{
	"id": "ef60f6d0-54ed-4017-8253-d663a96df421",
	"created_at": "2026-04-06T00:06:55.494079Z",
	"updated_at": "2026-04-10T03:23:18.117369Z",
	"deleted_at": null,
	"sha1_hash": "a2de863438e744f95b7c11f7e1d6bb97576020d1",
	"title": "Advanced IP Scanner: the preferred scanner in the A(P)T toolbox",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 414086,
	"plain_text": "Advanced IP Scanner: the preferred scanner in the A(P)T toolbox\r\nBy Krijn de Mik\r\nPublished: 2021-10-22 · Archived: 2026-04-05 15:29:33 UTC\r\n1. Introduction\r\nHunt \u0026 Hackett has been working on a wide variety of targeted ransomware cases. During these targeted\r\nransomware cases, ‘Advanced IP Scanner’ (AIS) [1] was regularly used as a reconnaissance tool for Active Scanning\r\n(T1595) and Network Service Scanning (T1046). This has not only been observed by Hunt \u0026 Hackett, but also by\r\nother incident response parties.\r\nGroups that have (had) used Advanced IP Scanner include:\r\nConti [2]\r\nDarkside/UNC2465 [3]\r\nEgregor [4]\r\nHades/Evilcorp [5]\r\nREvil [6]\r\nRyuk/UNC1878 [7]\r\nUNC2447 [7]\r\nUNC Iranian actor [8]\r\nDharma [9]\r\nThis small write-up focuses on some of the forensic traces left by AIS that Hunt \u0026 Hackett observed during\r\nIncident Response cases. The artefacts might be useful during an investigation, and can shine some (minor) light\r\non threat actors’ activities. Furthermore, this blogpost provides some pointers related to detecting Advanced IP\r\nScanner.\r\n2. Advanced IP Scanner\r\nAdvanced IP Scanner (AIS) is freely available online [1] and can be executed as an installer and as a portable\r\nversion. Both have been used by threat actors. After the installation / execution of AIS, the end user is presented\r\nwith an overview as shown in Figure 1.\r\nhttps://www.huntandhackett.com/blog/advanced-ip-scanner-the-preferred-scanner-in-the-apt-toolbox\r\nPage 1 of 12\n\nFigure 1 - GUI of Advanced IP Scanner.\r\nAIS is a simple and user-friendly IP scanner, which provides the end user with a concise overview of the systems\r\nfound in the network. From a high-level perspective, AIS provides the user with the following functionality:\r\n1. IP scanning: scan the given range for systems that are alive, or dead;\r\n2. Tools: provide functionality to ping an IP, perform a Tracert, or connect with Telnet / SSH;\r\n3. 
Remote connections: connect to the corresponding IP address via HTTP, HTTPS, FTP, RDP, or RADMIN\r\n(only works if RADMIN is installed).\r\n4. (Re)boot / Wake-On-Lan: the user can boot / reboot a system if the user is authorized to do so, or can send\r\nWake-On-Lan (WOL) packets to a system. If enabled, this provides the user with functionality to\r\nremotely boot a system.\r\nThe fact that there is a portable version of Advanced IP Scanner, that it has a GUI and that the tool supports a\r\nvariety of ways to interact with identified systems probably contributes to its popularity.\r\n3. Forensic traces\r\nAIS leaves traces on a host system when it is executed. This section describes the traces that are created during\r\nusage of the AIS tool and more specifically, the Windows registry keys that are being created. Do note that for\r\nboth the portable version as well as the installer version, the same traces are created in the Windows registry.\r\n3.1 AIS registry keys\r\nAfter the installation of AIS, keys and subkeys are created in the HKEY_USERS hive of the user under which\r\naccount AIS was installed. Data is more specifically stored at the following location:\r\nComputer\\HKEY_USERS\\\u003cSID\u003e\\SOFTWARE\\famatech\\advanced_ip_scanner\r\nThe mentioned registry keys are created, by both the installer version of AIS and the portable version, after the\r\nfirst usage of the application and subsequently some (sub)keys are updated after using AIS. While looking at it\r\ngraphically, multiple keys and subkeys are created as shown in Figure 2. 
