Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

2Dhg4Ngjrv.exe

PE32+ executable (GUI) x86-64, for MS Windows

initial sample

Details

Filetype:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy:	6.061123988631966
Filename:	2Dhg4Ngjrv.exe
Filesize:	2481152
MD5:	b93d29868056c5d30ef7e86723881967
SHA1:	622ddfe987c378a944873f488ec7d55b538c3d41
SHA256:	f3e67d4aaf127901c941d470cc8afa3c85e9106aa482ff07c8d7d0580cb087bd
SHA512:	40d137a65fc6b99cbf1f434ba96007954ecbdeca31e2fd25fb09ae7db3fddce3000a4ae5cd7b77449f46131d0f2e1454e6c24a5d9ec93ab069433076132a4074
SSDEEP:	24576:VYNyMBJYC0kGy0RHcbnruBh3C/YPsql16IWOOM9WqTa17o2br7BHLSZ:V+rLp0aWHYavoQsi1xWPMXa5/37B
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........y5.[.[.[.[.[.[..`X.V.[..`^...[.R`..Y.[..d_.I.[..d^.<.[..dX.W.[..`_.L.[..`Z.F.[.[.Z...[.[.[.].[..e^...[..eY.Z.[.Rich[.[........

Signature Hits	Behavior Group	Mitre Attack
Contains functionality for read data from the clipboard	Key, Mouse, Clipboard, Microphone and Screen Capturing
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)	Anti Debugging
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Contains functionality to modify clipboard data	Key, Mouse, Clipboard, Microphone and Screen Capturing	Clipboard Data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)	Remote Access Functionality
Contains functionality to query locales information (e.g. system language)	Language, Device and Operating System Detection
Contains functionality to read the clipboard data	Key, Mouse, Clipboard, Microphone and Screen Capturing
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging	Security Software Discovery
Detected potential crypto function	System Summary	Archive Collected Data Encrypted Channel
Found large amount of non-executed APIs	Malware Analysis System Evasion
Found potential string decryption / allocating functions	System Summary	Deobfuscate/Decode Files or Information Obfuscated Files or Information
PE file contains sections with non-standard names	Data Obfuscation
Potential time zone aware malware	Malware Analysis System Evasion
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
Contains functionality to download additional files from the internet	Networking	Ingress Tool Transfer
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion	File and Directory Discovery
Contains functionality to instantiate COM classes	System Summary
Contains functionality to query local / system time	Language, Device and Operating System Detection	System Time Discovery System Information Discovery
Contains functionality to query time zone information	Language, Device and Operating System Detection
Contains functionality to query windows version	Language, Device and Operating System Detection
Contains functionality to register its own exception handler	Anti Debugging
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
PE file has an executable .text section and no other executable section	System Summary
Reads software policies	System Summary
Sample might require command line arguments	System Summary	Security Software Discovery
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file has a big raw section	System Summary
PE file has a big code size	System Summary
PE file has a high image base, often used for DLLs	System Summary
Submission file is bigger than most known malware samples	System Summary

\Device\Null

ASCII text, with CRLF line terminators

dropped

Details

File:	\Device\Null
Category:	dropped
Dump:	Null.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\2Dhg4Ngjrv.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.160973988182377
Encrypted:	false
Ssdeep:	6:ha3cmaYD1n/3bL8mWpV3Ly0Oa39V5nkk5KpRye:hO71PvQ5LWQSpRV
Size:	257
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\2Dhg4Ngjrv.exe

"C:\Users\user\Desktop\2Dhg4Ngjrv.exe"

Details

Is windows:	true
Is dropped:	false
PID:	6688
Target ID:	0
Parent PID:	4004
Name:	2Dhg4Ngjrv.exe
Path:	C:\Users\user\Desktop\2Dhg4Ngjrv.exe
Commandline:	"C:\Users\user\Desktop\2Dhg4Ngjrv.exe"
Size:	2481152
MD5:	B93D29868056C5D30EF7E86723881967
Time:	16:52:24
Date:	23/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff61fa00000
Modulesize:	2514944
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
PE file contains sections with non-standard names	Data Obfuscation
PE file has an executable .text section and no other executable section	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
URLs found in memory or binary data	Networking
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file has a big raw section	System Summary
PE file has a big code size	System Summary
PE file has a high image base, often used for DLLs	System Summary
Submission file is bigger than most known malware samples	System Summary

URLs

Name

Malicious

https://neutralino.js.org

unknown

https://neutralino.js.orgbad

unknown

Memdumps

Base Address

Regiontype

Protect

Malicious

24BCA9C3000

heap

page read and write

24BC76D7000

heap

page read and write

24BC7650000

heap

page read and write

24BC76D8000

heap

page read and write

7FF61FA01000

unkown

page execute read

7FF61FC3A000

unkown

page readonly

24BC9080000

heap

page read and write

24BC76F4000

heap

page read and write

24BC908B000

heap

page read and write

7FF61FA01000

unkown

page execute read

24BC76DE000

heap

page read and write

24BC76C6000

heap

page read and write

24BC76EB000

heap

page read and write

24BC76E8000

heap

page read and write

7523DF9000

stack

page read and write

24BC9085000

heap

page read and write

24BC76CB000

heap

page read and write

24BC9090000

heap

page read and write

24BC76C7000

heap

page read and write

7FF61FC3A000

unkown

page readonly

24BC76CD000

heap

page read and write

24BC76E2000

heap

page read and write

24BC76AC000

heap

page read and write

24BC7711000

heap

page read and write

24BC7710000

heap

page read and write

24BC7620000

heap

page read and write

24BC76F9000

heap

page read and write

75240FE000

stack

page read and write

24BC76E2000

heap

page read and write

24BC7610000

heap

page read and write

7FF61FC35000

unkown

page read and write

24BC76A0000

heap

page read and write

7FF61FA00000

unkown

page readonly

75244FF000

stack

page read and write

7FF61FBD1000

unkown

page readonly

7FF61FC29000

unkown

page read and write

24BC76DE000

heap

page read and write

24BC9120000

heap

page read and write

24BC76CC000

heap

page read and write

24BC76EB000

heap

page read and write

24BCC1C0000

trusted library allocation

page read and write

75241FE000

stack

page read and write

24BCA9C0000

heap

page read and write

24BC76EB000

heap

page read and write

24BC76E2000

heap

page read and write

24BC76DE000

heap

page read and write

24BC76EB000

heap

page read and write

24BC76E2000

heap

page read and write

7FF61FA00000

unkown

page readonly

7FF61FBD1000

unkown

page readonly

7FF61FC2B000

unkown

page write copy

75242FA000

stack

page read and write

24BC76EB000

heap

page read and write

24BC76DE000

heap

page read and write

24BC76EC000

heap

page read and write

24BC76CA000

heap

page read and write

7FF61FC29000

unkown

page write copy

24BC76DF000

heap

page read and write

75243FF000

stack

page read and write

24BC9050000

heap

page read and write

There are 50 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
2Dhg4Ngjrv

Files

Processes

URLs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report2Dhg4Ngjrv

Files

Processes

URLs

Memdumps

IOC Report
2Dhg4Ngjrv