analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
download:

file

Full analysis: https://app.any.run/tasks/f4bdaeb5-4861-4052-83f8-3ff46e789ae7
Verdict: Malicious activity
Threats:

Netwire is an advanced RAT — it is a malware that takes control of infected PCs and allows its operators to perform various actions. Unlike many RATs, this one can target every major operating system, including Windows, Linux, and MacOS.

Malware Trends Tracker     >>>
Analysis date: January 17, 2020, 14:01:54
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
netwire
Indicators:
MIME: application/x-7z-compressed
File info: 7-zip archive data, version 0.4
MD5:

E68931F001189FB89068AC93A38417A4

SHA1:

DFD2182664C69B67431AD124F041176C2B87842F

SHA256:

2F3281B49574916124D8EF46A7FF9726D8213B2DB2E2A740B0471FCFA9D266BD

SSDEEP:

384:2eG2ifLZDmdS+rTD4bYZG75hPKUMQSm7pYqLFsDZYRXR8qNpkR/cJuiaDrXBdjI8:2e09mQ+rX4JDbvSQp/hs6R2my8uicrXN

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • NEW GOODS $58897 (1).exe (PID: 3356)
      • NEW GOODS $58897 (1).exe (PID: 1044)
      • Host.exe (PID: 1744)
      • Host.exe (PID: 2720)

    • Changes the autorun value in the registry

      • Host.exe (PID: 2720)

    • NETWIRE was detected

      • Host.exe (PID: 2720)

  • SUSPICIOUS

    • Creates files in the user directory

      • NEW GOODS $58897 (1).exe (PID: 3356)
      • Host.exe (PID: 2720)

    • Application launched itself

      • NEW GOODS $58897 (1).exe (PID: 1044)
      • Host.exe (PID: 1744)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2548)
      • NEW GOODS $58897 (1).exe (PID: 3356)

    • Starts itself from another location

      • NEW GOODS $58897 (1).exe (PID: 3356)

    • Connects to unusual port

      • Host.exe (PID: 2720)

    • Uses NETSTAT.EXE to discover network connections

      • cmd.exe (PID: 2372)

  • INFO

    • Manual execution by user

      • cmd.exe (PID: 2372)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.7z | 7-Zip compressed archive (v0.4) (57.1)
.7z | 7-Zip compressed archive (gen) (42.8)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
41
Monitored processes
7
Malicious processes
5
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start start drop and start winrar.exe new goods $58897 (1).exe no specs new goods $58897 (1).exe host.exe no specs #NETWIRE host.exe cmd.exe no specs netstat.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2548"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\file.7z"C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
1044"C:\Users\admin\AppData\Local\Temp\Rar$EXa2548.23751\NEW GOODS $58897 (1).exe" C:\Users\admin\AppData\Local\Temp\Rar$EXa2548.23751\NEW GOODS $58897 (1).exeWinRAR.exe
User:
admin
Company:
Flagda
Integrity Level:
MEDIUM
Exit code:
0
Version:
1.00
3356"C:\Users\admin\AppData\Local\Temp\Rar$EXa2548.23751\NEW GOODS $58897 (1).exe" C:\Users\admin\AppData\Local\Temp\Rar$EXa2548.23751\NEW GOODS $58897 (1).exe
NEW GOODS $58897 (1).exe
User:
admin
Company:
Flagda
Integrity Level:
MEDIUM
Exit code:
0
Version:
1.00
1744"C:\Users\admin\AppData\Roaming\Install\Host.exe" C:\Users\admin\AppData\Roaming\Install\Host.exeNEW GOODS $58897 (1).exe
User:
admin
Company:
Flagda
Integrity Level:
MEDIUM
Exit code:
0
Version:
1.00
2720"C:\Users\admin\AppData\Roaming\Install\Host.exe" C:\Users\admin\AppData\Roaming\Install\Host.exe
Host.exe
User:
admin
Company:
Flagda
Integrity Level:
MEDIUM
Version:
1.00
2372"C:\Windows\system32\cmd.exe" C:\Windows\system32\cmd.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
392netstatC:\Windows\system32\NETSTAT.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Netstat Command
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
931
Read events
854
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
4
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
3356NEW GOODS $58897 (1).exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@google[1].txttext
MD5:FDC3AA3613463E34136347AFA5EA0135
SHA256:BE07A336C5AB69DB8B840BF96256B8B2BBBE257A6389AC2DDC9C94C836990AB0
3356NEW GOODS $58897 (1).exeC:\Users\admin\AppData\Roaming\Install\Host.exeexecutable
MD5:1045DB31172447BF2FB59F42E27F59CA
SHA256:9427F46C3FB4FEEFF13BA6619D5DE54854DAEE80AE2033AAA022EDB119E7433F
2720Host.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\fuck_encrypted_9FA9C6F[1].binbinary
MD5:763F5EFC4E57C1767134F840EF29D638
SHA256:2955E26E99E5A82C488D0D5AB1B272802F3ACEACF1D839888C46429D17A852C2
2548WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa2548.23751\NEW GOODS $58897 (1).exeexecutable
MD5:1045DB31172447BF2FB59F42E27F59CA
SHA256:9427F46C3FB4FEEFF13BA6619D5DE54854DAEE80AE2033AAA022EDB119E7433F
3356NEW GOODS $58897 (1).exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\fuck_encrypted_9FA9C6F[1].binbinary
MD5:763F5EFC4E57C1767134F840EF29D638
SHA256:2955E26E99E5A82C488D0D5AB1B272802F3ACEACF1D839888C46429D17A852C2
1044NEW GOODS $58897 (1).exeC:\Users\admin\AppData\Local\Temp\~DF7A8523D742A873F5.TMPbinary
MD5:3587D3BB73839133D0B4F94CE6426ADD
SHA256:9BADD3BB59B094CFBA9EB21055D1494BF4056B081212CA7596E965B9A43ACD50
1744Host.exeC:\Users\admin\AppData\Local\Temp\~DF8CF9AEF5AC6EBDAD.TMPbinary
MD5:3587D3BB73839133D0B4F94CE6426ADD
SHA256:9BADD3BB59B094CFBA9EB21055D1494BF4056B081212CA7596E965B9A43ACD50
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
5
DNS requests
3
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2720
Host.exe
216.58.206.14:443
drive.google.com
Google Inc.
US
whitelisted
3356
NEW GOODS $58897 (1).exe
216.58.206.14:443
drive.google.com
Google Inc.
US
whitelisted
3356
NEW GOODS $58897 (1).exe
172.217.18.97:443
doc-0k-a0-docs.googleusercontent.com
Google Inc.
US
whitelisted
2720
Host.exe
172.217.18.97:443
doc-0k-a0-docs.googleusercontent.com
Google Inc.
US
whitelisted
2720
Host.exe
185.244.30.244:32141
siri1234.duckdns.org
malicious

DNS requests

Domain
IP
Reputation
drive.google.com
  • 216.58.206.14
shared
doc-0k-a0-docs.googleusercontent.com
  • 172.217.18.97
shared
siri1234.duckdns.org
  • 185.244.30.244
malicious

Threats

PID
Process
Class
Message
Misc activity
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
file