The most relevant traces from a forensic\r\nperspective are either stored under the ‘advanced_ip_scanner’ key, or the ‘State’ key.\r\nFigure 2 – Overview of keys created with regards to AIS.\r\n3.2 The ‘advanced_ip_scanner’ keys and subkeys\r\nIf we look at the subkeys of the advanced_ip_scanner key, we are presented with the keys as shown in Table 2.\r\nThis table shows the name and type of the subkeys, together with the value (data) of the subkey, a comment with\r\nwhat the subkey represents and what the function is within AIS. Especially the locale subkey might be of\r\nrelevance, since this could potentially reveal something about the background of the threat actor, as well as the\r\nlocale_timestamp key since this gives an indication of when the application has been used for the first time.\r\nName | Type | Data | Comment\r\nlocale | REG_SZ | en_us | Concerns the language settings of AIS as set by the user.\r\nlocale_timestamp | REG_SZ | 1629953831432 | The first time the application has been started in epoch time, which translates to UTC +0. After starting the application for the first time, Hunt \u0026 Hackett hasn’t observed any updates to this value in subsequent restarts of the application.\r\nshow_alive | REG_SZ | true | Indicates whether found hosts, which are probably reachable, with the status ‘alive’ should be represented in the GUI. This is an option in the ‘View’ menu.\r\nshow_dead | REG_SZ | true | Indicates whether found hosts, which aren’t reachable, with the status ‘dead’ should be represented in the GUI. This is an option in the ‘View’ menu.\r\nshow_unknown | REG_SZ | false | Indicates whether found hosts with the status ‘unknown’ should be represented in the GUI. 
This is an option in the ‘View’ menu.\r\nTable 2: Overview of the AIS registry key ‘advanced_ip_scanner’ under HKEY_USERS hive.\r\n3.3 The ‘advanced_ip_scanner\\State’ keys and subkeys\r\nA variety of subkeys are listed under the key advanced_ip_scanner\\State, as shown in Table 3. This table shows\r\nthe name of subkeys together with the type of subkeys, the value (data) of the subkey, a comment with what the\r\nsubkey represents and what the function is within AIS. All the keys, except for LastRangeUsed, are created upon\r\nthe first time the application is started. The key LastRangeUsed is created upon the first time a scan is performed\r\nwith AIS.\r\nThe three registry keys IpRangesMruList, LastRangeUsed and SearchMruList under the key\r\nadvanced_ip_scanner\\State are especially interesting, as they could be of relevance during an IR assignment.\r\nLastRangeUsed: this key represents the last scan that was performed and shows the range that has\r\nbeen scanned.\r\nIpRangesMruList: this key represents all ranges scanned by AIS, including the frequency. Every range\r\nscanned has a prefix of [digit]-[digit], followed by [start IP address]-[IP range]. The first digit\r\nof the prefix represents the number of times a range has been scanned, which will be increased after every\r\nsubsequent scan. The range 192.168.227.1-254 in Table 3 has for example been scanned five times. It’s\r\nunknown what the second digit represents, since this digit remained ‘static’ throughout the different tests\r\nperformed. The scanned IP range is stored in memory while the application is still running. Upon closure\r\nof the application, the data is written from a buffer in memory to the registry. The order in which the\r\nscanned IP ranges are stored is unknown.\r\nSearchMruList: This key contains an overview of all IP-addresses searched for by the user. 
These are\r\nadded upon closure of the AIS application. Besides the last searched IP address, other historical\r\nsearches are saved here as well. Do note that a similar prefix is added to the IP address, just like for the key\r\nIpRangesMruList. However, it’s unknown what this prefix represents.\r\nName | Type | Data | Comment\r\nIpRangesMruList | REG_SZ | 5-1 192.168.227.1-254; 2-1 192.168.250.1-254; 1-1 192.168.116.1-254; 1-1 192.168.228.1-254; 1-1 192.168.240.1-254; 1-1 192.168.230.1-254 | All ranges scanned by the tool are stored in this subkey. Additionally, the first digit of the prefix indicates how frequently the range has been scanned.\r\nLastActiveTab | REG_DWORD | 0x00000000 (0) | The tab (either ‘results’ or ‘favorites’) that was active upon closure of the AIS process.\r\nLastRangeUsed | REG_SZ | 192.168.226.1-254 | This key is created after executing the first scan.\r\nlock_toolbars | REG_SZ | true | A menu item that can be selected to lock the toolbars.\r\nresults_col_size_init | REG_SZ | true | Unknown what this key represents.\r\nSearchMruList | REG_SZ | (empty) | The IP-addresses searched for via the GUI search field. A prefix is added to the searched IP represented as [digit]-[digit]. It’s unknown to Hunt \u0026 Hackett what the prefix represents.\r\nwindow_state | REG_BINARY | 40 00 42 00 79 00 74 00 64 00 41 00 … | Holds the state (dimensions) of the application windows upon closure of the application.\r\nTable 3 - Overview of the AIS registry State key under HKEY_USERS hive.\r\n4. Detection\r\nDetection of the Advanced IP Scanner process is trivial. 
