Reason Labs

appnhost.exe

AppNHost

Vladislavas Jarmalis

The executable appnhost.exe (“Native Host for Apps”) has been detected as malware named Virus.Floxif. It is set to start automatically when a user logs into Windows, via the current-user Run registry key, under the display name ‘appnhost’.

Publisher:
Mixesoft Project  (signed by Vladislavas Jarmalis)

Product:
AppNHost

Description:
Native Host for Apps

Version:
1.0.5.1

MD5:
e59ef626e6e88c45324459642c8618e5

SHA-1:
236ebfc5aa1171a299112c0ca399d794d48c96d3

SHA-256:
fc9e9b123da42e36d8a0fa46622a7d3819c0c6f64be0b724a6a388096d27f932

Detection:
Virus.Floxif

Risk:
Medium

Analysis date:
12/12/2018 10:35:43 AM UTC

File size:
519 KB (531,455 bytes)

Product version:
1.0.5.1

Copyright:
Vlad & Serge Strukoff © 2014

Original file name:
appnhost.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\mixesoft\appnhost\appnhost.exe

Digital Signature
Authority:
COMODO CA Limited

Valid from:
10/23/2013 5:00:00 PM

Valid to:
10/24/2015 4:59:59 PM

Subject:
CN=Vladislavas Jarmalis, O=Vladislavas Jarmalis, STREET=Vilniaus 17, L=Maišiagala, S=Vilniaus raj., PostalCode=14242, C=LT

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
0DB6661483A14E3F940D0119A084C610

File PE Metadata
Compilation timestamp:
8/8/2014 7:19:24 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
12288:7jmd4G3VC1VkL53vjFNJt/ENsvyGjTOE5NiBjvrEH7EiTCKVqh:viVOOHt/ENsKGjP5NErEH7nTm

Header:
4D, 5A, 90, 00, 03, 00, 00, 00, 04, 00, 00, 00, FF, FF, 00, 00, B8, 00, 00, 00, 00, 00, 00, 00, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, F0, 00, 00, 00...

Entry address:
0x41245

Entry point:
E9, C4, 62, FF, FF, E9, 89, FE, FF, FF, 8B, FF, 55, 8B, EC, 51, 53, 56, 8B, 35, 38, A2, 45, 00, 57, FF, 35, 6C, B8, 46, 00, FF, D6, FF, 35, 68, B8, 46, 00, 8B, D8, 89, 5D, FC, FF, D6, 8B, F0, 3B, F3, 0F, 82, 81, 00, 00, 00, 8B, FE, 2B, FB, 8D, 47, 04, 83, F8, 04, 72, 75, 53, E8, 8C, B1, 00, 00, 8B, D8, 8D, 47, 04, 59, 3B, D8, 73, 48, B8, 00, 08, 00, 00, 3B, D8, 73, 02, 8B, C3, 03, C3, 3B, C3, 72, 0F, 50, FF, 75, FC, E8, DF, 25, 00, 00, 59, 59, 85, C0, 75, 16, 8D, 43, 10, 3B, C3, 72, 3E, 50, FF, 75, FC, E8...

Entropy:
6.7311

Packer / compiler:
tElock 0.99 - 1.0 private

Characteristics:
0x258

Code size:
353.5 KB (361,984 bytes)

Properties
Integrity level:
8192

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
appnhost

Command:
C:\users\{user}\appdata\local\mixesoft\appnhost\appnhost.exe


There are 7 known variations of appnhost.exe by Mixesoft Project.

Virus.Floxif
appnhost.exe  1.0.5.1  (e81b4de3866e52f016da92c5db7eafad21df5d59)

Virus.Floxif
appnhost.exe  1.0.5.1  (80acffb28a5aa24cd4262eb61dc50f253fb72554)

Virus.Floxif
appnhost.exe  1.0.5.1  (cdee80e2a0d6ba8e0db763dd22f82cc9454a0ac2)

Virus.Floxif
appnhost.exe  1.0.5.1  (21767d6f265f633d982a7c196c106a799189c8e6)

Clean
appnhost.exe  1.0.5.1  (3b1f56e5550f916582060551fff379106f30e6cd)

Clean
appnhost.exe  1.0.5.1  (0be07546ef8e5fabf9214efdde9d9d19831a0130)

Clean
appnhost.exe  1.0.5.1  (13866ebfc914acf00770a662fdbe1ca3deac9274)

Clean
appnhost.msi  (87573e225cee8396712595af04aa75386207f2f0)

Clean
MagicActionsForChrome.exe (by www.chromeactions.com)  (fa966a97b32fe33417941ff809e67efb824bdcd3)

Clean
msi77b2.tmp  (d28ff61dfa6fec362e59f179c1db1330d7729c9c)

Clean
10af21.msi  (d98db7647fac79ef4e1eb9ff546a0286c48f8ce9)

Clean
6f867c.msi  (fab6ba4c7427f82c3919e7a59d84e6afd25479ff)

Clean
1962ba.msi  (80fde5f84f0c746ddf048feae0db8ff2f0af5796)

Clean
1127fa3.msi  (620e1d6503994f2781a152d53ee5af95613c9a7a)

Clean
a0074201.msi  (ac9df4d0adba62142feacc294099227bd90aad96)

Clean
a0044143.msi  (9f121b202774b2a4ff515c5d719048881dd40812)

Clean
130908.msi  (0bb2e625e984b33795304e960bb256e18313a220)
