Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

JHGFDFG.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	4.828586347753447
Filename:	JHGFDFG.exe
Filesize:	343552
MD5:	c53a3df894a8a6460f1fbffa80b5a8f7
SHA1:	3237b7ef9e4772cf3d0bba4353c601e03a02e830
SHA256:	2549a53e3dfb35c7c62a864a4cb7443861301caa458f4653e43ac6ff6ae153c2
SHA512:	b2682e0e5854f745359dcad21f3d903e7a0d204d544271fcd4300c97d99b9ace9d93adac3285a70ab3c5896228955804b9f4bade702c5d4058736ab132b2cab1
SSDEEP:	6144:/fDuSxhHV/AG4tZTjABMgcn5/lX82O3Fu5JARlWnz:/ruqh1/AG4jTjvgc5dX82O1u5J2lWnz
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....`............"...0..*..........rI... ...`....@.. ....................................`................................

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection	Process Injection
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion
Machine Learning detection for sample	AV Detection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Binary contains a suspicious time stamp	Data Obfuscation	Process Injection Timestomp
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Yara signature match	System Summary	Process Injection
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Process Injection Disable or Modify Tools
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	Process Injection
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
PE file contains a debug data directory	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\JHGFDFG.exe.log

CSV text

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\JHGFDFG.exe.log
Category:	dropped
Dump:	JHGFDFG.exe.log.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\JHGFDFG.exe
Type:	CSV text
Entropy:	5.360398796477698
Encrypted:	false
Ssdeep:	6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTv:Q3La/KDLI4MWuPTAv
Size:	226
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\JHGFDFG.exe

"C:\Users\user\Desktop\JHGFDFG.exe"

Details

Is windows:	false
Is dropped:	false
PID:	5512
Target ID:	0
Parent PID:	1028
Name:	JHGFDFG.exe
Path:	C:\Users\user\Desktop\JHGFDFG.exe
Commandline:	"C:\Users\user\Desktop\JHGFDFG.exe"
Size:	343552
MD5:	C53A3DF894A8A6460F1FBFFA80B5A8F7
Time:	00:31:56
Date:	16/01/2025
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x830000
Modulesize:	368640
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected MassLogger RAT	Stealing of Sensitive Information, Remote Access Functionality
Yara detected Telegram RAT	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

Details

Is windows:	true
Is dropped:	false
PID:	4480
Target ID:	1
Parent PID:	5512
Name:	RegAsm.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Size:	65440
MD5:	0D5DF43AF2916F47D00C1573797C1A13
Time:	00:31:56
Date:	16/01/2025
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xf00000
Modulesize:	73728
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected MassLogger RAT	Stealing of Sensitive Information, Remote Access Functionality
Yara detected Telegram RAT	Stealing of Sensitive Information, Remote Access Functionality
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Yara detected Credential Stealer	Stealing of Sensitive Information
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://checkip.dyndns.org/

193.122.6.168

https://reallyfreegeoip.org/xml/8.46.123.189

104.21.48.1

https://reallyfreegeoip.org/xml/8.46.123.189l

unknown

http://checkip.dyndns.comd

unknown

http://checkip.dyndns.org/q

unknown

http://reallyfreegeoip.orgd

unknown

https://reallyfreegeoip.org/xml/8.46.123.189d

unknown

http://reallyfreegeoip.org

unknown

http://checkip.dyndns.orgd

unknown

https://reallyfreegeoip.org

unknown

http://checkip.dyndns.org

unknown

http://checkip.dyndns.com

unknown

http://checkip.dyndns.org/d

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

https://api.telegram.org/bot-/sendDocument?chat_id=

unknown

https://reallyfreegeoip.org/xml/

unknown

There are 6 hidden URLs, click here to show them.