Here at Hunt \u0026 Hackett, we also try to come up with\r\nbetter, behavioral detection methods that do not rely on static signatures for individual applications.\r\n4.1 Port scanning detection using Chronicle\r\nDetection should not only focus on the characteristics of individual pieces of software, but also on the behavior of\r\napplications. This means we also try to identify internal port scanning itself, and not merely the execution of\r\nAdvanced IP Scanner. As part of our detection engineering efforts, we experiment with custom YARA-L [10] rules\r\nfor Chronicle [11] to detect internal port scans.\r\nExperimenting with horizontal port scanning detection\r\nInternal port scanning of entire ranges results in a large number of network connections from the scanning\r\nmachine to other machines in a corporate network. We can use built-in functionality of Chronicle to experiment\r\nwith YARA-L rules capable of detecting internal scanning behavior.\r\nIn large enough networks, we can attempt to detect hosts that have performed a large number of connection\r\nattempts to other internal machines, which is indicative of internal port scans.\r\nThe experimental YARA-L rule depicted in Figure 3 for example triggers when a machine has made more than\r\n100 internal connections or connection attempts within 10 minutes. Real-world testing shows that this approach\r\ncan detect (some) internal port scans, though heavy tuning is required to filter out benign machines / processes that\r\nperform internal network discovery for legitimate reasons.\r\nFigure 3 - Experimental YARA-L rule for detecting internal port scans\r\nLimitations of detection attempts\r\nWith some filtering effort, we can use Chronicle to detect internal port scans at customers, though this approach is\r\nimpractical and requires heavy tuning. 
Additionally, our detection attempt is not foolproof and can be\r\ncircumvented by a determined attacker.\r\nSome methods of bypassing this detection attempt include:\r\nSlow scanning to circumvent any time-based detection thresholds.\r\nScanning of small IP blocks at a time to bypass any count-based thresholds.\r\n4.2 Port scanning detection using Canary tokens\r\nIn the previous section, we concluded that it is not feasible to detect all internal port scans using only network\r\nconnection data and threshold-based detection rules. To enhance detection, we can place canary tokens at\r\nstrategic places in an organization’s network. Whenever a canary token is scanned, the cyber defense center will\r\nreceive an alert and an analyst can investigate why a canary token was triggered.\r\nWhenever an alert is deemed malicious, this indicates an attacker is performing active reconnaissance in an\r\norganization’s network. However, whenever a canary token is triggered, this does not automatically mean a network\r\nhas been breached. Canary tokens can also be triggered by benign activities, including:\r\nMisspelled IP addresses or server names\r\nApplications that (for various reasons) contain network discovery functionality\r\nSystem administrators or other users performing network scans for legitimate reasons\r\n5. Detection rules\r\nThis section contains an overview of different rules in both Carbon Black as well as YARA-L format.\r\nAdditionally, you can find an already existing Sigma rule in the Sigma rule repository:\r\nhttps://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_advanced_ip_scanner.yml\r\nFor completeness the Sigma rule is listed in this section as well.\r\n5.1 Sigma\r\naction: global\r\ntitle: Advanced IP Scanner\r\nstatus: experimental\r\ndescription: Detects the use of Advanced IP Scanner. 
Seems to be a popular tool for ransomware groups.\r\nreferences:\r\n  - https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/\r\n  - https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html\r\n  - https://labs.f-secure.com/blog/prelude-to-ransomware-systembc\r\n  - https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf\r\n  - https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer\r\nauthor: '@ROxPinTeddy'\r\ndate: 2020/05/12\r\nmodified: 2021/05/11\r\ntags:\r\n  - attack.discovery\r\n  - attack.t1046\r\nfalsepositives:\r\n  - Legitimate administrative use\r\nlevel: medium\r\n---\r\nid: bef37fa2-f205-4a7b-b484-0759bfd5f86f\r\nlogsource:\r\n  category: process_creation\r\n  product: windows\r\ndetection:\r\n  selection:\r\n    Image|contains: '\\advanced_ip_scanner'\r\n  condition: selection\r\n---\r\nid: fed85bf9-e075-4280-9159-fbe8a023d6fa\r\nlogsource:\r\n  category: file_event\r\n  product: windows\r\ndetection:\r\n  selection:\r\n    TargetFilename|contains: '\\AppData\\Local\\Temp\\Advanced IP Scanner 2'\r\n  condition: selection\r\n5.2 CarbonBlack\r\nAction | CarbonBlack query\r\nAdvanced IP Scanner execution | (process_name:advanced_ip_scanner.exe OR process_publisher:\"Famatech Corp.