Field | Value |
---|---|
File name: | 1796a3be7af222b0e1ee5a5a7c08673f.exe |
Full analysis: | https://app.any.run/tasks/a6657e69-9a60-4b46-94ab-a10c8ca35116 |
Verdict: | Malicious activity |
Threats: | Netwire is an advanced RAT — malware that takes control of infected PCs and allows its operators to perform various actions. Unlike many RATs, this one can target every major operating system, including Windows, Linux, and macOS. |
Analysis date: | August 12, 2022, 15:52:11 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows |
MD5: | 1796A3BE7AF222B0E1EE5A5A7C08673F |
SHA1: | ACE2A70A033797BE2F81C275E1918F1A84D90B36 |
SHA256: | 2ABCDB606044F4DB592BAA3F9C808BF4FCAB2146C49D83BA45A4CCBB20BC8354 |
SSDEEP: | 12288:Zl4nzEl90vpc++I2iNKArx4F8D+gmOTpw9RxOa86NvL6KDk0/0:SzEl9ypSI1gArOF8DuOTpiy6BL6Kc |

Extension | File type (score) |
---|---|
.exe | Generic CIL Executable (.NET, Mono, etc.) (56.7) |
.exe | Win64 Executable (generic) (21.3) |
.scr | Windows screen saver (10.1) |
.dll | Win32 Dynamic Link Library (generic) (5) |
.exe | Win32 Executable (generic) (3.4) |

Field | Value |
---|---|
AssemblyVersion: | 1.0.0.0 |
ProductVersion: | 1.0.0.0 |
ProductName: | Breakout Master |
OriginalFileName: | SafeHandleZeroOrMinusOneIsInva.exe |
LegalTrademarks: | - |
LegalCopyright: | Copyright © 2021 |
InternalName: | SafeHandleZeroOrMinusOneIsInva.exe |
FileVersion: | 1.0.0.0 |
FileDescription: | Breakout Master |
CompanyName: | Microsoft |
Comments: | - |
CharacterSet: | Unicode |
LanguageCode: | Neutral |
FileSubtype: | - |
ObjectFileType: | Executable application |
FileOS: | Win32 |
FileFlags: | (none) |
FileFlagsMask: | 0x003f |
ProductVersionNumber: | 1.0.0.0 |
FileVersionNumber: | 1.0.0.0 |
Subsystem: | Windows GUI |
SubsystemVersion: | 4 |
ImageVersion: | - |
OSVersion: | 4 |
EntryPoint: | 0xa8912 |
UninitializedDataSize: | - |
InitializedDataSize: | 1536 |
CodeSize: | 682496 |
LinkerVersion: | 48 |
PEType: | PE32 |
TimeStamp: | 2067:02:19 17:43:43+01:00 |
MachineType: | Intel 386 or later, and compatibles |

Field | Value |
---|---|
Architecture: | IMAGE_FILE_MACHINE_I386 |
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 14-Jan-1931 10:15:27 |
Comments: | - |
CompanyName: | Microsoft |
FileDescription: | Breakout Master |
FileVersion: | 1.0.0.0 |
InternalName: | SafeHandleZeroOrMinusOneIsInva.exe |
LegalCopyright: | Copyright © 2021 |
LegalTrademarks: | - |
OriginalFilename: | SafeHandleZeroOrMinusOneIsInva.exe |
ProductName: | Breakout Master |
ProductVersion: | 1.0.0.0 |
Assembly Version: | 1.0.0.0 |

Field | Value |
---|---|
Magic number: | MZ |
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x00000080 |

Field | Value |
---|---|
Signature: | PE |
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 3 |
Time date stamp: | 14-Jan-1931 10:15:27 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: | |

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
---|---|---|---|---|---|
.text | 0x00002000 | 0x000A6938 | 0x000A6A00 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 7.77194 |
.rsrc | 0x000AA000 | 0x000003F8 | 0x00000400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 3.18974 |
.reloc | 0x000AC000 | 0x0000000C | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 0.10191 |

Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 3.32433 | 924 | UNKNOWN | UNKNOWN | RT_VERSION |

Imports: | mscoree.dll |

PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3992 | "C:\Users\admin\AppData\Local\Temp\1796a3be7af222b0e1ee5a5a7c08673f.exe" | C:\Users\admin\AppData\Local\Temp\1796a3be7af222b0e1ee5a5a7c08673f.exe | | Explorer.EXE |
User: admin Company: Microsoft Integrity Level: MEDIUM Description: Breakout Master Exit code: 0 Version: 1.0.0.0 | ||||
2392 | "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ILVIcJVytdD" /XML "C:\Users\admin\AppData\Local\Temp\tmpD321.tmp" | C:\Windows\System32\schtasks.exe | — | 1796a3be7af222b0e1ee5a5a7c08673f.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Manages scheduled tasks Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
760 | "C:\Users\admin\AppData\Local\Temp\1796a3be7af222b0e1ee5a5a7c08673f.exe" | C:\Users\admin\AppData\Local\Temp\1796a3be7af222b0e1ee5a5a7c08673f.exe | — | 1796a3be7af222b0e1ee5a5a7c08673f.exe |
User: admin Company: Microsoft Integrity Level: MEDIUM Description: Breakout Master Exit code: 4294967295 Version: 1.0.0.0 | ||||
3784 | "C:\Users\admin\AppData\Local\Temp\1796a3be7af222b0e1ee5a5a7c08673f.exe" | C:\Users\admin\AppData\Local\Temp\1796a3be7af222b0e1ee5a5a7c08673f.exe | | 1796a3be7af222b0e1ee5a5a7c08673f.exe |
User: admin Company: Microsoft Integrity Level: MEDIUM Description: Breakout Master Version: 1.0.0.0 | ||||

