Field | Value |
---|---|
File name | Netflix Proxyless Cracker v2.zip |
Full analysis | https://app.any.run/tasks/829aa2c1-32a7-408f-86af-f81a5c2ce87c |
Verdict | Malicious activity |
Threats | Netwire is an advanced RAT: malware that takes control of infected PCs and allows its operators to perform various actions. Unlike many RATs, it can target every major operating system, including Windows, Linux, and macOS. |
Analysis date | December 06, 2018, 09:06:15 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags | |
Indicators | |
MIME | application/zip |
File info | Zip archive data, at least v2.0 to extract |
MD5 | 08752E1B0A65C43A2F4C39EC48A576E2 |
SHA1 | 57BECDABDEB39604BD21DC5B2634EAF3F0C12440 |
SHA256 | 2318CEB75044BF57FF5648FC46D6AEF693B1144515DB899AB2E8499B589A6485 |
SSDEEP | 24576:FQ6bOyf91SAB9E0p+/5Njih+lVqiHnTmKv7gbgleGDC+ObCUwmK:FQ6RF9aA+bdThzgb58C+OL8 |
Archive field | Value |
---|---|
Format | .zip, ZIP compressed archive (100) |
ZipFileName | Netflix Proxyless Cracker v2.exe |
ZipUncompressedSize | 1552896 |
ZipCompressedSize | 1215146 |
ZipCRC | 0x08ceca4b |
ZipModifyDate | 2018:12:06 10:32:25 |
ZipCompression | Deflated |
ZipBitFlag | - |
ZipRequiredVersion | 20 |
PID | CMD | Path | Indicators | Parent process | User | Company | Integrity level | Description | Version | Exit code |
---|---|---|---|---|---|---|---|---|---|---|
2952 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Netflix Proxyless Cracker v2.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | admin | Alexander Roshal | MEDIUM | WinRAR archiver | 5.60.0 | 0 |
3232 | "C:\Users\admin\Desktop\Netflix Proxyless Cracker v2.exe" | C:\Users\admin\Desktop\Netflix Proxyless Cracker v2.exe | | explorer.exe | admin | System | HIGH | System | 11.7.3.1 | 0 |
1328 | "C:\Users\admin\Desktop\Netflix Proxyless Cracker v2.exe" | C:\Users\admin\Desktop\Netflix Proxyless Cracker v2.exe | | Netflix Proxyless Cracker v2.exe | admin | System | HIGH | System | 11.7.3.1 | 0 |
3588 | "C:\Users\admin\AppData\Local\Temp\kkkk.exe" 0 | C:\Users\admin\AppData\Local\Temp\kkkk.exe | | Netflix Proxyless Cracker v2.exe | admin | System | HIGH | System | 11.7.3.1 | 0 |
3756 | "C:\Users\admin\AppData\Local\Temp\Netflix Proxyless Cracker v2.exe" 0 | C:\Users\admin\AppData\Local\Temp\Netflix Proxyless Cracker v2.exe | — | Netflix Proxyless Cracker v2.exe | admin | Microsoft | HIGH | Netflix Proxyless Cracker v2 | 1.0.0.0 | |
3248 | "C:\Users\admin\AppData\Local\Temp\kkkk.exe" | C:\Users\admin\AppData\Local\Temp\kkkk.exe | | kkkk.exe | admin | System | HIGH | System | 11.7.3.1 | 0 |
2416 | "C:\Users\admin\AppData\Roaming\Microsoft\Network\svchost.exe" | C:\Users\admin\AppData\Roaming\Microsoft\Network\svchost.exe | | kkkk.exe | admin | System | HIGH | System | 11.7.3.1 | 0 |
2412 | "C:\Users\admin\AppData\Roaming\Microsoft\Network\svchost.exe" | C:\Users\admin\AppData\Roaming\Microsoft\Network\svchost.exe | | svchost.exe | admin | System | HIGH | System | 11.7.3.1 | |
PID | Process | Key | Operation | Name | Value |
---|---|---|---|---|---|
2952 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | write | ShellExtBMP | |
2952 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | write | ShellExtIcon | |
2952 | WinRAR.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | write | LanguageList | en-US |
2952 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 0 | C:\Users\admin\AppData\Local\Temp\Netflix Proxyless Cracker v2.zip |
2952 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | name | 120 |
2952 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | size | 80 |