Domains

Name

Malicious

reallyfreegeoip.org

104.21.48.1

Details

Name:	reallyfreegeoip.org
IP:	104.21.48.1
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Tries to detect the country of the analysis system (by using the IP)	Location Tracking
HTTP GET or POST without a user agent	Networking
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Uses insecure TLS / SSL version for HTTPS connection	Compliance, Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

checkip.dyndns.com

193.122.6.168

checkip.dyndns.org

unknown

Details

Name:	checkip.dyndns.org
TargetID:	-1
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

104.21.48.1

reallyfreegeoip.org

United States

Details

IP:	104.21.48.1
TargetID:	1
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	reallyfreegeoip.org

Signature Hits	Behavior Group	Mitre Attack
Uses insecure TLS / SSL version for HTTPS connection	Compliance, Networking

193.122.6.168

checkip.dyndns.com

United States

Details

IP:	193.122.6.168
TargetID:	1
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Country:	United States
Countrycode:	USA
ASN number:	31898
ASN name:	ORACLE-BMC-31898US
Private:	false
Domain:	checkip.dyndns.com

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts with low severity for network traffic	Networking

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegAsm_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegAsm_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegAsm_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegAsm_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegAsm_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegAsm_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegAsm_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegAsm_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegAsm_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegAsm_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegAsm_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegAsm_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegAsm_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegAsm_RASMANCS

