ScreenShot
Created | 2024.06.03 09:40 | Machine | s1_win7_x6403 |
Filename | AppGate2103v01.exe | ||
Type | PE32+ executable (GUI) x86-64, for MS Windows | ||
AI Score |
|
Behavior Score |
|
ZERO API | file : clean | ||
VT API (file) | 14 detected (AIDetectMalware, malicious, high confidence, Unsafe, Attribute, HighConfidence, GenKryptik, GVXA, Static AI, Suspicious PE, confidence, 100%) | ||
md5 | 9905d4c0f3aaf44c8f7a0f6c4b4d3543 | ||
sha256 | 2d8524c8b31583d8237455c7211f486667d4cd9ae7db7ac4bab3cbde6b9a5e7b | ||
ssdeep | 98304:HETDbLgHBfCrX0TvTtJOPsRsT90DV8OrLz:CjgHNCgLT7OEsTaDV7r | ||
imphash | 9cd4556d786e561b960f0093c7fc3caa | ||
impfuzzy | 6:aZRHmR1AVGKjHRgKLbGeYwNbsKn3EQlbslJoZ/O4ErBJAEHGDW:KAR1A0KjHRgRtwxrn3EQlSOZGJjA/DW |
Network IP location
Signature (38cnts)
Level | Description |
---|---|
danger | Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) |
danger | Disables Windows Security features |
danger | Executed a process and injected code into it |
watch | Allocates execute permission to another process indicative of possible code injection |
watch | Attempts to create or modify system certificates |
watch | Code injection by writing an executable or DLL to the memory of another process |
watch | Communicates with host for which no DNS query was performed |
watch | Connects to an IRC server |
watch | Executes one or more WMI queries |
watch | File has been identified by 14 AntiVirus engines on VirusTotal as malicious |
watch | Operates on local firewall's policies and settings |
watch | Potential code injection by writing to the memory of another process |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
notice | A process attempted to delay the analysis task. |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | An executable file was downloaded by the process appgate2103v01.exe |
notice | Checks adapter addresses which can be used to detect virtual network interfaces |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | Creates executable files on the filesystem |
notice | Creates hidden or system file |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | Looks up the external IP address |
notice | One or more potentially interesting buffers were extracted |
notice | Performs some HTTP requests |
notice | Potentially malicious URLs were found in the process memory dump |
notice | Sends data using the HTTP POST Method |
notice | Steals private information from local Internet browsers |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | The executable is likely packed with VMProtect |
notice | Yara rule detected in process memory |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | Collects information to fingerprint the system (MachineGuid |
info | One or more processes crashed |
info | Queries for the computername |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
info | The file contains an unknown PE resource name possibly indicative of a packer |
Rules (32cnts)
Level | Name | Description | Collection |
---|---|---|---|
danger | NorthKorea_Zero | Maybe it's North Korea File | binaries (download) |
danger | Win32_Trojan_Emotet_2_Zero | Win32 Trojan Emotet | binaries (download) |
warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
watch | Admin_Tool_IN_Zero | Admin Tool Sysinternals | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (download) |
watch | Network_Downloader | File Downloader | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
watch | Win32_Trojan_PWS_Net_1_Zero | Win32 Trojan PWS .NET Azorult | binaries (download) |
notice | anti_vm_detect | Possibly employs anti-virtualization techniques | binaries (download) |
notice | Code_injection | Code injection with CreateRemoteThread in a remote process | memory |
notice | local_credential_Steal | Steal credential | memory |
notice | Network_DNS | Communications use DNS | memory |
notice | Network_TCP_Socket | Communications over RAW Socket | memory |
notice | ScreenShot | Take ScreenShot | memory |
info | anti_dbg | Checks if being debugged | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | Is_DotNET_EXE | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE64 | (no description) | binaries (download) |
info | IsPE64 | (no description) | binaries (upload) |
info | mzp_file_format | MZP(Delphi) file format | binaries (download) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
Network (42cnts) ?
Suricata ids
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
ET INFO TLS Handshake Failure
ET DROP Spamhaus DROP Listed Traffic Inbound group 1
SURICATA Applayer Mismatch protocol both directions
ET DROP Spamhaus DROP Listed Traffic Inbound group 14
ET DROP Spamhaus DROP Listed Traffic Inbound group 23
ET DROP Spamhaus DROP Listed Traffic Inbound group 30
ET DROP Dshield Block Listed Source group 1
ET INFO Executable Download from dotted-quad Host
ET INFO Packed Executable Download
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO EXE - Served Attached HTTP
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
ET INFO TLS Handshake Failure
ET DROP Spamhaus DROP Listed Traffic Inbound group 1
SURICATA Applayer Mismatch protocol both directions
ET DROP Spamhaus DROP Listed Traffic Inbound group 14
ET DROP Spamhaus DROP Listed Traffic Inbound group 23
ET DROP Spamhaus DROP Listed Traffic Inbound group 30
ET DROP Dshield Block Listed Source group 1
ET INFO Executable Download from dotted-quad Host
ET INFO Packed Executable Download
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO EXE - Served Attached HTTP
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x1402a0000 InitializeCriticalSectionEx
USER32.dll
0x1402a0010 GetCursorPos
ADVAPI32.dll
0x1402a0020 RegCloseKey
SHELL32.dll
0x1402a0030 SHGetFolderPathA
ole32.dll
0x1402a0040 CoCreateInstance
OLEAUT32.dll
0x1402a0050 VariantClear
KERNEL32.dll
0x1402a0060 HeapAlloc
0x1402a0068 HeapFree
0x1402a0070 ExitProcess
0x1402a0078 GetModuleHandleA
0x1402a0080 LoadLibraryA
0x1402a0088 GetProcAddress
EAT(Export Address Table) is none
KERNEL32.dll
0x1402a0000 InitializeCriticalSectionEx
USER32.dll
0x1402a0010 GetCursorPos
ADVAPI32.dll
0x1402a0020 RegCloseKey
SHELL32.dll
0x1402a0030 SHGetFolderPathA
ole32.dll
0x1402a0040 CoCreateInstance
OLEAUT32.dll
0x1402a0050 VariantClear
KERNEL32.dll
0x1402a0060 HeapAlloc
0x1402a0068 HeapFree
0x1402a0070 ExitProcess
0x1402a0078 GetModuleHandleA
0x1402a0080 LoadLibraryA
0x1402a0088 GetProcAddress
EAT(Export Address Table) is none