Trojan.Downloader.Gen.HG
Analysis Report
General information
| Family Name: | Trojan.Downloader.Gen.HG |
|---|---|
| Signature status: | Hash Mismatch |
Known Samples
This section lists file samples believed to be associated with this family. Hash values are hexadecimal and case-insensitive; this page prints MD5 and SHA1 in lower case and SHA256 in upper case, so normalize case before matching them against other sources.

| MD5 | SHA1 | SHA256 | File Size |
|---|---|---|---|
| 799261f351ad5509ea5c697dbfd8d7a0 | 2e2dcf5d0bce72e43c79661305f8123c3e3f21c9 | 878BEF133F8E872FDE2F30115BA790A1E25C7058579C208604B7701F6F78FB55 | 1.98 MB (1977928 bytes) |
| c3c5a6c6c2cd76f378c16b4c9c309d1b | af3172cdbc0b470bb2b63be2da1c613bfd607c23 | 0060EBB74C668FC14787D716E79AFB4E87882ECCA27D8DA3B4A90B3ABF888E1C | 1.08 MB (1075712 bytes) |
| d7874429991b974063abbaeb474ca3f5 | e24caf8365b08cab863d20a9963f1bfe3a2e5ae0 | 389A65491900049E9AD1FD0658264ED3B83E7DBE7674660D85F12FEAD5616251 | 1.04 MB (1037544 bytes) |
| 6a27f2cb3554c4c98464e671dda71827 | b1c6976d8869ce600b35e804faf51b848c405c82 | 5E1D117056AF8B79F5ADB765C15A8AEBED36895F9ECF0F04B9059DB99C6057B0 | 661.59 KB (661592 bytes) |
| b5b947b8cef21c4256ce15f8484f66fb | 98126b243ddf240d40e0bca74ff4b017d7418e61 | 64C7D3F74BDD4A5FF6DE7A4F42796AFF48B6F682E4B1B221F91DB08971DB35B1 | 189.43 KB (189432 bytes) |
| bb9ebfe6045577d35ec0d592ec8e262f | 68dad1709f2319299c4fcc058c297819582fdcdf | 86CE0BAD00A31C8B7B64E8CB07CA8A49BBA4FC02D339E04EB3BA61A85EC6BF53 | 192.62 KB (192616 bytes) |
| 48ec998d8ed44d2807df651445f871fc | 1ffebf66f07d99a9cda2f4a7e4135e60ded8728b | DA3CC2D6E4B94029433BD49F261D1ED32080917BE962883F41B32CF8D20D4EB4 | 1.24 MB (1240576 bytes) |
| f5fe68622107c0004b50606acec98126 | 5620b07ce4f7adfbdd9fd0467bb08f3a7aa5f8a7 | 6DD5CBE269B14AAF3278C690A8FC810E447EFF6F1C88FCF00749F35561BD982F | 928.02 KB (928016 bytes) |
| 6d1134a67bdf89dce5e085328343ee31 | df1b65541a8c13a146025d4d922ce01546e11fa4 | 8345FE3149F8C7C410AA62829C366C6E1856183C47909580C813D9A8C3F3B76C | 380.96 KB (380960 bytes) |
Windows Portable Executable Attributes
These attributes are aggregated over the family's samples, so mutually exclusive entries describe different files: one sample cannot be both a console and a GUI application, and a file with no security directory cannot carry the signatures listed under Digital Signatures below. The combination of an exports table and TLS information is worth noting for a downloader: TLS callbacks run before the entry point, so a debugger that only breaks at the entry point misses them.
- File doesn't have "Rich" header
- File doesn't have debug information
- File doesn't have resources
- File doesn't have security information
- File has exports table
- File has TLS information
- File is 64-bit executable
- File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
- File is either console or GUI application
- File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
- File is Native application (NOT .NET application)
- File is not packed
- IMAGE_FILE_DLL is not set inside PE header (Executable)
- IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)
Windows PE Version Information
This section displays values and attributes set in the Windows file version information data structure for samples within this family. To mislead users, malware actors often add fake version information mimicking legitimate software.

| Name | Value |
|---|---|
| Company Name | |
| File Description | |
| File Version | |
| Internal Name | |
| Legal Copyright | |
| License | https://curl.se/docs/copyright.html |
| Original Filename | |
| Product Name | |
| Product Version | |

Only the License field is populated, with the URL of the curl project's copyright page. A version-resource string is attacker-controlled text and proves nothing about provenance on its own; treat it as a hint that a sample bundles or imitates a curl/libcurl build, to be confirmed against the file's actual imports, exports and block classification rather than taken at face value.
Digital Signatures
This section lists digital signatures attached to samples within this family. When verifying a signature, confirm both that its root authority is a well-known, trustworthy entity and that the signature status is good. Malware is often signed with untrustworthy self-signed certificates, which an author can create with no verification, but it may also carry legitimate signatures whose status is invalid, or signatures from questionable root authorities with fake or misleading signer names.

Every signature below has status Hash Mismatch: the embedded signature blob parses and chains to a public root, but the digest it signs does not match the file's own Authenticode digest. That is what a file looks like after it has been modified post-signing, or after a signature block has been copied from a legitimately signed binary. None of these signers vouch for these samples, despite the recognizable names and trusted roots; a signer name is only meaningful when the status is valid.

| Signer | Root | Status |
|---|---|---|
| Tim Kosse | AAA Certificate Services | Hash Mismatch |
| Tenorshare Co., Ltd. | DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1 | Hash Mismatch |
| Wondershare Technology Group Co.,Ltd | DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1 | Hash Mismatch |
| Tenorshare Co., Ltd. | DigiCert Trusted Root G4 | Hash Mismatch |
| Wondershare Technology Group Co.,Ltd | DigiCert Trusted Root G4 | Hash Mismatch |
| Microsoft Corporation | Microsoft Code Signing PCA 2011 | Hash Mismatch |
| Microsoft Windows Software Compatibility Publisher | Microsoft Windows Third Party Component CA 2013 | Hash Mismatch |
| LWKS Software Ltd. | Sectigo Public Code Signing Root R46 | Hash Mismatch |
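The PE attributes above and the Hash Mismatch verdicts in this table can both be reproduced without vendor tooling. The following is an added example written for this page, not EnigmaSoft's code nor any listed signer's software: it reads the header fields behind the attribute bullets (bitness, subsystem, export/TLS/debug/resource/security directories, Rich header, DLL flag) and computes the Authenticode digest the way a verifier does, skipping the CheckSum field, the certificate-table directory entry and the certificate table itself. Because the certificate table is excluded from the digest, stapling a signature block copied from another binary leaves the file's Authenticode digest unchanged while the signed digest inside the blob describes a different file: exactly the Hash Mismatch condition. The `build_sample_pe` helper constructs a minimal PE32+ image with a placeholder certificate table; it is synthetic input, not one of the samples listed, and the assumption that the certificate table follows the last section (where signtool places it) is noted in the code.

```python
"""Added example, not EnigmaSoft's or any vendor's tooling: a standard-library
PE header inspector plus the Authenticode digest computation that a signature
check performs. Offsets follow the PE/COFF and Authenticode specifications."""
import hashlib
import struct

DIR_EXPORT, DIR_RESOURCE, DIR_SECURITY, DIR_DEBUG, DIR_TLS = 0, 2, 4, 6, 9
IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_DLL = 0x0002, 0x2000
SUBSYSTEMS = {2: "IMAGE_SUBSYSTEM_WINDOWS_GUI", 3: "IMAGE_SUBSYSTEM_WINDOWS_CUI"}
MACHINES = {0x14C: "x86", 0x8664: "x64", 0xAA64: "arm64"}

def _headers(data: bytes) -> dict:
    """Locate the COFF header, optional header and data directories."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsect, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    pe32plus = struct.unpack_from("<H", data, opt)[0] == 0x20B
    # CheckSum (+0x40), Subsystem (+0x44), SizeOfHeaders (+0x3C) share offsets in
    # PE32 and PE32+; NumberOfRvaAndSizes and the directory table do not.
    ndirs = struct.unpack_from("<I", data, opt + (0x6C if pe32plus else 0x5C))[0]
    dirs_off = opt + (0x70 if pe32plus else 0x60)
    dirs = [struct.unpack_from("<II", data, dirs_off + 8 * i) for i in range(ndirs)]
    return dict(e_lfanew=e_lfanew, opt=opt, machine=machine, nsect=nsect, chars=chars,
                pe32plus=pe32plus, dirs=dirs, dirs_off=dirs_off, sect_table=opt + opt_size)

def pe_attributes(data: bytes) -> dict:
    """The header facts behind the attribute bullets of a triage report."""
    h = _headers(data)
    present = lambda i: i < len(h["dirs"]) and h["dirs"][i][1] != 0
    subsystem = struct.unpack_from("<H", data, h["opt"] + 0x44)[0]
    return {
        "machine": MACHINES.get(h["machine"], hex(h["machine"])),
        "is_64bit": h["pe32plus"],
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "is_dll": bool(h["chars"] & IMAGE_FILE_DLL),
        "is_executable_image": bool(h["chars"] & IMAGE_FILE_EXECUTABLE_IMAGE),
        "has_exports": present(DIR_EXPORT),
        "has_resources": present(DIR_RESOURCE),
        "has_security_dir": present(DIR_SECURITY),
        "has_debug": present(DIR_DEBUG),
        "has_tls": present(DIR_TLS),
        # The MSVC "Rich" header, when present, sits between the DOS stub and "PE\0\0".
        "has_rich_header": b"Rich" in data[0x40:h["e_lfanew"]],
    }

def authenticode_digest(data: bytes, algo: str = "sha256") -> str:
    """Hash the image as Authenticode does: skip CheckSum and the certificate-table
    directory entry, hash sections in raw-offset order, leave the certificate table
    out. A signed file whose signed digest differs from this is a 'Hash Mismatch'."""
    h = _headers(data)
    md = hashlib.new(algo)
    checksum, cert_entry = h["opt"] + 0x40, h["dirs_off"] + 8 * DIR_SECURITY
    size_of_headers = struct.unpack_from("<I", data, h["opt"] + 0x3C)[0]
    md.update(data[:checksum] + data[checksum + 4:cert_entry] + data[cert_entry + 8:size_of_headers])
    hashed = size_of_headers
    sections = [struct.unpack_from("<IIII", data, h["sect_table"] + 40 * i + 8)
                for i in range(h["nsect"])]
    for _vsize, _va, raw_size, raw_ptr in sorted(sections, key=lambda s: s[3]):
        md.update(data[raw_ptr:raw_ptr + raw_size])
        hashed += raw_size
    cert_off, cert_size = h["dirs"][DIR_SECURITY] if len(h["dirs"]) > DIR_SECURITY else (0, 0)
    # Overlay data after the sections is hashed too, minus the certificate table
    # (assumed, as signtool lays it out, to follow the last section).
    md.update(data[hashed:cert_off] + data[cert_off + cert_size:] if cert_size else data[hashed:])
    return md.hexdigest()

def file_hashes(data: bytes) -> dict:
    """Whole-file digests, lower-case hex (published indicators mix cases)."""
    return {a: hashlib.new(a, data).hexdigest() for a in ("md5", "sha1", "sha256")}

def build_sample_pe(with_cert: bool = True, rich: bool = False, fill: int = 0x90) -> bytes:
    """Constructed minimal PE32+ console image (not a real sample): one .text section,
    export and TLS directories, and optionally a stapled placeholder certificate table."""
    hdr = bytearray(0x200)
    hdr[:2], hdr[0x80:0x84] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", hdr, 0x3C, 0x80)                              # e_lfanew
    if rich:
        hdr[0x60:0x64] = b"Rich"
    struct.pack_into("<HHIIIHH", hdr, 0x84, 0x8664, 1, 0, 0, 0, 240, 0x0022)
    opt = 0x98
    struct.pack_into("<H", hdr, opt, 0x20B)                              # PE32+ magic
    struct.pack_into("<I", hdr, opt + 0x3C, 0x200)                       # SizeOfHeaders
    struct.pack_into("<H", hdr, opt + 0x44, 3)                           # console subsystem
    struct.pack_into("<I", hdr, opt + 0x6C, 16)                          # NumberOfRvaAndSizes
    dirs = opt + 0x70
    struct.pack_into("<II", hdr, dirs + 8 * DIR_EXPORT, 0x1000, 0x40)
    struct.pack_into("<II", hdr, dirs + 8 * DIR_TLS, 0x1100, 0x28)
    struct.pack_into("<8sIIII", hdr, opt + 240, b".text", 0x200, 0x1000, 0x200, 0x200)
    cert = b""
    if with_cert:
        blob = b"constructed-pkcs7-blob\0\0"       # stands in for the real SignedData
        cert = struct.pack("<IHH", 8 + len(blob), 0x0200, 0x0002) + blob
        struct.pack_into("<II", hdr, dirs + 8 * DIR_SECURITY, 0x400, len(cert))
    return bytes(hdr) + bytes([fill]) * 0x200 + cert

if __name__ == "__main__":
    pe = build_sample_pe()
    for name, value in pe_attributes(pe).items():
        print(f"{name:20} {value}")
    print("authenticode sha256 ", authenticode_digest(pe))
    print("file sha256         ", file_hashes(pe)["sha256"])
```

Running the block prints the attribute map for the synthetic image together with its Authenticode and whole-file SHA-256 values; the two differ because only the latter covers the certificate table, and the Authenticode digest is identical for the image with and without the stapled table. On a real sample, the digest to compare against lives in the SpcIndirectDataContent of the embedded PKCS#7 SignedData; on Windows, `Get-AuthenticodeSignature <file>` performs that comparison and reports `Status : HashMismatch` for the condition tabulated above, and `signtool verify /pa <file>` fails the same check.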
File Traits
- 2+ executable sections
- dll
- ntdll
- x64
Block Information
During analysis, EnigmaSoft breaks file samples into logical blocks for classification and comparison with other samples. Blocks can be used to generate malware detection rules and to group file samples into families based on shared source code, functionality and other distinguishing attributes. This section summarizes that block data and its classification by EnigmaSoft; a visual representation is displayed where available.

| Total Blocks: | 1,411 |
|---|---|
| Potentially Malicious Blocks: | 350 |
| Whitelisted Blocks: | 1,058 |
| Unknown Blocks: | 3 |

Roughly three quarters of the blocks (1,058 of 1,411) match known-good code, with 350 classified as potentially malicious: a profile typical of a malicious component embedded alongside legitimate library code rather than a wholly custom binary.
Visual Map
[Block-classification map omitted: one cell per block, in file order, marked 0 (probable safe block), ? (unknown block) or x (potentially malicious block).]
Legend: 0 - Probable Safe Block; ? - Unknown Block; x - Potentially Malicious Block
Similar Families
This section lists other families that share similarities with this family, based on EnigmaSoft's analysis. Many malware families are created from the same malware toolkits and use the same packing and encryption techniques but uniquely extend functionality. Similar families may also share source code, attributes, icons, subcomponents, compromised and/or invalid digital signatures, and network characteristics. Researchers leverage these similarities to rapidly and effectively triage file samples and extend malware detection rules.

- Malex.CB
- PSW.Agent.FGD
- Rugmi.GF
- Rugmi.PGA
- Trojan.Downloader.Gen.AC
- Trojan.Downloader.Gen.CB
- Trojan.Downloader.Gen.HG
- Trojan.Downloader.Gen.JK
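Block Information above and Similar Families here rest on the same idea: split a file into content-defined blocks, hash them, and compare hash sets. The following is an added example, not EnigmaSoft's algorithm (which the page does not describe) and not code from any listed family: a toy content-defined chunker with a polynomial rolling hash, a classifier that counts whitelisted, potentially malicious and unknown blocks against known-good and known-bad hash sets, and a Jaccard similarity between two files. The corpus (a "benign library", a "downloader stub" and an unrelated file) is constructed from SHA-256 output and stands in for real code bytes; the hash parameters and the 64-byte average block size are assumptions chosen to keep the example small.

```python
"""Added example, not EnigmaSoft's block algorithm: content-defined chunking,
chunk-hash classification against known-good and known-bad sets, and a
Jaccard similarity between samples. All inputs below are constructed."""
import hashlib

B, M = 1000003, (1 << 61) - 1   # polynomial rolling-hash base and modulus (assumed)

def chunks(data: bytes, window: int = 16, mask: int = 0x3F) -> list:
    """Cut wherever the rolling hash of the last `window` bytes has every `mask`
    bit set (about one cut per 64 bytes). Boundaries depend only on local content,
    so bytes inserted earlier in the file shift, but do not rewrite, the chunks that
    follow. Production chunkers add min/max sizes; omitted here for clarity."""
    out, start, h, pw = [], 0, 0, pow(B, window, M)
    for i, b in enumerate(data):
        h = (h * B + b) % M
        if i >= window:
            h = (h - data[i - window] * pw) % M       # drop the byte leaving the window
        if i >= window - 1 and (h & mask) == mask:
            out.append(data[start:i + 1])
            start = i + 1
    if start < len(data):
        out.append(data[start:])
    return out

def block_hashes(data: bytes) -> list:
    return [hashlib.sha256(c).hexdigest() for c in chunks(data)]

def classify(data: bytes, whitelisted: set, malicious: set) -> dict:
    """Per-block verdicts: the counts a block-information table reports."""
    counts = {"total": 0, "whitelisted": 0, "potentially_malicious": 0, "unknown": 0}
    for h in block_hashes(data):
        counts["total"] += 1
        if h in whitelisted:
            counts["whitelisted"] += 1
        elif h in malicious:
            counts["potentially_malicious"] += 1
        else:
            counts["unknown"] += 1
    return counts

def similarity(a: bytes, b: bytes) -> float:
    """Jaccard similarity of block-hash sets, the basis for 'similar families'."""
    sa, sb = set(block_hashes(a)), set(block_hashes(b))
    return len(sa & sb) / len(sa | sb) if sa or sb else 0.0

def pseudo_random(label: bytes, size: int) -> bytes:
    """Deterministic filler standing in for real code bytes (constructed input)."""
    out = bytearray()
    for n in range(size // 32 + 1):
        out += hashlib.sha256(label + n.to_bytes(4, "little")).digest()
    return bytes(out[:size])

# Constructed corpus: a 'benign library' (think of the curl build the version
# resource points at), a downloader stub, and an unrelated file.
LIBRARY = pseudo_random(b"benign-library", 8192)
LOADER = pseudo_random(b"downloader-stub", 2048)
UNRELATED = pseudo_random(b"unrelated", 8192)
SAMPLE = LIBRARY + LOADER
WHITELIST = set(block_hashes(LIBRARY))
MALICIOUS = set(block_hashes(LOADER))

if __name__ == "__main__":
    print(classify(SAMPLE, WHITELIST, MALICIOUS))
    print("similarity to library:  ", round(similarity(SAMPLE, LIBRARY), 2))
    print("similarity to unrelated:", round(similarity(SAMPLE, UNRELATED), 2))
```

The point to take from running it: because block boundaries depend only on local content, the library's blocks are still recognized when a loader is prepended or appended, which is why a sample that bundles legitimate code shows a high whitelisted count, and why families built on the same stub score as similar even when the benign code around the stub differs.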
Windows API Usage
This section lists Windows API calls used by the samples in this family. Windows API usage analysis can help identify malicious activity such as keylogging, privilege escalation, data encryption, data exfiltration, interference with antivirus software, and network request manipulation.

| Category | API |
|---|---|
| Syscall Use | |

Only the Syscall Use category is recorded for this family; no individual API names are listed. Direct syscall use is itself a signal worth noting, since it lets code reach the kernel without going through the user-mode API wrappers that hooking-based monitors inspect.