Multi-License Discount Quote

Change Region

English
Threat Database Trojans Trojan.MSIL.Agent.OGI

Trojan.MSIL.Agent.OGI

By CagedTech in Trojans

Analysis Report

General information

Family Name: Trojan.MSIL.Agent.OGI
Signature status: No Signature

Known Samples

MD5: ab4f430dde4094a31b0ce1e32303784b
SHA1: f25e37d4dc934de178d373d81c4688ae18de148c
SHA256: 46505503A377AA9B3C1AE730AA77F1AE90F7D78967CD546ADC4B3721FF867A8D
File Size: 1.72 MB, 1715104 bytes
MD5: 3f62385887eb9a8b2645b553891dc278
SHA1: 4aa5083190cc732694638cc443073824ffdb2739
SHA256: 4A238BF470277F1947E9E5383740D925148326F3CB85B6E41CB3587FCD665AA5
File Size: 552.96 KB, 552960 bytes
MD5: 9fb5d3c89c85a1ae3f485c3c2cb7872b
SHA1: cd1915b0339840a387b335743284e36bc32cbcf8
SHA256: 002C89F54D7E9D03B795EBCB59F84F2643F9F09D6B2985BE9F40022746687F8D
File Size: 491.01 KB, 491008 bytes

Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File doesn't have security information
  • File is .NET application
  • File is 32-bit executable
  • File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is not packed
Show More
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Icons

Windows PE Version Information

Name Value
Assembly Version
  • 23.8.20555.0
  • 1.7.3.0
  • 1.0.0.0
Comments
  • Adobe Acrobat
  • NAudio .NET Audio Library
Company Name
  • Adobe Systems Incorporated
  • Mark Heath
File Description
  • Adobe Acrobat
  • MIC
  • NAudio
File Version
  • 23.8.20555.0
  • 1.7.3.0
  • 1.0.0.0
Internal Name
  • Microphone.dll
  • NAudio.dll
  • Pnvsqw.exe
Legal Copyright
  • Copyright 1984-2023 Adobe Systems Incorporated and its licensors. All rights reserved.
  • Copyright © 2022
  • © 2001-2014 Mark Heath
Original Filename
  • Microphone.dll
  • NAudio.dll
  • Pnvsqw.exe
Product Name
  • Adobe Acrobat
  • MIC
  • NAudio
Product Version
  • 23.8.20555.0
  • 1.7.3.0
  • 1.0.0.0

Digital Signatures

Signer Root Status
Adobe Inc. DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1 Hash Mismatch

File Traits

  • .NET
  • dll
  • HighEntropy
  • RijndaelManaged
  • x86

Block Information

Total Blocks: 1,482
Potentially Malicious Blocks: 292
Whitelisted Blocks: 1,152
Unknown Blocks: 38

Visual Map

0 0 0 0 0 0 0 0 x 0 0 x 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 ? 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x ? 0 0 0 0 0 0 0 0 0 0 0 0 0 ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 ? 0 0 ? 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? ? 0 0 0 0 0 x x 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 x x 0 0 0 0 0 x 0 0 0 0 0 0 0 x x x 0 x x x 0 0 ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 ? x 0 0 0 0 0 0 0 x 0 x x x 0 0 0 0 0 0 0 0 0 0 ? ? 0 ? x x ? x x 0 0 x x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x x 0 0 0 0 0 0 x 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 x x 0 0 0 0 x x x 0 0 x x x x 0 x x ? ? 0 0 0 0 0 0 0 0 0 0 x x 0 0 0 0 0 0 0 ? 0 x 0 ? x 0 x x x x x x 0 0 0 x 0 0 0 x 0 x 0 ? x 0 0 0 x 0 0 x x x 0 0 0 0 0 0 x 0 0 0 0 0 x 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 x x 0 0 0 0 x x 0 x x 0 0 x 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 x x x 0 0 0 x x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x x x 0 0 0 0 0 0 0 0 0 0 0 0 x 0 x 0 0 0 0 x x 0 0 0 x 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 x x x x 0 x 0 x 0 x 0 0 0 0 0 0 ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 x 0 x 0 0 0 0 0 0 0 0 0 0 0 x x 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 x x 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x x 0 0 0 0 0 0 x x x 0 x x x x x x x x x x x x 0 0 0 0 0 0 0 x 0 x x 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 x 0 x 0 0 0 x 0 0 0 0 0 x 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x x x 0 0 0 0 0 0 0 0 x 0 0 0 0 0 x 0 x 0 0 x 0 0 x 0 0 x 0 0 x 0 0 x 0 0 x 0 0 x 0 0 x x 0 0 x 0 0 x 0 0 0 0 0 0 0 x 0 0 0 0 x 0 0 0 0 x 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x x 0 0 0 0 0 0 0 x 0 0 0 0 x 0 x x 0 x 0 0 0 0 0 0 x 0 0 0 0 0 0 x 0 0 0 0 x 0 0 0 x x 0 0 0 0 x 0 0 0 ? 0 0 0 0 x 0 ? ? 0 0 ? 0 0 0 0 0 0 0 0 0 ? 0 x x x x x x 0 0 x x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 x 0 0 0 x 0 0 0 0 ? x x 0 0 0 0 0 0 0 x ? x x x 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 x x x x 0 ? 0 x 0 ? x 0 0 x x ? x ? x x x x 0 0 0 ? 0 0 x 0 0 0 0 x 0 0 0 0 0 x 0 0 0 0 0 0 0 x x 0 x x 0 0 0 0 0 0 0 0 x 0 x x 0 0 0 0 x 0 x 0 0 0 0 0 0 x 0 x x x 0 0 x 0 0 x 0 0 0 x 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 x 0 0 0 x x 0 0 0 0 0 x 0 x 0 x 0 0 0 x 0 0 0 x 0 0 x x 0 0 0 0 x ? 0 0 0 0 0 0 0 0 x x x x 0 0 0 ? ? x x 0 ? x 0 x 0 0 0 0 0 0 0 ? x x 0 x 0 x x x 0 0 0 0 0 0 0 0 x x 0 0 x 0 0 0 0 0 0 0 0 0 0 0 x x x 0 0 0 x x x 0 x 0 0 0 0 x x x 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 x x 0 0 0 0 0 0 0 0 0 0 x x x x x x 0 0 x x x x x 0 0 x 0 0 x x 0 x 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? 0 0 x 0 0 0 0 0 x 0 0 x 0 0 x 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Similar Families

