d97a7fc44bf341b9b2b2e65b46dab4f7d329afe15b4308b5aa56d5bfd7b99d35 | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

7

AppGate2103v01.exe

windows7-x64

AppGate2103v01.exe

windows10-2004-x64

Sharing

General

Target

AppGate2103v01.exe
Size

4.3MB
Sample

240329-fdk4vaag42
MD5

858bb0a3b4fa6a54586402e3ee117076
SHA1

997c31f043347883ea5ed2323a558b6cc5ea9c8e
SHA256

d97a7fc44bf341b9b2b2e65b46dab4f7d329afe15b4308b5aa56d5bfd7b99d35
SHA512

e8374b115f056b5d345c9b5f9c42b3d49e0640d7fad869448f686add6e52b783ecc7fd35ee15a67b944843491a91becf5b7c0bd5603eda01042dd2904c1ad8fd
SSDEEP

98304:n64KjpOZP7Gf8oC4felvJoch5wET9ItRmeFa6vcuEDAm:nBKlSPaMlxocM8+tE6kuEMm

Score

10^/10

evasion themida trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

AppGate2103v01.exe

Resource

win7-20240221-en

evasion themida trojan

windows7-x64

8 signatures

300 seconds

Behavioral task

behavioral2

Sample

AppGate2103v01.exe

Resource

win10v2004-20240226-en

evasion themida trojan

windows10-2004-x64

8 signatures

300 seconds

Malware Config

Targets

- Target
  
  AppGate2103v01.exe
- Size
  
  4.3MB
- MD5
  
  858bb0a3b4fa6a54586402e3ee117076
- SHA1
  
  997c31f043347883ea5ed2323a558b6cc5ea9c8e
- SHA256
  
  d97a7fc44bf341b9b2b2e65b46dab4f7d329afe15b4308b5aa56d5bfd7b99d35
- SHA512
  
  e8374b115f056b5d345c9b5f9c42b3d49e0640d7fad869448f686add6e52b783ecc7fd35ee15a67b944843491a91becf5b7c0bd5603eda01042dd2904c1ad8fd
- SSDEEP
  
  98304:n64KjpOZP7Gf8oC4felvJoch5wET9ItRmeFa6vcuEDAm:nBKlSPaMlxocM8+tE6kuEMm
Score

10^/10

evasion themida trojan
- Modifies firewall policy service
  evasion
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks whether UAC is enabled
  evasion trojan
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

Windows Service

Privilege Escalation

Create or Modify System Process

Windows Service

Defense Evasion

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

evasionthemidatrojan

behavioral2

evasionthemidatrojan

© 2018-2025

Terms | Privacy