Report - AppGate018ver1.exe

Vidar Client SW User Data Stealer LokiBot Gen1 Emotet ftp Client info stealer Generic Malware Themida Packer Malicious Library UPX ASPack .NET framework(MSIL) Http API PWS HTTP Code injection Internet API AntiDebug AntiVM PE File PE64 OS Processor Che
Created 2024.07.20 20:34 Machine s1_win7_x6401
Filename AppGate018ver1.exe
Type PE32+ executable (GUI) x86-64, for MS Windows
AI Score
5
Behavior Score
28.4
ZERO API file : malware
VT API (file) 15 detected (AIDetectMalware, malicious, high confidence, Unsafe, Attribute, HighConfidence, AGen, Real Protect, Wacapew, confidence)
md5 8f8f6a36a8b827ceaae1228fd2669002
sha256 0947872f18afd457962627cd08eae78498cd6ed27219da7f45a294a0e9e6c947
ssdeep 98304:Ry6lwYZDXZJeoV95KoyxKxQQYj50PvDUXgTYbhGC/Mg:7Z1JV9N8Tj5EDUwTYNGMMg
imphash 82a1160ea6d4db9ad17aacb065a21868
impfuzzy 96:/HQmWgtXS1TWJc+6/cg/p1LR24u1AXJ4Zcp+AjxtvuGzvVq:zWgK1PbZ4pgc

Signature (60cnts)

Level Description
danger Disables Windows Security features
danger Executed a process and injected code into it
watch Allocates execute permission to another process indicative of possible code injection
watch Checks for the presence of known windows from debuggers and forensic tools
watch Checks the CPU name from registry
watch Checks the version of Bios
watch Code injection by writing an executable or DLL to the memory of another process
watch Collects information about installed applications
watch Communicates with host for which no DNS query was performed
watch Deletes executed files from disk
watch Detects Virtual Machines through their custom firmware
watch Detects VirtualBox through the presence of a registry key
watch Detects VMWare through the in instruction feature
watch Disables proxy possibly for traffic interception
watch Drops a binary and executes it
watch Executes one or more WMI queries
watch File has been identified by 15 AntiVirus engines on VirusTotal as malicious
watch Harvests credentials from local FTP client softwares
watch Installs itself for autorun at Windows startup
watch Manipulates memory of a non-child process indicative of process injection
watch Network activity contains more than one unique useragent
watch Operates on local firewall's policies and settings
watch Potential code injection by writing to the memory of another process
watch Resumed a suspended thread in a remote process potentially indicative of process injection
watch Used NtSetContextThread to modify a thread in a remote process indicative of process injection
watch Uses Sysinternals tools in order to add additional command line functionality
notice A process attempted to delay the analysis task.
notice A process created a hidden window
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks adapter addresses which can be used to detect virtual network interfaces
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Creates a shortcut to an executable file
notice Creates a suspicious process
notice Creates executable files on the filesystem
notice Creates hidden or system file
notice Drops an executable to the user AppData folder
notice Expresses interest in specific running processes
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Looks up the external IP address
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice Potentially malicious URLs were found in the process memory dump
notice Queries for potentially installed applications
notice Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation
notice Searches running processes potentially to identify processes for sandbox evasion
notice Sends data using the HTTP POST Method
notice Steals private information from local Internet browsers
notice Terminates another process
notice The binary likely contains encrypted or compressed data indicative of a packer
notice The executable is likely packed with VMProtect
notice Uses Windows utilities for basic Windows functionality
notice Yara rule detected in process memory
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Collects information to fingerprint the system (MachineGuid
info Command line console output was observed
info One or more processes crashed
info Queries for the computername
info The executable contains unknown PE section names indicative of a packer (could be a false positive)
info Tries to locate where the browsers are installed

Rules (43cnts)

Level Name Description Collection
danger Client_SW_User_Data_Stealer Client_SW_User_Data_Stealer memory
danger Win32_PWS_Loki_m_Zero Win32 PWS Loki memory
danger Win32_Trojan_Emotet_2_Zero Win32 Trojan Emotet binaries (download)
danger Win32_Trojan_Gen_1_0904B0_Zero Win32 Trojan Emotet binaries (download)
warning Generic_Malware_Zero Generic Malware binaries (download)
warning Generic_Malware_Zero Generic Malware binaries (upload)
warning infoStealer_ftpClients_Zero ftp clients info stealer memory
warning themida_packer themida packer binaries (download)
watch ASPack_Zero ASPack packed file binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch UPX_Zero UPX packed file binaries (download)
watch UPX_Zero UPX packed file binaries (upload)
watch Win32_Trojan_PWS_Net_1_Zero Win32 Trojan PWS .NET Azorult binaries (download)
notice Code_injection Code injection with CreateRemoteThread in a remote process memory
notice Generic_PWS_Memory_Zero PWS Memory memory
notice Network_HTTP Communications over HTTP memory
notice Str_Win32_Http_API Match Windows Http API call memory
notice Str_Win32_Internet_API Match Windows Inet API call memory
info anti_dbg Checks if being debugged memory
info antisb_threatExpert Anti-Sandbox checks for ThreatExpert memory
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerException__SetConsoleCtrl (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info DllRegisterServer_Zero execute regsvr32.exe binaries (download)
info ftp_command ftp command binaries (download)
info Is_DotNET_EXE (no description) binaries (download)
info IsDLL (no description) binaries (download)
info IsPE32 (no description) binaries (download)
info IsPE64 (no description) binaries (download)
info IsPE64 (no description) binaries (upload)
info lnk_file_format Microsoft Windows Shortcut File Format binaries (download)
info Lnk_Format_Zero LNK Format binaries (download)
info mzp_file_format MZP(Delphi) file format binaries (download)
info OS_Processor_Check_Zero OS Processor Check binaries (download)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory

Network (43cnts)

Request CC ASN Co IP4 Rule ZERO
http://79.137.192.13/prog/669a659129ee2_crypted.exe#1 RU Psk-set LLC 79.137.192.13 mailcious
http://176.111.174.109/psyzh Unknown 176.111.174.109 40370 malware
http://77.105.133.27/download/123p.exe RU Plus Telecom LLC 77.105.133.27 40857 malware
http://89.111.172.64/d/385132 RU Jsc ru-center 89.111.172.64 mailcious
http://91.103.252.177/api/twofish.php RU Hostglobal.plus Inc 91.103.252.177 clean
http://apps.identrust.com/roots/dstrootcax3.p7c US Akamai International B.V. 23.67.53.17 clean
http://94.232.45.38/eee01/eee01.exe BY eTOP sp. z o.o. 94.232.45.38 39938 malware
http://91.103.252.177/api/crazyfish.php RU Hostglobal.plus Inc 91.103.252.177 clean
http://79.137.192.13/prog/669b5b78252ea_googlesoft.exe#mene RU Psk-set LLC 79.137.192.13 mailcious
http://79.137.192.13/prog/6696621cecc83_crypted.exe#xin RU Psk-set LLC 79.137.192.13 mailcious
http://77.105.133.27/download/th/space.php RU Plus Telecom LLC 77.105.133.27 40856 mailcious
http://79.137.192.13/prog/6692518842cd4_BotClient.exe RU Psk-set LLC 79.137.192.13 malware
https://steamcommunity.com/profiles/76561199743486170 US AKAMAI-AS 96.7.99.225 41270 mailcious
https://db-ip.com/demo/home.php?s= US CLOUDFLARENET 104.26.4.15 clean
https://iplogger.org/1nhuM4.js US CLOUDFLARENET 172.67.132.113 clean
db-ip.com US CLOUDFLARENET 104.26.5.15 clean
pool.hashvault.pro SG PhoenixNAP 131.153.76.130 mailcious
api64.ipify.org US WEBNX 104.237.62.213 clean
api.myip.com US CLOUDFLARENET 172.67.75.163 clean
steamcommunity.com US AKAMAI-AS 23.66.133.162 mailcious
iplogger.org US CLOUDFLARENET 104.21.4.208 mailcious
t.me GB Telegram Messenger Inc 149.154.167.99 mailcious
ipinfo.io US GOOGLE 34.117.59.81 clean
cdn.discordapp.com Unknown 162.159.134.233 malware
lop.foxesjoy.com US CLOUDFLARENET 172.67.159.232 malware
149.154.167.99 GB Telegram Messenger Inc 149.154.167.99 mailcious
176.111.174.109 Unknown 176.111.174.109 malware
96.7.99.225 US AKAMAI-AS 96.7.99.225 clean
172.67.75.163 US CLOUDFLARENET 172.67.75.163 clean
104.26.4.15 US CLOUDFLARENET 104.26.4.15 clean
162.159.130.233 Unknown 162.159.130.233 malware
94.232.45.38 BY eTOP sp. z o.o. 94.232.45.38 malware
104.21.66.124 US CLOUDFLARENET 104.21.66.124 malware
104.237.62.213 US WEBNX 104.237.62.213 clean
79.137.192.13 RU Psk-set LLC 79.137.192.13 malware
91.103.252.177 RU Hostglobal.plus Inc 91.103.252.177 clean
89.111.172.64 RU Jsc ru-center 89.111.172.64 mailcious
77.105.133.27 RU Plus Telecom LLC 77.105.133.27 mailcious
78.46.255.249 DE Hetzner Online GmbH 78.46.255.249 mailcious
34.117.59.81 US GOOGLE 34.117.59.81 clean
121.254.136.9 KR LG DACOM Corporation 121.254.136.9 clean
172.67.132.113 US CLOUDFLARENET 172.67.132.113 clean
131.153.76.130 SG PhoenixNAP 131.153.76.130 mailcious