  • MSIL.Agent.FFB
  • MSIL.Agent.FFH
  • MSIL.Agent.KS

Files Modified

File Attributes
\device\namedpipe\pshost.134058523663223018.4364.defaultappdomain.powershell Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
c:\users\user\appdata\local\temp\__psscriptpolicytest_fhoxsrom.evw.psm1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_pyqyyc1d.044.ps1 Generic Write,Read Attributes

Registry Modifications

Key::Value Data API Name
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe ꡿娕䖄ǜ RegNtPreCreateKey

Windows API Usage

Category API
User Data Access
  • GetUserDefaultLocaleName
  • GetUserObjectInformation
Anti Debug
  • IsDebuggerPresent
  • NtQuerySystemInformation
Other Suspicious
  • AdjustTokenPrivileges
Encryption Used
  • BCryptOpenAlgorithmProvider
  • CryptAcquireContext
Process Terminate
  • TerminateProcess
Syscall Use
  • ntdll.dll!NtAccessCheck
  • ntdll.dll!NtAlertThreadByThreadId
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtApphelpCacheControl
  • ntdll.dll!NtClose
  • ntdll.dll!NtConnectPort
  • ntdll.dll!NtCreateEvent
  • ntdll.dll!NtCreateFile
  • ntdll.dll!NtCreateMutant
  • ntdll.dll!NtCreateSection
Show More
  • ntdll.dll!NtCreateSemaphore
  • ntdll.dll!NtDuplicateObject
  • ntdll.dll!NtDuplicateToken
  • ntdll.dll!NtEnumerateValueKey
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenKeyEx
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtOpenProcessTokenEx
  • ntdll.dll!NtOpenSection
  • ntdll.dll!NtOpenSemaphore
  • ntdll.dll!NtOpenThreadTokenEx
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryDebugFilterState
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQueryKey
  • ntdll.dll!NtQueryPerformanceCounter
  • ntdll.dll!NtQuerySecurityAttributesToken
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtQueryWnfStateData
  • ntdll.dll!NtReleaseMutant
  • ntdll.dll!NtReleaseSemaphore
  • ntdll.dll!NtReleaseWorkerFactoryWorker
  • ntdll.dll!NtRequestWaitReplyPort
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationProcess
  • ntdll.dll!NtSetInformationVirtualMemory
  • ntdll.dll!NtSetInformationWorkerFactory
  • ntdll.dll!NtSubscribeWnfStateChange
  • ntdll.dll!NtTestAlert
  • ntdll.dll!NtTraceControl
  • ntdll.dll!NtUnmapViewOfSection
  • ntdll.dll!NtUnmapViewOfSectionEx
  • ntdll.dll!NtWaitForAlertByThreadId
  • ntdll.dll!NtWaitForSingleObject
  • ntdll.dll!NtWaitForWorkViaWorkerFactory
  • ntdll.dll!NtWaitLowEventPair
  • ntdll.dll!NtWorkerFactoryWorkerReady
  • ntdll.dll!NtWriteFile
  • UNKNOWN

Trending

Most Viewed

Loading...