analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Netflix Proxyless Cracker v2.zip

Full analysis: https://app.any.run/tasks/829aa2c1-32a7-408f-86af-f81a5c2ce87c
Verdict: Malicious activity
Threats:

Netwire is an advanced RAT — it is a malware that takes control of infected PCs and allows its operators to perform various actions. Unlike many RATs, this one can target every major operating system, including Windows, Linux, and MacOS.

Analysis date: December 06, 2018, 09:06:15
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
rat
netwire
trojan
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

08752E1B0A65C43A2F4C39EC48A576E2

SHA1:

57BECDABDEB39604BD21DC5B2634EAF3F0C12440

SHA256:

2318CEB75044BF57FF5648FC46D6AEF693B1144515DB899AB2E8499B589A6485

SSDEEP:

24576:FQ6bOyf91SAB9E0p+/5Njih+lVqiHnTmKv7gbgleGDC+ObCUwmK:FQ6RF9aA+bdThzgb58C+OL8

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • Netflix Proxyless Cracker v2.exe (PID: 3232)
      • Netflix Proxyless Cracker v2.exe (PID: 1328)
      • kkkk.exe (PID: 3248)
      • svchost.exe (PID: 2416)
      • Netflix Proxyless Cracker v2.exe (PID: 3756)
      • kkkk.exe (PID: 3588)
      • svchost.exe (PID: 2412)
    • NETWIRE was detected

      • svchost.exe (PID: 2412)
    • Changes the autorun value in the registry

      • svchost.exe (PID: 2412)
    • Connects to CnC server

      • svchost.exe (PID: 2412)
    • Actions looks like stealing of personal data

      • svchost.exe (PID: 2412)
  • SUSPICIOUS

    • Application launched itself

      • Netflix Proxyless Cracker v2.exe (PID: 3232)
      • kkkk.exe (PID: 3588)
      • svchost.exe (PID: 2416)
    • Executable content was dropped or overwritten

      • Netflix Proxyless Cracker v2.exe (PID: 1328)
      • kkkk.exe (PID: 3248)
    • Starts itself from another location

      • kkkk.exe (PID: 3248)
    • Creates executable files which already exist in Windows

      • kkkk.exe (PID: 3248)
    • Creates files in the user directory

      • kkkk.exe (PID: 3248)
      • svchost.exe (PID: 2412)
    • Connects to unusual port

      • svchost.exe (PID: 2412)
    • Loads DLL from Mozilla Firefox

      • svchost.exe (PID: 2412)
  • INFO

    • Dropped object may contain Bitcoin addresses

      • Netflix Proxyless Cracker v2.exe (PID: 1328)
      • kkkk.exe (PID: 3248)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: Netflix Proxyless Cracker v2.exe
ZipUncompressedSize: 1552896
ZipCompressedSize: 1215146
ZipCRC: 0x08ceca4b
ZipModifyDate: 2018:12:06 10:32:25
ZipCompression: Deflated
ZipBitFlag: -
ZipRequiredVersion: 20
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
41
Monitored processes
8
Malicious processes
6
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start drop and start drop and start winrar.exe no specs netflix proxyless cracker v2.exe netflix proxyless cracker v2.exe kkkk.exe netflix proxyless cracker v2.exe no specs kkkk.exe svchost.exe #NETWIRE svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
2952"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Netflix Proxyless Cracker v2.zip"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
3232"C:\Users\admin\Desktop\Netflix Proxyless Cracker v2.exe" C:\Users\admin\Desktop\Netflix Proxyless Cracker v2.exe
explorer.exe
User:
admin
Company:
System
Integrity Level:
HIGH
Description:
System
Exit code:
0
Version:
11.7.3.1
Modules
Images
c:\users\admin\desktop\netflix proxyless cracker v2.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
1328"C:\Users\admin\Desktop\Netflix Proxyless Cracker v2.exe"C:\Users\admin\Desktop\Netflix Proxyless Cracker v2.exe
Netflix Proxyless Cracker v2.exe
User:
admin
Company:
System
Integrity Level:
HIGH
Description:
System
Exit code:
0
Version:
11.7.3.1
Modules
Images
c:\users\admin\desktop\netflix proxyless cracker v2.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
3588"C:\Users\admin\AppData\Local\Temp\kkkk.exe" 0C:\Users\admin\AppData\Local\Temp\kkkk.exe
Netflix Proxyless Cracker v2.exe
User:
admin
Company:
System
Integrity Level:
HIGH
Description:
System
Exit code:
0
Version:
11.7.3.1
Modules
Images
c:\users\admin\appdata\local\temp\kkkk.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
3756"C:\Users\admin\AppData\Local\Temp\Netflix Proxyless Cracker v2.exe" 0C:\Users\admin\AppData\Local\Temp\Netflix Proxyless Cracker v2.exeNetflix Proxyless Cracker v2.exe
User:
admin
Company:
Microsoft
Integrity Level:
HIGH
Description:
Netflix Proxyless Cracker v2
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\netflix proxyless cracker v2.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
3248"C:\Users\admin\AppData\Local\Temp\kkkk.exe"C:\Users\admin\AppData\Local\Temp\kkkk.exe
kkkk.exe
User:
admin
Company:
System
Integrity Level:
HIGH
Description:
System
Exit code:
0
Version:
11.7.3.1
Modules
Images
c:\users\admin\appdata\local\temp\kkkk.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
2416"C:\Users\admin\AppData\Roaming\Microsoft\Network\svchost.exe"C:\Users\admin\AppData\Roaming\Microsoft\Network\svchost.exe
kkkk.exe
User:
admin
Company:
System
Integrity Level:
HIGH
Description:
System
Exit code:
0
Version:
11.7.3.1
Modules
Images
c:\users\admin\appdata\roaming\microsoft\network\svchost.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
2412"C:\Users\admin\AppData\Roaming\Microsoft\Network\svchost.exe"C:\Users\admin\AppData\Roaming\Microsoft\Network\svchost.exe
svchost.exe
User:
admin
Company:
System
Integrity Level:
HIGH
Description:
System
Version:
11.7.3.1
Modules
Images
c:\users\admin\appdata\roaming\microsoft\network\svchost.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
Total events
773
Read events
747
Write events
26
Delete events
0