Suricata ids

PE API

IAT(Import Address Table) Library

KERNEL32.dll
 0x1403d4000 InitializeCriticalSectionEx
 0x1403d4008 CreateMutexA
 0x1403d4010 lstrcatA
 0x1403d4018 GetModuleHandleA
 0x1403d4020 SetCurrentDirectoryA
 0x1403d4028 Sleep
 0x1403d4030 GetModuleHandleExA
 0x1403d4038 GetFileAttributesA
 0x1403d4040 GetBinaryTypeA
 0x1403d4048 lstrcpyA
 0x1403d4050 FindClose
 0x1403d4058 VerSetConditionMask
 0x1403d4060 WideCharToMultiByte
 0x1403d4068 VerifyVersionInfoW
 0x1403d4070 CreateProcessA
 0x1403d4078 GetSystemTimeAsFileTime
 0x1403d4080 HeapFree
 0x1403d4088 lstrlenA
 0x1403d4090 HeapAlloc
 0x1403d4098 GetProcAddress
 0x1403d40a0 lstrcpynA
 0x1403d40a8 GetProcessHeap
 0x1403d40b0 WriteConsoleW
 0x1403d40b8 CloseHandle
 0x1403d40c0 CreateFileA
 0x1403d40c8 GetLastError
 0x1403d40d0 CreateFileW
 0x1403d40d8 WriteFile
 0x1403d40e0 SetFileAttributesA
 0x1403d40e8 ReadFile
 0x1403d40f0 HeapSize
 0x1403d40f8 FreeEnvironmentStringsW
 0x1403d4100 GetEnvironmentStringsW
 0x1403d4108 GetCommandLineW
 0x1403d4110 GetCommandLineA
 0x1403d4118 GetOEMCP
 0x1403d4120 GetACP
 0x1403d4128 IsValidCodePage
 0x1403d4130 InitializeSListHead
 0x1403d4138 ReleaseSRWLockExclusive
 0x1403d4140 AcquireSRWLockExclusive
 0x1403d4148 WakeAllConditionVariable
 0x1403d4150 SleepConditionVariableSRW
 0x1403d4158 RtlCaptureContext
 0x1403d4160 RtlLookupFunctionEntry
 0x1403d4168 RtlVirtualUnwind
 0x1403d4170 IsDebuggerPresent
 0x1403d4178 UnhandledExceptionFilter
 0x1403d4180 SetUnhandledExceptionFilter
 0x1403d4188 GetStartupInfoW
 0x1403d4190 IsProcessorFeaturePresent
 0x1403d4198 GetModuleHandleW
 0x1403d41a0 QueryPerformanceCounter
 0x1403d41a8 GetCurrentProcessId
 0x1403d41b0 GetCurrentThreadId
 0x1403d41b8 LocalFree
 0x1403d41c0 FindFirstFileExW
 0x1403d41c8 FindNextFileW
 0x1403d41d0 MultiByteToWideChar
 0x1403d41d8 QueryPerformanceFrequency
 0x1403d41e0 LCMapStringEx
 0x1403d41e8 EnterCriticalSection
 0x1403d41f0 LeaveCriticalSection
 0x1403d41f8 DeleteCriticalSection
 0x1403d4200 EncodePointer
 0x1403d4208 DecodePointer
 0x1403d4210 GetCPInfo
 0x1403d4218 GetStringTypeW
 0x1403d4220 SetLastError
 0x1403d4228 GetCurrentThread
 0x1403d4230 GetThreadTimes
 0x1403d4238 RtlUnwindEx
 0x1403d4240 InterlockedPushEntrySList
 0x1403d4248 RtlPcToFileHeader
 0x1403d4250 RaiseException