FileDirectory

There are 5 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

3BF5000

trusted library allocation

page read and write

402000

remote allocation

page execute and read and write

3411000

trusted library allocation

page read and write

9EE000

stack

page read and write

F7D000

trusted library allocation

page execute and read and write

3456000

trusted library allocation

page read and write

5E50000

trusted library allocation

page execute and read and write

5E10000

trusted library allocation

page execute and read and write

6AC0000

heap

page read and write

6810000

trusted library allocation

page read and write

15D0000

heap

page read and write

2BEE000

stack

page read and write

5E0E000

stack

page read and write

662C000

heap

page read and write

F4E000

stack

page read and write

3396000

trusted library allocation

page read and write

5E20000

trusted library allocation

page read and write

FE0000

heap

page read and write

1025000

heap

page read and write

33D9000

trusted library allocation

page read and write

1535000

trusted library allocation

page execute and read and write

5890000

trusted library allocation

page read and write

57AD000

stack

page read and write

183E000

trusted library allocation

page read and write

33AE000

trusted library allocation

page read and write

15B0000

trusted library allocation

page execute and read and write

1664000

heap

page read and write

4369000

trusted library allocation

page read and write

6A60000

heap

page read and write

340C000

trusted library allocation

page read and write

339E000

trusted library allocation

page read and write

184E000

trusted library allocation

page read and write

F84000

trusted library allocation

page read and write

F60000

trusted library allocation

page read and write

2990000

trusted library allocation

page read and write

332E000

stack

page read and write

183B000

trusted library allocation

page read and write

3331000

trusted library allocation

page read and write

15AE000

stack

page read and write

1522000

trusted library allocation

page read and write

1870000

trusted library allocation

page read and write

FAB000

trusted library allocation

page execute and read and write

344F000

trusted library allocation

page read and write

5870000

trusted library allocation

page read and write

5DCE000

stack

page read and write

185D000

trusted library allocation

page read and write

1537000

trusted library allocation

page execute and read and write

400000

remote allocation

page execute and read and write

660E000

stack

page read and write

2980000

trusted library allocation

page execute and read and write

FC0000

heap

page read and write

163B000

heap

page read and write

589B000

trusted library allocation

page read and write

189C000

trusted library allocation

page read and write

1851000

trusted library allocation

page read and write

1836000

trusted library allocation

page read and write

12F7000

stack

page read and write

6820000

trusted library allocation

page read and write

16C2000

heap

page read and write

980000

heap

page read and write

5E40000

trusted library allocation

page execute and read and write

18B0000

heap

page read and write

5880000

heap

page execute and read and write

5E3A000

trusted library allocation

page read and write

6610000

heap

page read and write

9A0000

heap

page read and write

2AE0000

heap

page read and write

57EE000

stack

page read and write

58A3000

heap

page read and write

F74000

trusted library allocation

page read and write

E45000

heap

page read and write

832000

unkown

page readonly

15C0000

trusted library allocation

page read and write

1014000

heap

page read and write

1862000

trusted library allocation

page read and write

5B8E000

stack

page read and write

1510000

trusted library allocation

page read and write

153B000

trusted library allocation

page execute and read and write

3449000

trusted library allocation

page read and write

1310000

heap

page read and write

1022000

heap

page read and write

582E000

stack

page read and write

542E000

stack

page read and write

342A000

trusted library allocation

page read and write

1530000

trusted library allocation

page read and write

F73000

trusted library allocation

page execute and read and write

58A0000

heap

page read and write

CF9000

stack

page read and write

3433000

trusted library allocation

page read and write

29A0000

heap

page execute and read and write

6950000

heap

page read and write

33EA000

trusted library allocation

page read and write

344B000

trusted library allocation

page read and write

14A0000

heap

page read and write

5E36000

trusted library allocation

page read and write

F80000

trusted library allocation

page read and write

1620000

trusted library allocation

page read and write

33CD000

trusted library allocation

page read and write

5C8E000

stack

page read and write

1560000

heap

page read and write

2ACD000

stack

page read and write

FE8000

heap

page read and write

13F0000

heap

page read and write

33E6000

trusted library allocation

page read and write

150D000

trusted library allocation

page execute and read and write

876000

unkown

page readonly

152A000

trusted library allocation

page execute and read and write

43A1000

trusted library allocation

page read and write

3393000

trusted library allocation

page read and write

3486000

trusted library allocation

page read and write

3420000

trusted library allocation

page read and write

5060000

heap

page execute and read and write

1526000

trusted library allocation

page execute and read and write

14D0000

heap

page read and write

16BE000

heap

page read and write

3443000

trusted library allocation

page read and write

1504000

trusted library allocation

page read and write

1890000

trusted library allocation

page read and write

680E000

stack

page read and write

91C000

stack

page read and write

339B000

trusted library allocation

page read and write

1503000

trusted library allocation

page execute and read and write

33EE000

trusted library allocation

page read and write

33B0000

trusted library allocation

page read and write

11DE000

stack

page read and write

FA9000

stack

page read and write

E10000

heap

page read and write

342F000

trusted library allocation

page read and write

3220000

heap

page execute and read and write

1899000

trusted library allocation

page read and write

990000

heap

page read and write

1550000

trusted library allocation

page read and write

E40000

heap

page read and write

5D8F000

stack

page read and write

1500000

trusted library allocation

page read and write

2BF1000

trusted library allocation

page read and write

4331000

trusted library allocation

page read and write

435D000

trusted library allocation

page read and write

29EE000

stack

page read and write

1856000

trusted library allocation

page read and write

6840000

trusted library allocation

page read and write

3BF1000

trusted library allocation

page read and write

161E000

stack

page read and write

1532000

trusted library allocation

page read and write

14D5000

heap

page read and write

FEE000

heap

page read and write

4CED000

stack

page read and write

151D000

trusted library allocation

page execute and read and write

14F0000

trusted library allocation

page read and write

1520000

trusted library allocation

page read and write

3417000

trusted library allocation

page read and write

FA7000

trusted library allocation

page execute and read and write

6652000

heap

page read and write

4354000

trusted library allocation

page read and write

5E34000

trusted library allocation

page read and write

1007000

heap

page read and write

830000

unkown

page readonly

184A000

trusted library allocation

page read and write

1830000

trusted library allocation

page read and write

100B000

heap

page read and write

E0E000

stack

page read and write

6830000

trusted library allocation

page execute and read and write

1630000

heap

page read and write

1677000

heap

page read and write

There are 154 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
JHGFDFG.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportJHGFDFG.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
JHGFDFG.exe