Report - ngrok.exe

Malicious Library, Malicious Packer, UPX, PE64, PE File, OS Processor Check
Created 2024.05.08 07:50
Machine s1_win7_x6401
Filename ngrok.exe
Type PE32+ executable (console) x86-64, for MS Windows
AI Score Not found
Behavior Score 0.8
ZERO API file: malicious
VT API (file) 6 detected (Common, a variant of WinGo, Ngrok, B potentially unsafe, Tool, MALICIOUS, Igent, b1PDlF)
md5 d028e35142a32bb77301ea582548c71a
sha256 f7d772465d27fc379f08681b2ee532baad91c50a6bdd7ecd6faaf0d11adb77dc
ssdeep 98304:vLZ74HDHivcYUQn6WfIZbIpf1S/509TyfP3dKLLwDac4oOA+f0qZBx/E+aX9vVDD:F7487dn6WfICy81GOBi+aNVDM1K
imphash ea509d361799935a94335b88f534a970
impfuzzy 24:ibVjh9wO+jX13uT7boVaXOr6kwmDgUPMztxdD1tr6tP:AwO+jX13UjXOmokxp1ZoP

Signature (3 counts)

Level   Description
notice  File has been identified by 6 AntiVirus engines on VirusTotal as malicious
info    One or more processes crashed
info    The executable contains unknown PE section names indicative of a packer (could be a false positive)

Rules (6 counts)

Level  Name                     Description         Collection
watch  Malicious_Library_Zero   Malicious_Library   binaries (upload)
watch  Malicious_Packer_Zero    Malicious Packer    binaries (upload)
watch  UPX_Zero                 UPX packed file     binaries (upload)
info   IsPE64                   (no description)    binaries (upload)
info   OS_Processor_Check_Zero  OS Processor Check  binaries (upload)
info   PE_Header_Zero           PE File Signature   binaries (upload)

Network (0 counts)

Request CC ASN Co IP4 Rule ZERO

Suricata ids

PE API

IAT (Import Address Table) Library

kernel32.dll
 0x1ad8700 WriteFile
 0x1ad8708 WriteConsoleW
 0x1ad8710 WerSetFlags
 0x1ad8718 WerGetFlags
 0x1ad8720 WaitForMultipleObjects
 0x1ad8728 WaitForSingleObject
 0x1ad8730 VirtualQuery
 0x1ad8738 VirtualFree
 0x1ad8740 VirtualAlloc
 0x1ad8748 TlsAlloc
 0x1ad8750 SwitchToThread
 0x1ad8758 SuspendThread
 0x1ad8760 SetWaitableTimer
 0x1ad8768 SetUnhandledExceptionFilter
 0x1ad8770 SetThreadPriority
 0x1ad8778 SetProcessPriorityBoost
 0x1ad8780 SetEvent
 0x1ad8788 SetErrorMode
 0x1ad8790 SetConsoleCtrlHandler
 0x1ad8798 ResumeThread
 0x1ad87a0 RaiseFailFastException
 0x1ad87a8 PostQueuedCompletionStatus
 0x1ad87b0 LoadLibraryW
 0x1ad87b8 LoadLibraryExW
 0x1ad87c0 SetThreadContext
 0x1ad87c8 GetThreadContext
 0x1ad87d0 GetSystemInfo
 0x1ad87d8 GetSystemDirectoryA
 0x1ad87e0 GetStdHandle
 0x1ad87e8 GetQueuedCompletionStatusEx
 0x1ad87f0 GetProcessAffinityMask
 0x1ad87f8 GetProcAddress
 0x1ad8800 GetErrorMode
 0x1ad8808 GetEnvironmentStringsW
 0x1ad8810 GetCurrentThreadId
 0x1ad8818 GetConsoleMode
 0x1ad8820 FreeEnvironmentStringsW
 0x1ad8828 ExitProcess
 0x1ad8830 DuplicateHandle
 0x1ad8838 CreateWaitableTimerExW
 0x1ad8840 CreateWaitableTimerA
 0x1ad8848 CreateThread
 0x1ad8850 CreateIoCompletionPort
 0x1ad8858 CreateFileA
 0x1ad8860 CreateEventA
 0x1ad8868 CloseHandle
 0x1ad8870 AddVectoredExceptionHandler

EAT (Export Address Table): none

Similarity measure (PE file only) - Checking for service failure