 0x1403d4258 InitializeCriticalSectionAndSpinCount
 0x1403d4260 TlsAlloc
 0x1403d4268 TlsGetValue
 0x1403d4270 TlsSetValue
 0x1403d4278 TlsFree
 0x1403d4280 FreeLibrary
 0x1403d4288 LoadLibraryExW
 0x1403d4290 SetFilePointerEx
 0x1403d4298 GetFileType
 0x1403d42a0 GetCurrentProcess
 0x1403d42a8 ExitProcess
 0x1403d42b0 TerminateProcess
 0x1403d42b8 GetModuleHandleExW
 0x1403d42c0 GetModuleFileNameW
 0x1403d42c8 GetStdHandle
 0x1403d42d0 GetConsoleMode
 0x1403d42d8 ReadConsoleW
 0x1403d42e0 GetConsoleOutputCP
 0x1403d42e8 SetStdHandle
 0x1403d42f0 FlsAlloc
 0x1403d42f8 FlsGetValue
 0x1403d4300 FlsSetValue
 0x1403d4308 FlsFree
 0x1403d4310 LCMapStringW
 0x1403d4318 GetLocaleInfoW
 0x1403d4320 IsValidLocale
 0x1403d4328 GetUserDefaultLCID
 0x1403d4330 EnumSystemLocalesW
 0x1403d4338 SetEndOfFile
 0x1403d4340 GetFileSizeEx
 0x1403d4348 FlushFileBuffers
 0x1403d4350 HeapReAlloc
 0x1403d4358 RtlUnwind
USER32.dll
 0x1403d4368 GetCursorPos
 0x1403d4370 CharNextA
ADVAPI32.dll
 0x1403d4380 RegCloseKey
 0x1403d4388 RegCreateKeyExA
 0x1403d4390 RegSetValueExA
 0x1403d4398 RegOpenKeyExA
 0x1403d43a0 CryptReleaseContext
SHELL32.dll
 0x1403d43b0 SHGetFolderPathA
 0x1403d43b8 ShellExecuteA
ole32.dll
 0x1403d43c8 CoCreateInstance
 0x1403d43d0 CoInitializeSecurity
 0x1403d43d8 CoInitializeEx
 0x1403d43e0 CoUninitialize
OLEAUT32.dll
 0x1403d43f0 VariantClear
 0x1403d43f8 SysAllocString
 0x1403d4400 SysFreeString
KERNEL32.dll
 0x1403d4410 GetSystemTimeAsFileTime
 0x1403d4418 CreateEventA
 0x1403d4420 GetModuleHandleA
 0x1403d4428 TerminateProcess
 0x1403d4430 GetCurrentProcess
 0x1403d4438 CreateToolhelp32Snapshot
 0x1403d4440 Thread32First
 0x1403d4448 GetCurrentProcessId
 0x1403d4450 GetCurrentThreadId
 0x1403d4458 OpenThread
 0x1403d4460 Thread32Next
 0x1403d4468 CloseHandle
 0x1403d4470 SuspendThread
 0x1403d4478 ResumeThread
 0x1403d4480 WriteProcessMemory
 0x1403d4488 GetSystemInfo
 0x1403d4490 VirtualAlloc
 0x1403d4498 VirtualProtect
 0x1403d44a0 VirtualFree
 0x1403d44a8 GetProcessAffinityMask
 0x1403d44b0 SetProcessAffinityMask
 0x1403d44b8 GetCurrentThread
 0x1403d44c0 SetThreadAffinityMask
 0x1403d44c8 Sleep
 0x1403d44d0 LoadLibraryA
 0x1403d44d8 FreeLibrary
 0x1403d44e0 GetTickCount
 0x1403d44e8 SystemTimeToFileTime
 0x1403d44f0 FileTimeToSystemTime
 0x1403d44f8 GlobalFree
 0x1403d4500 HeapAlloc