Field | Value |
---|---|
NetWire (PID) Process: | (3784) 1796a3be7af222b0e1ee5a5a7c08673f.exe |
Strings (90): | GetProcessImageFileNameA, Local Disk, WinHttpOpen, WinHttpGetProxyForUrl, WinHttpGetIEProxyConfigForCurrentUser, SOFTWARE\Microsoft\Windows\CurrentVersion\Run\, SOFTWARE\Microsoft\Active Setup\Installed Components, SOFTWARE\Microsoft\Windows\CurrentVersion\Run\, SOFTWARE\Microsoft\Active Setup\Installed Components\%s, StubPath, [Esc], [Ctrl+%c], RegisterRawInputDevices, GetRawInputData, Secur32.dll, LsaGetLogonSessionData, LsaEnumerateLogonSessions, SOFTWARE\Mozilla\%s\, CurrentVersion, SOFTWARE\Mozilla\%s\%s\Main, Install Directory, mozutils.dll, mozsqlite3.dll, %s\logins.json, PK11_GetInternalKeySlot, PK11_Authenticate, PL_Base64Decode, SECITEM_ZfreeItem, PK11SDR_Decrypt, PK11_FreeSlot, NSS_Shutdown, sqlite3_open, sqlite3_close, sqlite3_prepare_v2, sqlite3_step, sqlite3_column_text, select * from moz_logins, hostname, <name>, <password>, POP3 Server, POP3 Password, IMAP User, IMAP Server, IMAP Password, HTTP User, HTTP Server, HTTP Password, SMTP User, SMTP Server, SMTP Password, EAS User, EAS Server URL, EAS Password, POP3 Server, POP3 Password, IMAP User, IMAP Server, IMAP Password, HTTP User, HTTP Server, HTTP Password, SMTP User, SMTP Server, SMTP Password, EAS User, EAS Server URL, EAS Password, index.dat, vaultcli.dll, VaultOpenVault, VaultCloseVault, VaultGetItem, GetModuleFileNameExA, GetModuleFileNameExA, GetNativeSystemInfo, GlobalMemoryStatusEx, HARDWARE\DESCRIPTION\System\CentralProcessor\0, Closed, Listening..., SYN Sent, SYN Received, Established, Fin Wait (1), Fin Wait (2), Close Wait, Closing..., Last ACK, Time Wait, Delete TCB |
Keys: RC4_key | 0214a4f84afe524ecb6b757e6da96d34 |
Options: Keylogger_directory | C:\Users\admin\AppData\Roaming\Logs\ |
Options: Sleep(s) | 75 |
Options: Offline_keylogger | true |
Options: Use_a_mutex | false |
Options: Registry_autorun | false |
Options: Lock_executable | false |
Options: Delete_original | false |
Options: Copy_executable | false |
Options: Proxy | Direct_connection |
Options: ActiveX | false |
Options: Startup_name | - |
Options: Install_path | - |
Options: Mutex | - |
Credentials: Password | Password@2 |
Credentials: Host | HostId-uIU8w2 |
C2 (1) | 212.193.30.230:3363 |

(PID) Process | Key | Operation | Name | Value |
---|---|---|---|---|
(3992) 1796a3be7af222b0e1ee5a5a7c08673f.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | ProxyBypass | 1 |
(3992) 1796a3be7af222b0e1ee5a5a7c08673f.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | IntranetName | 1 |
(3992) 1796a3be7af222b0e1ee5a5a7c08673f.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | UNCAsIntranet | 1 |
(3992) 1796a3be7af222b0e1ee5a5a7c08673f.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | AutoDetect | 0 |
(3784) 1796a3be7af222b0e1ee5a5a7c08673f.exe | HKEY_CURRENT_USER\Software\NetWire | write | HostId | HostId-uIU8w2 |
(3784) 1796a3be7af222b0e1ee5a5a7c08673f.exe | HKEY_CURRENT_USER\Software\NetWire | write | Install Date | 2022-08-12 15:53:17 |

PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
3992 | 1796a3be7af222b0e1ee5a5a7c08673f.exe | C:\Users\admin\AppData\Local\Temp\tmpD321.tmp | xml | D9BD69F57B141D668450F429EBACED7D | 9966A6ECE0920CE4335F659126F312B3B187916D3A1178DAACAB4092DC79F52C |
3992 | 1796a3be7af222b0e1ee5a5a7c08673f.exe | C:\Users\admin\AppData\Roaming\ILVIcJVytdD.exe | executable | 1796A3BE7AF222B0E1EE5A5A7C08673F | 2ABCDB606044F4DB592BAA3F9C808BF4FCAB2146C49D83BA45A4CCBB20BC8354 |

PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3784 | 1796a3be7af222b0e1ee5a5a7c08673f.exe | 212.193.30.230:3363 | — | — | RU | malicious |