file

Full analysis: https://app.any.run/tasks/6361a12c-e524-4fb2-b200-036ddbb48ca9
Verdict: Malicious activity
Threats:

Netwire is an advanced RAT, malware that takes control of infected PCs and allows its operators to perform various actions. Unlike many RATs, this one can target every major operating system, including Windows, Linux, and macOS.

Analysis date: July 17, 2019, 13:11:53
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: rat, netwire, trojan
Indicators:
MIME: application/x-7z-compressed
File info: 7-zip archive data, version 0.4
MD5: 621E733F92198BA18E4F0318887A49AB
SHA1: 342D2D74EAEF55D70841E67F6C87BE990EDF2D1E
SHA256: 0F0E2733E42882C739129CEC49F6FC12380D85031A24C6A12BD737EC7945B29A
SSDEEP: 3072:2QWUF5g7eoDAOlwP7EMXZeWAP8PXttxv11E+HYH9/KbfXlempaDW:rW+eioEOS7ZXsjEP9txvpyNKbgiay

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • proof of payment#.exe (PID: 916)
      • proof of payment#.exe (PID: 3820)
      • Host.exe (PID: 1736)
      • Host.exe (PID: 3908)
      • proof of payment#.exe (PID: 3224)
      • proof of payment#.exe (PID: 3156)
      • proof of payment#.exe (PID: 2732)
      • proof of payment#.exe (PID: 2856)
      • proof of payment#.exe (PID: 4004)
      • proof of payment#.exe (PID: 3028)
      • proof of payment#.exe (PID: 3568)
      • proof of payment#.exe (PID: 680)
      • proof of payment#.exe (PID: 3976)
      • proof of payment#.exe (PID: 3676)
    • Connects to CnC server

      • Host.exe (PID: 3908)
    • Changes the autorun value in the registry

      • Host.exe (PID: 3908)
    • NETWIRE was detected

      • Host.exe (PID: 3908)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3760)
      • proof of payment#.exe (PID: 916)
    • Application launched itself

      • proof of payment#.exe (PID: 680)
      • Host.exe (PID: 1736)
      • proof of payment#.exe (PID: 3224)
      • proof of payment#.exe (PID: 2856)
      • proof of payment#.exe (PID: 3156)
      • proof of payment#.exe (PID: 4004)
      • proof of payment#.exe (PID: 3820)
    • Creates files in the user directory

      • proof of payment#.exe (PID: 916)
    • Starts itself from another location

      • proof of payment#.exe (PID: 916)
  • INFO

    No info indicators.
No Malware configuration.

TRiD

.7z | 7-Zip compressed archive (v0.4) (57.1)
.7z | 7-Zip compressed archive (gen) (42.8)
No data.
All screenshots are available in the full report
Total processes: 49
Monitored processes: 15
Malicious processes: 5
Suspicious processes: 3

Behavior graph

[Behavior graph not reproducible in text. Node labels: winrar.exe, proof of payment#.exe (several instances, "no specs"), host.exe (#NETWIRE); edge labels: "drop and start", "start".]