 0x1403d4508 HeapFree
 0x1403d4510 GetProcAddress
 0x1403d4518 ExitProcess
 0x1403d4520 EnterCriticalSection
 0x1403d4528 LeaveCriticalSection
 0x1403d4530 InitializeCriticalSection
 0x1403d4538 DeleteCriticalSection
 0x1403d4540 MultiByteToWideChar
 0x1403d4548 GetModuleHandleW
 0x1403d4550 LoadResource
 0x1403d4558 FindResourceExW
 0x1403d4560 FindResourceExA
 0x1403d4568 WideCharToMultiByte
 0x1403d4570 GetThreadLocale
 0x1403d4578 GetUserDefaultLCID
 0x1403d4580 GetSystemDefaultLCID
 0x1403d4588 EnumResourceNamesA
 0x1403d4590 EnumResourceNamesW
 0x1403d4598 EnumResourceLanguagesA
 0x1403d45a0 EnumResourceLanguagesW
 0x1403d45a8 EnumResourceTypesA
 0x1403d45b0 EnumResourceTypesW
 0x1403d45b8 CreateFileW
 0x1403d45c0 LoadLibraryW
 0x1403d45c8 GetLastError
 0x1403d45d0 FlushFileBuffers
 0x1403d45d8 FlsSetValue
 0x1403d45e0 GetCommandLineA
 0x1403d45e8 GetCPInfo
 0x1403d45f0 GetACP
 0x1403d45f8 GetOEMCP
 0x1403d4600 IsValidCodePage
 0x1403d4608 EncodePointer
 0x1403d4610 DecodePointer
 0x1403d4618 FlsGetValue
 0x1403d4620 FlsFree
 0x1403d4628 SetLastError
 0x1403d4630 FlsAlloc
 0x1403d4638 UnhandledExceptionFilter
 0x1403d4640 SetUnhandledExceptionFilter
 0x1403d4648 IsDebuggerPresent
 0x1403d4650 RtlVirtualUnwind
 0x1403d4658 RtlLookupFunctionEntry
 0x1403d4660 RtlCaptureContext
 0x1403d4668 RaiseException
 0x1403d4670 RtlPcToFileHeader
 0x1403d4678 RtlUnwindEx
 0x1403d4680 LCMapStringA
 0x1403d4688 LCMapStringW
 0x1403d4690 SetHandleCount
 0x1403d4698 GetStdHandle
 0x1403d46a0 GetFileType
 0x1403d46a8 GetStartupInfoA
 0x1403d46b0 GetModuleFileNameA
 0x1403d46b8 FreeEnvironmentStringsA
 0x1403d46c0 GetEnvironmentStrings
 0x1403d46c8 FreeEnvironmentStringsW
 0x1403d46d0 GetEnvironmentStringsW
 0x1403d46d8 HeapSetInformation
 0x1403d46e0 HeapCreate
 0x1403d46e8 HeapDestroy
 0x1403d46f0 QueryPerformanceCounter
 0x1403d46f8 GetStringTypeA
 0x1403d4700 GetStringTypeW
 0x1403d4708 GetLocaleInfoA
 0x1403d4710 HeapSize
 0x1403d4718 WriteFile
 0x1403d4720 SetFilePointer
 0x1403d4728 GetConsoleCP
 0x1403d4730 GetConsoleMode
 0x1403d4738 HeapReAlloc
 0x1403d4740 InitializeCriticalSectionAndSpinCount
 0x1403d4748 SetStdHandle
 0x1403d4750 WriteConsoleA
 0x1403d4758 GetConsoleOutputCP
 0x1403d4760 WriteConsoleW
 0x1403d4768 CreateFileA

EAT(Export Address Table) is none