MiTec Registry Recovery

Malware Dynamic Analysis with MiTec Windows Registry Recovery

MiTec Windows Registry Recovery is an application that allows to read files containing Windows 9x,NT,2K,XP,2K3,7,8 and 10 registry hives. It extracts many useful information about configuration and windows installation settings of host machine.


Malware Dynamic Analysis with ApateDNS

ApateDNS is a tool that can be used for controlling DNS responses through an easy-to-use GUI. This tool can let you spoof DNS responses to a user-specified IP address by listening on UDP port 53 on the local machine.


Malware Dynamic Analysis with FakeNet-NG

FakeNet-NG is a tool that can be used as network simulator. This tool can let you observe the network activity of the sample you are analyzing that is connecting outside your isolated environment. It also logs a pcap file after and can be found inside the FakeNet directory.

Using FakeNet as a network simulator can give us rich information. It also generates a pcap file inside the FakeNet directory when the executable is terminated.

In our sample, FakeNet logs the http communication of a sample connecting outside the environment, and this artifact can be used as a network based IOC.


Malware Dynamic Analysis with GMER

GMER is a rootkit detection tool let you view the hooking executable and the hooked function inside the system.

GMER can give us details about the name of the executable that performs the hooking and the module it hooks.

In our sample, GMER detects a Win32.AgentTesla.exe[2820] hooks user32.dll’s GetKeyboardState API.

Agent Tesla is a known variant of information-stealing malware.


Dynamic Analysis with RegShot

RegShot is a tool that let you take a clean snapshot of a registry that can be used later for comparison after the malware sample is executed. This can reveal information about the changes in the registry, particularly when the malware modifies registry keys to persist on the system.

Ring3 API Hooker

Malware Dynamic Analysis with Ring3 API Hook Scanner

Ring3 API Hook Scanner by that is gmer a like and detects API Hooking inside the kernel. This tool logs the executable responsible for hooking and the the API that is being hooked.

The Ring3 API Hook Scanner has a set of categories.

One is the one who owns or hooks the API module.

The other is the API name.

In our case, the image below shows how Ring3 detects Win32.AgentTesla.exe hooks DeleteFileW API.