Modification events

(PID) Process:(2952) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(2952) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(2952) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(2952) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\Netflix Proxyless Cracker v2.zip
(PID) Process:(2952) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(2952) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(2952) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(2952) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(2952) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin
Operation:writeName:Placement
Value:
2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000
(PID) Process:(2952) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\General
Operation:writeName:LastFolder
Value:
C:\Users\admin\AppData\Local\Temp
Executable files
3
Suspicious files
1
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
2952WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2952.22826\Netflix Proxyless Cracker v2.exe
MD5:
SHA256:
2412svchost.exeC:\Users\admin\AppData\Roaming\Microsoft\Network\Settings.inibinary
MD5:9DC45CB15A6D139CD3E401D48BA6BD32
SHA256:B5B62FC825E406C24929FE7DE9459A4E459D6A8D9B7F2BE48EFA505B09CF3B51
3248kkkk.exeC:\Users\admin\AppData\Roaming\Microsoft\Network\svchost.exeexecutable
MD5:AC45D433F970D0F2373A9C055E350966
SHA256:027BF5444612AB37390FE1E8A8BA2306AF21E72A0DB76AE5F7C43DA249807FB9
1328Netflix Proxyless Cracker v2.exeC:\Users\admin\AppData\Local\Temp\Netflix Proxyless Cracker v2.exeexecutable
MD5:4CE028EF32E2826256D4A089B23D7605
SHA256:6A02EDA2F1251A2241E3F812F89E76982E4C275F662212A145531F102E9F0756
1328Netflix Proxyless Cracker v2.exeC:\Users\admin\AppData\Local\Temp\kkkk.exeexecutable
MD5:AC45D433F970D0F2373A9C055E350966
SHA256:027BF5444612AB37390FE1E8A8BA2306AF21E72A0DB76AE5F7C43DA249807FB9
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
1
DNS requests
1
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2412
svchost.exe
92.222.72.160:8999
playhardgopro.life
OVH SAS
FR
malicious

DNS requests

Domain
IP
Reputation
playhardgopro.life
  • 92.222.72.160
malicious

Threats

PID
Process
Class
Message
2412
svchost.exe
A Network Trojan was detected
SC SPYWARE Spyware Weecnaw Win32
2412
svchost.exe
A Network Trojan was detected
MALWARE [PTsecurity] Netwire.RAT
2412
svchost.exe
A Network Trojan was detected
ET TROJAN Possible Netwire RAT Client HeartBeat C2
2412
svchost.exe
A Network Trojan was detected
ET TROJAN Possible Netwire RAT Client HeartBeat C2
2412
svchost.exe
A Network Trojan was detected
ET TROJAN Possible Netwire RAT Client HeartBeat C2
2412
svchost.exe
A Network Trojan was detected
ET TROJAN Possible Netwire RAT Client HeartBeat C2
2412
svchost.exe
A Network Trojan was detected
ET TROJAN Possible Netwire RAT Client HeartBeat C2
2412
svchost.exe
A Network Trojan was detected
ET TROJAN Possible Netwire RAT Client HeartBeat C2
2412
svchost.exe
A Network Trojan was detected
ET TROJAN Possible Netwire RAT Client HeartBeat C2
3 ETPRO signatures available at the full report
Process
Message
Netflix Proxyless Cracker v2.exe
*** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1391
Netflix Proxyless Cracker v2.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\identityauthority.cpp, line 278
Netflix Proxyless Cracker v2.exe
*** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1391
Netflix Proxyless Cracker v2.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\identityauthority.cpp, line 278
Netflix Proxyless Cracker v2.exe
*** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1391
Netflix Proxyless Cracker v2.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\identityauthority.cpp, line 278
Netflix Proxyless Cracker v2.exe
*** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1391
Netflix Proxyless Cracker v2.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\identityauthority.cpp, line 278
kkkk.exe
*** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1391
kkkk.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\identityauthority.cpp, line 278