2952 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | type | 120 |
2952 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | mtime | 100 |
2952 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin | write | Placement | 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000 |
2952 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\General | write | LastFolder | C:\Users\admin\AppData\Local\Temp |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
2952 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2952.22826\Netflix Proxyless Cracker v2.exe | — | — | — |
2412 | svchost.exe | C:\Users\admin\AppData\Roaming\Microsoft\Network\Settings.ini | binary | 9DC45CB15A6D139CD3E401D48BA6BD32 | B5B62FC825E406C24929FE7DE9459A4E459D6A8D9B7F2BE48EFA505B09CF3B51 |
3248 | kkkk.exe | C:\Users\admin\AppData\Roaming\Microsoft\Network\svchost.exe | executable | AC45D433F970D0F2373A9C055E350966 | 027BF5444612AB37390FE1E8A8BA2306AF21E72A0DB76AE5F7C43DA249807FB9 |
1328 | Netflix Proxyless Cracker v2.exe | C:\Users\admin\AppData\Local\Temp\Netflix Proxyless Cracker v2.exe | executable | 4CE028EF32E2826256D4A089B23D7605 | 6A02EDA2F1251A2241E3F812F89E76982E4C275F662212A145531F102E9F0756 |
1328 | Netflix Proxyless Cracker v2.exe | C:\Users\admin\AppData\Local\Temp\kkkk.exe | executable | AC45D433F970D0F2373A9C055E350966 | 027BF5444612AB37390FE1E8A8BA2306AF21E72A0DB76AE5F7C43DA249807FB9 |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2412 | svchost.exe | 92.222.72.160:8999 | playhardgopro.life | OVH SAS | FR | malicious |
Domain | IP | Reputation |
---|---|---|
playhardgopro.life | | malicious |
PID | Process | Class | Message |
---|---|---|---|
2412 | svchost.exe | A Network Trojan was detected | SC SPYWARE Spyware Weecnaw Win32 |
2412 | svchost.exe | A Network Trojan was detected | MALWARE [PTsecurity] Netwire.RAT |
2412 | svchost.exe | A Network Trojan was detected | ET TROJAN Possible Netwire RAT Client HeartBeat C2 |
2412 | svchost.exe | A Network Trojan was detected | ET TROJAN Possible Netwire RAT Client HeartBeat C2 |
2412 | svchost.exe | A Network Trojan was detected | ET TROJAN Possible Netwire RAT Client HeartBeat C2 |
2412 | svchost.exe | A Network Trojan was detected | ET TROJAN Possible Netwire RAT Client HeartBeat C2 |
2412 | svchost.exe | A Network Trojan was detected | ET TROJAN Possible Netwire RAT Client HeartBeat C2 |
2412 | svchost.exe | A Network Trojan was detected | ET TROJAN Possible Netwire RAT Client HeartBeat C2 |
2412 | svchost.exe | A Network Trojan was detected | ET TROJAN Possible Netwire RAT Client HeartBeat C2 |
Process | Message |
---|---|
Netflix Proxyless Cracker v2.exe | *** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1391 |
Netflix Proxyless Cracker v2.exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\identityauthority.cpp, line 278 |
Netflix Proxyless Cracker v2.exe | *** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1391 |
Netflix Proxyless Cracker v2.exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\identityauthority.cpp, line 278 |
Netflix Proxyless Cracker v2.exe | *** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1391 |
Netflix Proxyless Cracker v2.exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\identityauthority.cpp, line 278 |
Netflix Proxyless Cracker v2.exe | *** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1391 |
Netflix Proxyless Cracker v2.exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\identityauthority.cpp, line 278 |
kkkk.exe | *** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1391 |
kkkk.exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\identityauthority.cpp, line 278 |