\") OR (process_file_description:\"Advanced IP Scanner\" OR process_original_filename:advanced_ip_scanner.exe OR process_internal_name:\"Advanced IP Scanner\" OR process_product_name:\"Advanced IP Scanner\")\r\nAdvanced IP Scanner registry access | regmod_name:*\\\\famatech\\\\advanced_ip_scanner\\\\*\r\n5.3 Chronicle\r\nrule advanced_ip_scanner_execution {\r\n  meta:\r\n
    author = \"Hunt \u0026 Hackett\"\r\n    description = \"Detects execution of Advanced IP Scanner\"\r\n  events:\r\n    $event.metadata.event_type = \"PROCESS_LAUNCH\"\r\n    ($event.principal.process.file.full_path = /Advanced_IP_Scanner/ nocase or\r\n     $event.principal.process.command_line = /Advanced_IP_Scanner/ nocase or\r\n     $event.target.process.file.full_path = /Advanced_IP_Scanner/ nocase or\r\n     $event.target.process.command_line = /Advanced_IP_Scanner/ nocase)\r\n  condition:\r\n    $event\r\n}\r\nrule portscan_internal_horizontal {\r\n  meta:\r\n    author = \"Hunt \u0026 Hackett\"\r\n    description = \"Detects internal horizontal portscans (experimental)\"\r\n  events:\r\n    $e.metadata.event_type = \"NETWORK_CONNECTION\"\r\n    $e.principal.ip = $src_ip\r\n    $e.principal.port = $src_port\r\n    $e.target.ip = $dest_ip\r\n    $e.target.port = $dest_port\r\n    // Filter on internal source IPs\r\n    (net.ip_in_range_cidr($e.principal.ip, \"10.0.0.0/8\") or\r\n     net.ip_in_range_cidr($e.principal.ip, \"172.16.0.0/12\") or\r\n     net.ip_in_range_cidr($e.principal.ip, \"192.168.0.0/16\"))\r\n    // Filter on internal destination IPs\r\n    (net.ip_in_range_cidr($e.target.ip, \"10.0.0.0/8\") or\r\n     net.ip_in_range_cidr($e.target.ip, \"172.16.0.0/12\") or\r\n     net.ip_in_range_cidr($e.target.ip, \"192.168.0.0/16\"))\r\n    // Source port should be an ephemeral port\r\n    $src_port \u003e 20000\r\n    // Exclusions for tuning\r\n    // not net.ip_in_range_cidr($e.principal.ip, \"__IP_RANGE__\")\r\n  match:\r\n    // Look for connections from source\r\n    // in time period of 10 minutes\r\n    $src_ip over 10m\r\n  condition:\r\n    // Threshold on destination IPs\r\n    #dest_ip \u003e= 100\r\n}\r\nSources\r\n1. https://www.advanced-ip-scanner.com/\r\n2. 
Based on H2-CERT findings during an IR assignment\r\n3. https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html\r\n4. https://www.ic3.gov/Media/News/2021/210108.pdf\r\n5. https://www.bankinfosecurity.com/hades-ransomware-has-targeted-7-large-companies-a-16977\r\n6. https://www.huntandhackett.com/blog/revil-the-usage-of-legitimate-remote-admin-tooling\r\n7. https://www.logpoint.com/en/blog/detecting-fivehands-ransomware-at-different-stages-of-the-kill-chain/\r\n8. https://us-cert.cisa.gov/ncas/alerts/aa20-259a\r\n9. https://www.crowdstrike.com/blog/targeted-dharma-ransomware-intrusions-exhibit-consistent-techniques/\r\n10. https://cloud.google.com/chronicle/docs/detection/yara-l-2-0-syntax\r\n11. https://chronicle.security/\r\nSource: https://www.huntandhackett.com/blog/advanced-ip-scanner-the-preferred-scanner-in-the-apt-toolbox",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.huntandhackett.com/blog/advanced-ip-scanner-the-preferred-scanner-in-the-apt-toolbox"
	],
	"report_names": [
		"advanced-ip-scanner-the-preferred-scanner-in-the-apt-toolbox"
	],
	"threat_actors": [
		{
			"id": "8670f370-1865-4264-9a1b-0dfe7617c329",
			"created_at": "2022-10-25T16:07:23.69953Z",
			"updated_at": "2026-04-10T02:00:04.716126Z",
			"deleted_at": null,
			"main_name": "Hades",
			"aliases": [
				"Operation TrickyMouse"
			],
			"source_name": "ETDA:Hades",
			"tools": [
				"Brave Prince",
				"Gold Dragon",
				"GoldDragon",
				"Lovexxx",
				"Olympic Destroyer",
				"Running RAT",
				"RunningRAT",
				"SOURGRAPE",
				"running_rat"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434015,
	"ts_updated_at": 1775791398,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a2de863438e744f95b7c11f7e1d6bb97576020d1.pdf",
		"text": "https://archive.orkl.eu/a2de863438e744f95b7c11f7e1d6bb97576020d1.txt",
		"img": "https://archive.orkl.eu/a2de863438e744f95b7c11f7e1d6bb97576020d1.jpg"
	}
}