download: | file |
Full analysis: | https://app.any.run/tasks/f4bdaeb5-4861-4052-83f8-3ff46e789ae7 |
Verdict: | Malicious activity |
Threats: | Netwire is an advanced RAT — it is a malware that takes control of infected PCs and allows its operators to perform various actions. Unlike many RATs, this one can target every major operating system, including Windows, Linux, and MacOS. |
Analysis date: | January 17, 2020, 14:01:54 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-7z-compressed |
File info: | 7-zip archive data, version 0.4 |
MD5: | E68931F001189FB89068AC93A38417A4 |
SHA1: | DFD2182664C69B67431AD124F041176C2B87842F |
SHA256: | 2F3281B49574916124D8EF46A7FF9726D8213B2DB2E2A740B0471FCFA9D266BD |
SSDEEP: | 384:2eG2ifLZDmdS+rTD4bYZG75hPKUMQSm7pYqLFsDZYRXR8qNpkR/cJuiaDrXBdjI8:2e09mQ+rX4JDbvSQp/hs6R2my8uicrXN |
.7z | | | 7-Zip compressed archive (v0.4) (57.1) |
---|---|---|
.7z | | | 7-Zip compressed archive (gen) (42.8) |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2548 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\file.7z" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
1044 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa2548.23751\NEW GOODS $58897 (1).exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa2548.23751\NEW GOODS $58897 (1).exe | — | WinRAR.exe |
User: admin Company: Flagda Integrity Level: MEDIUM Exit code: 0 Version: 1.00 | ||||
3356 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa2548.23751\NEW GOODS $58897 (1).exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa2548.23751\NEW GOODS $58897 (1).exe | NEW GOODS $58897 (1).exe | |
User: admin Company: Flagda Integrity Level: MEDIUM Exit code: 0 Version: 1.00 | ||||
1744 | "C:\Users\admin\AppData\Roaming\Install\Host.exe" | C:\Users\admin\AppData\Roaming\Install\Host.exe | — | NEW GOODS $58897 (1).exe |
User: admin Company: Flagda Integrity Level: MEDIUM Exit code: 0 Version: 1.00 | ||||
2720 | "C:\Users\admin\AppData\Roaming\Install\Host.exe" | C:\Users\admin\AppData\Roaming\Install\Host.exe | Host.exe | |
User: admin Company: Flagda Integrity Level: MEDIUM Version: 1.00 | ||||
2372 | "C:\Windows\system32\cmd.exe" | C:\Windows\system32\cmd.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
392 | netstat | C:\Windows\system32\NETSTAT.EXE | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: TCP/IP Netstat Command Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
3356 | NEW GOODS $58897 (1).exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@google[1].txt | text | |
MD5:FDC3AA3613463E34136347AFA5EA0135 | SHA256:BE07A336C5AB69DB8B840BF96256B8B2BBBE257A6389AC2DDC9C94C836990AB0 | |||
3356 | NEW GOODS $58897 (1).exe | C:\Users\admin\AppData\Roaming\Install\Host.exe | executable | |
MD5:1045DB31172447BF2FB59F42E27F59CA | SHA256:9427F46C3FB4FEEFF13BA6619D5DE54854DAEE80AE2033AAA022EDB119E7433F | |||
2720 | Host.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\fuck_encrypted_9FA9C6F[1].bin | binary | |
MD5:763F5EFC4E57C1767134F840EF29D638 | SHA256:2955E26E99E5A82C488D0D5AB1B272802F3ACEACF1D839888C46429D17A852C2 | |||
2548 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2548.23751\NEW GOODS $58897 (1).exe | executable | |
MD5:1045DB31172447BF2FB59F42E27F59CA | SHA256:9427F46C3FB4FEEFF13BA6619D5DE54854DAEE80AE2033AAA022EDB119E7433F | |||
3356 | NEW GOODS $58897 (1).exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\fuck_encrypted_9FA9C6F[1].bin | binary | |
MD5:763F5EFC4E57C1767134F840EF29D638 | SHA256:2955E26E99E5A82C488D0D5AB1B272802F3ACEACF1D839888C46429D17A852C2 | |||
1044 | NEW GOODS $58897 (1).exe | C:\Users\admin\AppData\Local\Temp\~DF7A8523D742A873F5.TMP | binary | |
MD5:3587D3BB73839133D0B4F94CE6426ADD | SHA256:9BADD3BB59B094CFBA9EB21055D1494BF4056B081212CA7596E965B9A43ACD50 | |||
1744 | Host.exe | C:\Users\admin\AppData\Local\Temp\~DF8CF9AEF5AC6EBDAD.TMP | binary | |
MD5:3587D3BB73839133D0B4F94CE6426ADD | SHA256:9BADD3BB59B094CFBA9EB21055D1494BF4056B081212CA7596E965B9A43ACD50 |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2720 | Host.exe | 216.58.206.14:443 | drive.google.com | Google Inc. | US | whitelisted |
3356 | NEW GOODS $58897 (1).exe | 216.58.206.14:443 | drive.google.com | Google Inc. | US | whitelisted |
3356 | NEW GOODS $58897 (1).exe | 172.217.18.97:443 | doc-0k-a0-docs.googleusercontent.com | Google Inc. | US | whitelisted |
2720 | Host.exe | 172.217.18.97:443 | doc-0k-a0-docs.googleusercontent.com | Google Inc. | US | whitelisted |
2720 | Host.exe | 185.244.30.244:32141 | siri1234.duckdns.org | — | — | malicious |
Domain | IP | Reputation |
---|---|---|
drive.google.com |
| shared |
doc-0k-a0-docs.googleusercontent.com |
| shared |
siri1234.duckdns.org |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
— | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |