ScreenShot
| Created | 2024.05.28 11:20 | Machine | s1_win7_x6403 |
| Filename | AppGate2103v01.exe | ||
| Type | MS-DOS executable, MZ for MS-DOS | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 45 detected (AIDetectMalware, malicious, high confidence, score, Expiro, unsafe, Kryptik, Vrpi, GenericKD, Attribute, HighConfidence, Artemis, CLOUD, oqpql, OPERALOADER, YXEEZZ, high, Detected, PrivateLoader, Znyonm, Wacatac, AQF419, R649264, Themida, Chgt, Probably Heur, ExeHeaderL, ai score=86, confidence, 100%) | ||
| md5 | 1306e81bc13677c04abe69a1d2ca4e12 | ||
| sha256 | 9cec62fb802376768ad3fc73ef78aa6f2d34ec683696e597536ebe2b5fcb798d | ||
| ssdeep | 98304:vMlj6Zrx1GIpunUNmw6M47l6xhi91sq0Na3PNSw+i35dbX7MztyszU:EluZrf6nUeNlv91sFA3lEk5dbX7Mz8V | ||
| imphash | 1ba19d25372b3cb9b6f9bdd416ebf12c | ||
| impfuzzy | 3:sUx2AEZsSx2AEJtVXWKjKX9CROXKLbW7uRWEJzowKWbsKnqMEleA+n:nEtEJtVGKjHRgKLbGeYwNbsKn3EQn | ||
Network IP location
Signature (8cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 45 AntiVirus engines on VirusTotal as malicious |
| watch | DEP was bypassed by marking part of the stack executable by the process AppGate2103v01.exe |
| watch | Tries to unhook Windows functions monitored by Cuckoo |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| info | One or more processes crashed |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | The file contains an unknown PE resource name possibly indicative of a packer |
Rules (5cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsPE64 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
kernel32.dll
0x14084d160 GetModuleHandleA
KERNEL32
0x14084d170 GetModuleHandleA
USER32.dll
0x14084d180 GetCursorPos
ADVAPI32.dll
0x14084d190 RegCloseKey
SHELL32.dll
0x14084d1a0 SHGetFolderPathA
ole32.dll
0x14084d1b0 CoCreateInstance
OLEAUT32.dll
0x14084d1c0 VariantClear
EAT(Export Address Table) is none
kernel32.dll
0x14084d160 GetModuleHandleA
KERNEL32
0x14084d170 GetModuleHandleA
USER32.dll
0x14084d180 GetCursorPos
ADVAPI32.dll
0x14084d190 RegCloseKey
SHELL32.dll
0x14084d1a0 SHGetFolderPathA
ole32.dll
0x14084d1b0 CoCreateInstance
OLEAUT32.dll
0x14084d1c0 VariantClear
EAT(Export Address Table) is none