Field | Value
---|---
File name | NordVP_Proxyless.zip
Full analysis | https://app.any.run/tasks/83b14265-39e8-4124-ad0b-68233bd1a954
Verdict | Malicious activity
Threats | Netwire is an advanced RAT — malware that takes control of infected PCs and allows its operators to perform various actions. Unlike many RATs, this one can target every major operating system, including Windows, Linux, and MacOS.
Analysis date | December 14, 2018, 09:49:37
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags | —
Indicators | —
MIME | application/zip
File info | Zip archive data, at least v1.0 to extract
MD5 | C2B185B948EF2E26DA41D7235C0D0B6A
SHA1 | 99E6EBFAF57A2EEE5F5C53F160A2081664B9D870
SHA256 | 2DB778274791E2131349FDEE50324A2F4DB112222CC778A6809A5BD47B7C314E
SSDEEP | 196608:5mCzo6Wq1+TzusHxUT/j8nnlrOxSybq8O0aSuLgQkda:9zjDgPHuoJO4ybaNLkM
Extension | Description
---|---
.zip | ZIP compressed archive (100)

Field | Value
---|---
ZipFileName | NordVP_Proxyless/
ZipUncompressedSize | -
ZipCompressedSize | -
ZipCRC | 0x00000000
ZipModifyDate | 2018:12:14 07:09:12
ZipCompression | None
ZipBitFlag | -
ZipRequiredVersion | 10
PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---
3780 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\NordVP_Proxyless.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Version: 5.60.0
3664 | "C:\Users\admin\Desktop\NordVP_Proxyless\NordVPN.exe" | C:\Users\admin\Desktop\NordVP_Proxyless\NordVPN.exe | | explorer.exe | User: admin; Company: NordVPN; Integrity Level: HIGH; Description: NordVPN Checker; Exit code: 0; Version: 3.8.11.2
2288 | "C:\Users\admin\Desktop\NordVP_Proxyless\NordVPN.exe" | C:\Users\admin\Desktop\NordVP_Proxyless\NordVPN.exe | | NordVPN.exe | User: admin; Company: NordVPN; Integrity Level: HIGH; Description: NordVPN Checker; Exit code: 1; Version: 3.8.11.2
3564 | "C:\Users\admin\AppData\Local\Temp\2.EXE" | C:\Users\admin\AppData\Local\Temp\2.EXE | | NordVPN.exe | User: admin; Company: New Program Inc.; Integrity Level: HIGH; Description: New Program; Exit code: 0; Version: 19.9.15.4
2300 | "C:\Users\admin\AppData\Local\Temp\NORDVPN.EXE" | C:\Users\admin\AppData\Local\Temp\NORDVPN.EXE | — | NordVPN.exe | User: admin; Company: Nordvpn.com[BruteChecker]; Integrity Level: HIGH; Version: 1.0.0.0
1360 | "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" | C:\Windows\System32\SearchProtocolHost.exe | — | SearchIndexer.exe | User: SYSTEM; Company: Microsoft Corporation; Integrity Level: SYSTEM; Description: Microsoft Windows Search Protocol Host; Exit code: 0; Version: 7.00.7600.16385 (win7_rtm.090713-1255)
2708 | "C:\Windows\System32\cmd.exe" /c copy "C:\Users\admin\AppData\Local\Temp\2.EXE" "C:\Users\admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\svchost.exe" | C:\Windows\System32\cmd.exe | | 2.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
3772 | "C:\Windows\System32\cmd.exe" /c, "C:\Users\admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\svchost.exe" | C:\Windows\System32\cmd.exe | — | 2.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
2532 | "C:\Users\admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\svchost.exe" | C:\Users\admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\svchost.exe | | cmd.exe | User: admin; Company: New Program Inc.; Integrity Level: HIGH; Description: New Program; Exit code: 0; Version: 19.9.15.4
3192 | "C:\Users\admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\svchost.exe" | C:\Users\admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\svchost.exe | | svchost.exe | User: admin; Company: New Program Inc.; Integrity Level: HIGH; Description: New Program; Version: 19.9.15.4
PID | Process | Key | Operation | Name | Value
---|---|---|---|---|---
3780 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | write | ShellExtBMP | —
3780 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | write | ShellExtIcon | —
3780 | WinRAR.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | write | LanguageList | en-US
3780 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 0 | C:\Users\admin\AppData\Local\Temp\NordVP_Proxyless.zip
3780 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | name | 120
3780 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | size | 80
3780 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | type | 120
3780 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | mtime | 100
3664 | NordVPN.exe | HKEY_CURRENT_USER | write | — | -boot
2288 | NordVPN.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | UNCAsIntranet | 0
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
3780 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3780.1406\NordVP_Proxyless\libeay32.dll | — | — | —
3780 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3780.1406\NordVP_Proxyless\msvcr71.dll | — | — | —
3780 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3780.1406\NordVP_Proxyless\NordVPN.exe | — | — | —
3780 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3780.1406\NordVP_Proxyless\ssleay32.dll | — | — | —
2288 | NordVPN.exe | C:\Users\admin\AppData\Local\Temp\2.EXE | executable | F4FB1D0A995A70DDEF8E4D47E27DA61A | 267A6445907D8B60660456AEAFAF40473488FD514016A457A8D2D88626D2CEF5
2708 | cmd.exe | C:\Users\admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\svchost.exe | executable | F4FB1D0A995A70DDEF8E4D47E27DA61A | 267A6445907D8B60660456AEAFAF40473488FD514016A457A8D2D88626D2CEF5
3192 | svchost.exe | C:\Users\admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\Settings.ini | binary | BEF935F7A3474494BB4346B0AF4234A7 | DB4E352E3274B0AF66C1772F66C9080CF977A291F76D1EAD13D138312DF8D878
2288 | NordVPN.exe | C:\Users\admin\AppData\Local\Temp\NORDVPN.EXE | executable | 134968E41FA82905904764C443337EF1 | 75F4E6828F48099D14E365186BAFA5C2D48F354D277FD1220FA6F13840689854
2288 | NordVPN.exe | C:\Users\admin\AppData\Local\Temp\LIBEAY32.DLL | executable | DA5DB316BE8E2C1216A3D03890947F02 | 5747A0D87C2B7B0D08987D2DEAA20364A3119DFECB6458F9DEBBFED23CB7A4C6
2288 | NordVPN.exe | C:\Users\admin\AppData\Local\Temp\SSLEAY32.DLL | executable | 235B83518B2DACF3D8210B35ED4A3914 | 79C407E011476B00FB2CB6633F56445E21CF95A69DFA76EDE5B929D235550593
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3192 | svchost.exe | 92.222.72.160:8999 | playhardgopro.life | OVH SAS | FR | malicious |
Domain | IP | Reputation
---|---|---
playhardgopro.life | — | malicious
PID | Process | Class | Message |
---|---|---|---|
3192 | svchost.exe | A Network Trojan was detected | SC SPYWARE Spyware Weecnaw Win32 |
3192 | svchost.exe | A Network Trojan was detected | MALWARE [PTsecurity] Netwire.RAT |
3192 | svchost.exe | A Network Trojan was detected | ET TROJAN Possible Netwire RAT Client HeartBeat C2 |
3192 | svchost.exe | A Network Trojan was detected | ET TROJAN Possible Netwire RAT Client HeartBeat C2 |
3192 | svchost.exe | A Network Trojan was detected | ET TROJAN Possible Netwire RAT Client HeartBeat C2 |
3192 | svchost.exe | A Network Trojan was detected | ET TROJAN Possible Netwire RAT Client HeartBeat C2 |
3192 | svchost.exe | A Network Trojan was detected | MALWARE [PTsecurity] Netwire RAT connection m3 |
3192 | svchost.exe | A Network Trojan was detected | SC SPYWARE Spyware Weecnaw Win32 |
3192 | svchost.exe | A Network Trojan was detected | MALWARE [PTsecurity] Netwire.RAT |
3192 | svchost.exe | A Network Trojan was detected | ET TROJAN Possible Netwire RAT Client HeartBeat C2 |
Process | Message
---|---
NordVPN.exe | *** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1391
NordVPN.exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\identityauthority.cpp, line 278
NordVPN.exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\identityauthority.cpp, line 278
NordVPN.exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\identityauthority.cpp, line 278
NordVPN.exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\identityauthority.cpp, line 278
NordVPN.exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\identityauthority.cpp, line 278
NordVPN.exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\identityauthority.cpp, line 278
NordVPN.exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\identityauthority.cpp, line 278
NordVPN.exe | C:\Users\admin\AppData\Local\Temp\2.EXE
NordVPN.exe | C:\Users\admin\AppData\Local\Temp\LIBEAY32.DLL