Overview
overview
9Static
static
7Appfuscate...or.exe
windows7-x64
9Appfuscate...or.exe
windows10-2004-x64
9Appfuscate...ib.dll
windows7-x64
1Appfuscate...ib.dll
windows10-2004-x64
1Appfuscate...db.dll
windows7-x64
1Appfuscate...db.dll
windows10-2004-x64
1Appfuscate...db.dll
windows7-x64
1Appfuscate...db.dll
windows10-2004-x64
1Appfuscate...ks.dll
windows7-x64
1Appfuscate...ks.dll
windows10-2004-x64
1Appfuscate...il.dll
windows7-x64
1Appfuscate...il.dll
windows10-2004-x64
1Appfuscate...on.dll
windows7-x64
1Appfuscate...on.dll
windows10-2004-x64
1Appfuscate...er.exe
windows7-x64
1Appfuscate...er.exe
windows10-2004-x64
1Appfuscate...er.exe
windows7-x64
1Appfuscate...er.exe
windows10-2004-x64
1Appfuscate...00.exe
windows7-x64
7Appfuscate...00.exe
windows10-2004-x64
7Analysis
-
max time kernel
151s -
max time network
131s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
14-06-2023 15:41
Behavioral task
behavioral1
Sample
Appfuscated - Cracked by Voxguard/AppFuscator.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
Appfuscated - Cracked by Voxguard/AppFuscator.exe
Resource
win10v2004-20230220-en
Behavioral task
behavioral3
Sample
Appfuscated - Cracked by Voxguard/ICSharpCode.SharpZipLib.dll
Resource
win7-20230220-en
Behavioral task
behavioral4
Sample
Appfuscated - Cracked by Voxguard/ICSharpCode.SharpZipLib.dll
Resource
win10v2004-20230220-en
Behavioral task
behavioral5
Sample
Appfuscated - Cracked by Voxguard/Mono.Cecil.Mdb.dll
Resource
win7-20230220-en
Behavioral task
behavioral6
Sample
Appfuscated - Cracked by Voxguard/Mono.Cecil.Mdb.dll
Resource
win10v2004-20230221-en
Behavioral task
behavioral7
Sample
Appfuscated - Cracked by Voxguard/Mono.Cecil.Pdb.dll
Resource
win7-20230220-en
Behavioral task
behavioral8
Sample
Appfuscated - Cracked by Voxguard/Mono.Cecil.Pdb.dll
Resource
win10v2004-20230220-en
Behavioral task
behavioral9
Sample
Appfuscated - Cracked by Voxguard/Mono.Cecil.Rocks.dll
Resource
win7-20230220-en
Behavioral task
behavioral10
Sample
Appfuscated - Cracked by Voxguard/Mono.Cecil.Rocks.dll
Resource
win10v2004-20230220-en
Behavioral task
behavioral11
Sample
Appfuscated - Cracked by Voxguard/Mono.Cecil.dll
Resource
win7-20230220-en
Behavioral task
behavioral12
Sample
Appfuscated - Cracked by Voxguard/Mono.Cecil.dll
Resource
win10v2004-20230220-en
Behavioral task
behavioral13
Sample
Appfuscated - Cracked by Voxguard/Newtonsoft.Json.dll
Resource
win7-20230220-en
Behavioral task
behavioral14
Sample
Appfuscated - Cracked by Voxguard/Newtonsoft.Json.dll
Resource
win10v2004-20230221-en
Behavioral task
behavioral15
Sample
Appfuscated - Cracked by Voxguard/StackTraceDecoder.exe
Resource
win7-20230220-en
Behavioral task
behavioral16
Sample
Appfuscated - Cracked by Voxguard/StackTraceDecoder.exe
Resource
win10v2004-20230220-en
Behavioral task
behavioral17
Sample
Appfuscated - Cracked by Voxguard/WatermarkDecoder.exe
Resource
win7-20230220-en
Behavioral task
behavioral18
Sample
Appfuscated - Cracked by Voxguard/WatermarkDecoder.exe
Resource
win10v2004-20230220-en
Behavioral task
behavioral19
Sample
Appfuscated - Cracked by Voxguard/unins000.exe
Resource
win7-20230220-en
Behavioral task
behavioral20
Sample
Appfuscated - Cracked by Voxguard/unins000.exe
Resource
win10v2004-20230220-en
General
-
Target
Appfuscated - Cracked by Voxguard/AppFuscator.exe
-
Size
5.6MB
-
MD5
d19985c8b4de4a0cef2f5a4533140ca4
-
SHA1
4fb1de3c3aebc888aec868a7d921ad6653e6aba4
-
SHA256
1d0638e1f906f41b6dcb34a685223eb6b1b19874661a2131dcbe9c76e1ec1791
-
SHA512
2eaf25002f57ffc2ece5c68bdf17182b393dceee0b836cb6d9d4c2ab7604b9b2e2dc47da1e9c6499fc341a23130c14dfbadd51530a11ae1e73c37ca1c4d3ba4d
-
SSDEEP
98304:EIvuNN/N91h2eDZQjL7sU8I5DKBWoClkRGJewd8Y3evBQ9LtYVrEx3/o6ETgKbWt:ET9GeDVI5DKBWZlkgJedYs6LtYdEhqTp
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ AppFuscator.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion AppFuscator.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion AppFuscator.exe -
Loads dropped DLL 1 IoCs
pid Process 4116 AppFuscator.exe -
Obfuscated with Agile.Net obfuscator 1 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
resource yara_rule behavioral2/memory/4116-133-0x0000000000310000-0x00000000008B2000-memory.dmp agile_net -
resource yara_rule behavioral2/files/0x00060000000226e7-137.dat themida behavioral2/files/0x00060000000226e7-139.dat themida behavioral2/memory/4116-141-0x00007FFE391B0000-0x00007FFE39962000-memory.dmp themida behavioral2/memory/4116-143-0x00007FFE391B0000-0x00007FFE39962000-memory.dmp themida behavioral2/memory/4116-147-0x00007FFE391B0000-0x00007FFE39962000-memory.dmp themida behavioral2/memory/4116-152-0x00007FFE391B0000-0x00007FFE39962000-memory.dmp themida behavioral2/memory/4116-161-0x00007FFE391B0000-0x00007FFE39962000-memory.dmp themida behavioral2/memory/4116-162-0x00007FFE391B0000-0x00007FFE39962000-memory.dmp themida -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA AppFuscator.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Appfuscated - Cracked by Voxguard\AppFuscator.exe"C:\Users\Admin\AppData\Local\Temp\Appfuscated - Cracked by Voxguard\AppFuscator.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4116
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.9MB
MD59bb6ed08af544d3738e60200d2804180
SHA15a40b484ca56b1ce59add4ec283e21d60070be02
SHA25686d49f3894cc3de038abcde03803de8b6f239c237f34930ce5c41ab725c26cb7
SHA51263e6b90457c3e3e6e419e30fe57e35c66e08059611fbe4ffb60d28acd6ee8d9f0ccfa31d7b27e9af44ab13512490f3b7b7f5130df947c5de50a937dcee0a91a5
-
Filesize
2.9MB
MD59bb6ed08af544d3738e60200d2804180
SHA15a40b484ca56b1ce59add4ec283e21d60070be02
SHA25686d49f3894cc3de038abcde03803de8b6f239c237f34930ce5c41ab725c26cb7
SHA51263e6b90457c3e3e6e419e30fe57e35c66e08059611fbe4ffb60d28acd6ee8d9f0ccfa31d7b27e9af44ab13512490f3b7b7f5130df947c5de50a937dcee0a91a5