Process information

PID: 680
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa3760.14978\proof of payment#.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa3760.14978\proof of payment#.exe
Parent process: WinRAR.exe
User: admin
Company: weirdwoman
Integrity Level: MEDIUM
Description: Jokul
Exit code: 0
Version: 1.09.0008
Modules (images):
c:\users\admin\appdata\local\temp\rar$exa3760.14978\proof of payment#.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
PID: 916
CMD: C:\Users\admin\AppData\Local\Temp\Rar$EXa3760.14581\proof of payment#.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa3760.14581\proof of payment#.exe
Parent process: proof of payment#.exe
User: admin
Company: weirdwoman
Integrity Level: MEDIUM
Description: Jokul
Exit code: 0
Version: 1.09.0008
Modules (images):
c:\users\admin\appdata\local\temp\rar$exa3760.14581\proof of payment#.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
PID: 1736
CMD: "C:\Users\admin\AppData\Roaming\Install\Host.exe"
Path: C:\Users\admin\AppData\Roaming\Install\Host.exe
Parent process: proof of payment#.exe
User: admin
Company: weirdwoman
Integrity Level: MEDIUM
Description: Jokul
Exit code: 0
Version: 1.09.0008
Modules (images):
c:\users\admin\appdata\roaming\install\host.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
PID: 2732
CMD: C:\Users\admin\AppData\Local\Temp\Rar$EXa3760.19564\proof of payment#.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa3760.19564\proof of payment#.exe
Parent process: proof of payment#.exe
User: admin
Company: weirdwoman
Integrity Level: MEDIUM
Description: Jokul
Exit code: 0
Version: 1.09.0008
Modules (images):
c:\users\admin\appdata\local\temp\rar$exa3760.19564\proof of payment#.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
PID: 2856
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa3760.19564\proof of payment#.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa3760.19564\proof of payment#.exe
Parent process: WinRAR.exe
User: admin
Company: weirdwoman
Integrity Level: MEDIUM
Description: Jokul
Exit code: 0
Version: 1.09.0008
Modules (images):
c:\users\admin\appdata\local\temp\rar$exa3760.19564\proof of payment#.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
PID: 3028
CMD: C:\Users\admin\AppData\Local\Temp\Rar$EXa3760.24436\proof of payment#.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa3760.24436\proof of payment#.exe
Parent process: proof of payment#.exe
User: admin
Company: weirdwoman
Integrity Level: MEDIUM
Description: Jokul
Exit code: 0
Version: 1.09.0008
Modules (images):
c:\users\admin\appdata\local\temp\rar$exa3760.24436\proof of payment#.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
PID: 3156
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa3760.23809\proof of payment#.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa3760.23809\proof of payment#.exe
Parent process: WinRAR.exe
User: admin
Company: weirdwoman
Integrity Level: MEDIUM
Description: Jokul
Exit code: 0
Version: 1.09.0008
Modules (images):
c:\users\admin\appdata\local\temp\rar$exa3760.23809\proof of payment#.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
PID: 3224
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa3760.18148\proof of payment#.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa3760.18148\proof of payment#.exe
Parent process: WinRAR.exe
User: admin
Company: weirdwoman
Integrity Level: MEDIUM
Description: Jokul
Exit code: 0
Version: 1.09.0008
Modules (images):
c:\users\admin\appdata\local\temp\rar$exa3760.18148\proof of payment#.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
PID: 3568
CMD: C:\Users\admin\AppData\Local\Temp\Rar$EXa3760.23809\proof of payment#.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa3760.23809\proof of payment#.exe
Parent process: proof of payment#.exe
User: admin
Company: weirdwoman
Integrity Level: MEDIUM
Description: Jokul
Exit code: 0
Version: 1.09.0008
Modules (images):
c:\users\admin\appdata\local\temp\rar$exa3760.23809\proof of payment#.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
PID: 3676
CMD: C:\Users\admin\AppData\Local\Temp\Rar$EXa3760.14978\proof of payment#.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa3760.14978\proof of payment#.exe
Parent process: proof of payment#.exe
User: admin
Company: weirdwoman
Integrity Level: MEDIUM
Description: Jokul
Exit code: 0
Version: 1.09.0008
Modules (images):
c:\users\admin\appdata\local\temp\rar$exa3760.14978\proof of payment#.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
Total events: 454
Read events: 438
Write events: 16
Delete events: 0

Modification events

(PID) Process: (3760) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

(PID) Process: (3760) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

(PID) Process: (3760) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\70\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (3760) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\file.7z

(PID) Process: (3760) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (3760) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (3760) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (3760) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (3760) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 0

(PID) Process: (3760) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 1
Executable files: 9
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type
3760 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3760.23809\proof of payment#.exe | executable
3760 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3760.18148\proof of payment#.exe | executable
3760 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3760.14978\proof of payment#.exe | executable
3760 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIa3760.18398\proof of payment#.exe | executable
3760 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3760.19564\proof of payment#.exe | executable
3760 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3760.24436\proof of payment#.exe | executable
3760 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3760.14581\proof of payment#.exe | executable
3760 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\file\proof of payment#.exe | executable
916 | proof of payment#.exe | C:\Users\admin\AppData\Roaming\Install\Host.exe | executable
(MD5 and SHA256 of the dropped files are not included in this extract.)
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 2
DNS requests: 1
Threats: 4

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3908 | Host.exe | 91.193.75.66:2803 | onelove03.duckdns.org | WorldStream B.V. | RS | malicious

DNS requests

Domain | IP | Reputation
onelove03.duckdns.org | 91.193.75.66 | malicious

Threats

PID | Process | Class | Message
1052 | svchost.exe | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
3908 | Host.exe | A Network Trojan was detected | MALWARE [PTsecurity] Netwire.RAT
2 ETPRO signatures available at the full report
No debug info