Trojan.MSIL.Agent.PFG

By CagedTech in Trojans

Table of Contents

Analysis Report

General information

Family Name:	Trojan.MSIL.Agent.PFG
Signature status:	No Signature

Known Samples

MD5: 9bc1bfd5e4313ab65cc791cf3a4832ba

SHA1: 192eb371f3cb1fe9879dc01ff924f8b4dba92c8a

SHA256: 9228855C0DD291B33F011A9B6027F11A0E6DBC2757B4AF123B1F9FAA9004CBD0

File Size: 5.37 MB, 5371630 bytes

MD5: 3c7e43b80531a4905ad35fdfd12d817c

SHA1: ffc2fb5e838049b4419aa1c9658a0b8b03ab7715

SHA256: 0A95C7E12AE88A3C1F290EC396B6BFB2DCD6C272C66C3A2A2E406586D926F0A5

File Size: 11.26 KB, 11264 bytes

MD5: df09ae17a9c27b36e90c442fe7d6d955

SHA1: 1d6cb139683aa4f27b453bee3f4178f93aeb42cc

SHA256: 5890E1D9FDF3309D6141C669F541E90A37B541322871F9AE6305D64BD8BE1099

File Size: 4.44 MB, 4444012 bytes

Windows Portable Executable Attributes

File doesn't have "Rich" header
File doesn't have debug information
File doesn't have exports table
File doesn't have relocations information
File doesn't have security information
File is .NET application
File is 32-bit executable
File is either console or GUI application
File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
File is Native application (NOT .NET application)

File is not packed
IMAGE_FILE_DLL is not set inside PE header (Executable)
IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Icons

Windows PE Version Information

Name	Value
Assembly Version	1.0.0.0
File Description	Vuduhi
File Version	1.0.0.0
Internal Name	Vuduhi.exe
Legal Copyright	Copyright © 2024
Original Filename	Vuduhi.exe
Product Name	Vuduhi
Product Version	1.0.0.0

File Traits

.NET
x86

Block Information

Similar Families

MSIL.Agent.PFG
MSIL.Agent.PFK

Files Modified

File	Attributes
\device\namedpipe	Generic Read,Write Attributes
\device\namedpipe	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsa5228.tmp\nsexec.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsv36d.tmp\nsexec.dll	Generic Write,Read Attributes

Registry Modifications

Key::Value	Data	API Name
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	㖕฿ඵǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	Ắ躟臹ǜ	RegNtPreCreateKey

