dat | Generic Write,Read Attributes |
| c:\users\user\appdata\local\yandex\yandex.disk.2\events_setup.dat.lock | Generic Write,Read Attributes |
| c:\users\user\appdata\local\yandex\yandex.disk.2\yandexdisksetup.log | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\roaming\yandex\ui | Generic Write,Read Attributes |
| c:\users\user\appdata\roaming\yandex\ui_yd2 | Generic Write,Read Attributes |
Registry Modifications
This section lists registry keys and values that were created, modified and/or deleted by samples in this family. Windows Registry activity can provide valuable insight into malware functionality. Additionally, malware often creates registry values to allow itself to automatically start and indefinitely persist after an initial infection has compromised the system.
| Key::Value | Data | API Name |
|---|---|---|
| HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75 | RegNtPreCreateKey | |
| HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75 | RegNtPreCreateKey | |
| HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75 | RegNtPreCreateKey | |
| HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75 | RegNtPreCreateKey | |
| HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75 | RegNtPreCreateKey | |
| HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75 | RegNtPreCreateKey | |
| HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75 | RegNtPreCreateKey | |
| HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75 | RegNtPreCreateKey | |
| HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75 | RegNtPreCreateKey | |
| HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75 | RegNtPreCreateKey | |
| HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75 | RegNtPreCreateKey | |
Windows API Usage
This section lists Windows API calls that are used by the samples in this family. Windows API usage analysis is a valuable tool that can help identify malicious activity, such as keylogging, security privilege escalation, data encryption, data exfiltration, interference with antivirus software, and network request manipulation.
| Category | API |
|---|---|
| Anti Debug | |
| User Data Access | |
| Network Winhttp | |
| Encryption Used | |