Windows API Usage

Category	API
Anti Debug	IsDebuggerPresent NtQuerySystemInformation
User Data Access	GetUserDefaultLocaleName GetUserObjectInformation
Process Shell Execute	CreateProcess
Syscall Use	ntdll.dll!NtAccessCheck ntdll.dll!NtAddAtomEx ntdll.dll!NtAlertThreadByThreadId ntdll.dll!NtAlpcSendWaitReceivePort ntdll.dll!NtApphelpCacheControl ntdll.dll!NtClearEvent ntdll.dll!NtClose ntdll.dll!NtConnectPort ntdll.dll!NtCreateEvent ntdll.dll!NtCreateFile Show More ntdll.dll!NtCreateMutant ntdll.dll!NtCreateSection ntdll.dll!NtCreateSemaphore ntdll.dll!NtDuplicateObject ntdll.dll!NtDuplicateToken ntdll.dll!NtEnumerateKey ntdll.dll!NtEnumerateValueKey ntdll.dll!NtFreeVirtualMemory ntdll.dll!NtMapViewOfSection ntdll.dll!NtOpenFile ntdll.dll!NtOpenKey ntdll.dll!NtOpenKeyEx ntdll.dll!NtOpenProcessToken ntdll.dll!NtOpenProcessTokenEx ntdll.dll!NtOpenSection ntdll.dll!NtOpenSemaphore ntdll.dll!NtOpenThreadTokenEx ntdll.dll!NtProtectVirtualMemory ntdll.dll!NtQueryAttributesFile ntdll.dll!NtQueryInformationFile ntdll.dll!NtQueryInformationProcess ntdll.dll!NtQueryInformationThread ntdll.dll!NtQueryInformationToken ntdll.dll!NtQueryKey ntdll.dll!NtQueryPerformanceCounter ntdll.dll!NtQuerySecurityAttributesToken ntdll.dll!NtQueryValueKey ntdll.dll!NtQueryVirtualMemory ntdll.dll!NtQueryVolumeInformationFile ntdll.dll!NtQueryWnfStateData ntdll.dll!NtReadFile ntdll.dll!NtReleaseMutant ntdll.dll!NtReleaseSemaphore ntdll.dll!NtReleaseWorkerFactoryWorker ntdll.dll!NtRequestWaitReplyPort ntdll.dll!NtSetEvent ntdll.dll!NtSetInformationKey ntdll.dll!NtSetInformationProcess ntdll.dll!NtSetInformationVirtualMemory ntdll.dll!NtSetInformationWorkerFactory ntdll.dll!NtSubscribeWnfStateChange ntdll.dll!NtTestAlert ntdll.dll!NtTraceControl ntdll.dll!NtUnmapViewOfSection ntdll.dll!NtUnmapViewOfSectionEx ntdll.dll!NtWaitForAlertByThreadId ntdll.dll!NtWaitForSingleObject ntdll.dll!NtWaitForWorkViaWorkerFactory ntdll.dll!NtWaitLowEventPair ntdll.dll!NtWorkerFactoryWorkerReady ntdll.dll!NtWriteFile ntdll.dll!NtWriteVirtualMemory UNKNOWN win32u.dll!NtGdiAnyLinkedFonts win32u.dll!NtGdiBitBlt win32u.dll!NtGdiCreateBitmap win32u.dll!NtGdiCreateCompatibleBitmap win32u.dll!NtGdiCreateCompatibleDC win32u.dll!NtGdiCreateDIBitmapInternal win32u.dll!NtGdiCreateRectRgn win32u.dll!NtGdiCreateSolidBrush win32u.dll!NtGdiDeleteObjectApp win32u.dll!NtGdiDoPalette win32u.dll!NtGdiDrawStream win32u.dll!NtGdiExtGetObjectW win32u.dll!NtGdiExtTextOutW win32u.dll!NtGdiFontIsLinked win32u.dll!NtGdiGetCharABCWidthsW win32u.dll!NtGdiGetDCDword win32u.dll!NtGdiGetDCforBitmap win32u.dll!NtGdiGetDCObject win32u.dll!NtGdiGetDeviceCaps win32u.dll!NtGdiGetDIBitsInternal win32u.dll!NtGdiGetEntry win32u.dll!NtGdiGetFontData win32u.dll!NtGdiGetGlyphIndicesW win32u.dll!NtGdiGetOutlineTextMetricsInternalW win32u.dll!NtGdiGetRandomRgn win32u.dll!NtGdiGetRealizationInfo win32u.dll!NtGdiGetTextFaceW win32u.dll!NtGdiGetTextMetricsW win32u.dll!NtGdiGetWidthTable win32u.dll!NtGdiHfontCreate win32u.dll!NtGdiIntersectClipRect win32u.dll!NtGdiQueryFontAssocInfo win32u.dll!NtGdiRestoreDC win32u.dll!NtGdiSaveDC win32u.dll!NtGdiSelectBitmap win32u.dll!NtGdiSetDIBitsToDeviceInternal win32u.dll!NtGdiSetLayout 62 additional items are not displayed above.
Network Winsock2	WSAStartup
Service Control	OpenSCManager OpenService
Process Manipulation Evasion	NtUnmapViewOfSection ZwMapViewOfSection

Shell Command Execution


							netsh advfirewall firewall add rule name=bcnjxicwnxpvc dir=in action=allow program="C:\Users\Rfpnwtqx\AppData\Local\Temp\nsa5228.tmp\bcnjxicwnxpvc.exe" enable=yes profile=public,private


							netsh advfirewall firewall add rule name=lztcrmfnwimigwr dir=in action=allow program="C:\Users\Wbtxohfb\AppData\Local\Temp\nsv36D.tmp\lztcrmfnwimigwr.exe" enable=yes profile=public,private

EnigmaSoft’s Payment Processor Digital River GmbH Filing for Bankruptcy Does Not Impact SpyHunter Customers’ Anti-Malware Protection

Search

Change Region

Trojan.MSIL.Agent.PFG

Analysis Report

General information

Known Samples

Known Samples

Windows Portable Executable Attributes

Windows Portable Executable Attributes

File Icons

File Icons

Windows PE Version Information

Windows PE Version Information

File Traits

Block Information

Block Information

Similar Families

Similar Families

Files Modified

Files Modified

Registry Modifications

Registry Modifications

Windows API Usage

Windows API Usage

Shell Command Execution

Shell Command Execution

Submit Comment

Trending

Bullish Degen (BULLISH) Airdrop Scam

Trojan.MSIL.Agent.VTS

Fisakalzb Ransomware

Most Viewed

How To Fix 'Printer Driver is Unavailable' Error

Discord Shows Black Screen when Sharing Screen

How to Fix 'macOS cannot verify that this app is...