Property | Value |
---|---|
File name: | Order #165-3520P-WTMM10X.exe |
Full analysis: | https://app.any.run/tasks/bd5d9a7e-2451-4dd0-9568-a3420bf4b672 |
Verdict: | Malicious activity |
Threats: | Netwire is an advanced RAT: malware that takes control of infected PCs and allows its operators to perform various actions. Unlike many RATs, this one can target every major operating system, including Windows, Linux, and MacOS. |
Analysis date: | August 12, 2022, 15:43:11 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows |
MD5: | 2BF6D8556CA6620A7F3802521DA5C138 |
SHA1: | 68AD243311F33ED4CFB4B3D75C9E3F0A271BE58F |
SHA256: | 39B9B9D2C699F8523E55A05BFC74F6F5764FABB0A1418F1CEC4BC78609C1B37B |
SSDEEP: | 6144:8EmD5bAwTJpzJ19H2WGvTfsWtu48QJQ2n1IWWtICBNRSeOs0piS/tw:G5bLJGGAznGWVClSeOTIS/ |
Extension | File type (probability) |
---|---|
.exe | Generic CIL Executable (.NET, Mono, etc.) (63.1) |
.exe | Win64 Executable (generic) (23.8) |
.dll | Win32 Dynamic Link Library (generic) (5.6) |
.exe | Win32 Executable (generic) (3.8) |
.exe | Generic Win/DOS Executable (1.7) |
Property | Value |
---|---|
AssemblyVersion: | 1.0.0.0 |
ProductVersion: | 1.0.0.0 |
ProductName: | Inventory Manage |
OriginalFileName: | Inventory Manage.exe |
LegalTrademarks: | - |
LegalCopyright: | Copyright © 2022 |
InternalName: | Inventory Manage.exe |
FileVersion: | 1.0.0.0 |
FileDescription: | Inventory Manage |
CompanyName: | - |
Comments: | - |
CharacterSet: | Unicode |
LanguageCode: | Neutral |
FileSubtype: | - |
ObjectFileType: | Executable application |
FileOS: | Win32 |
FileFlags: | (none) |
FileFlagsMask: | 0x003f |
ProductVersionNumber: | 1.0.0.0 |
FileVersionNumber: | 1.0.0.0 |
Subsystem: | Windows GUI |
SubsystemVersion: | 6 |
ImageVersion: | - |
OSVersion: | 4 |
EntryPoint: | 0x429ea |
UninitializedDataSize: | - |
InitializedDataSize: | 2048 |
CodeSize: | 264704 |
LinkerVersion: | 48 |
PEType: | PE32 |
TimeStamp: | 2022:08:12 15:26:01+02:00 |
MachineType: | Intel 386 or later, and compatibles |
Property | Value |
---|---|
Architecture: | IMAGE_FILE_MACHINE_I386 |
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 12-Aug-2022 13:26:01 |
Debug artifacts: | |
Comments: | - |
CompanyName: | - |
FileDescription: | Inventory Manage |
FileVersion: | 1.0.0.0 |
InternalName: | Inventory Manage.exe |
LegalCopyright: | Copyright © 2022 |
LegalTrademarks: | - |
OriginalFilename: | Inventory Manage.exe |
ProductName: | Inventory Manage |
ProductVersion: | 1.0.0.0 |
Assembly Version: | 1.0.0.0 |
Property | Value |
---|---|
Magic number: | MZ |
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x00000080 |
Property | Value |
---|---|
Signature: | PE |
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 3 |
Time date stamp: | 12-Aug-2022 13:26:01 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: | |

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
---|---|---|---|---|---|
.text | 0x00002000 | 0x000409F0 | 0x00040A00 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 7.43523 |
.rsrc | 0x00044000 | 0x000005EC | 0x00000600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.16741 |
.reloc | 0x00046000 | 0x0000000C | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 0.10191 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 5.00112 | 490 | UNKNOWN | UNKNOWN | RT_MANIFEST |
Imports: | mscoree.dll |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
1208 | "C:\Users\admin\AppData\Local\Temp\Order #165-3520P-WTMM10X.exe" | C:\Users\admin\AppData\Local\Temp\Order #165-3520P-WTMM10X.exe | | Explorer.EXE |
2924 | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | | Order #165-3520P-WTMM10X.exe |

PID 1208: User: admin; Integrity Level: MEDIUM; Description: Inventory Manage; Exit code: 0; Version: 1.0.0.0

PID 2924: User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft .NET Assembly Registration Utility; Version: 4.0.30319.34209 built by: FX452RTMGDR

NetWire configuration extracted from PID 2924 (RegAsm.exe)

Strings (91):
GetProcessImageFileNameA
Local Disk
WinHttpOpen
WinHttpGetProxyForUrl
WinHttpGetIEProxyConfigForCurrentUser
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
SOFTWARE\Microsoft\Active Setup\Installed Components
SOFTWARE\Microsoft\Active Setup\Installed Components\%s
StubPath
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
[Ctrl+%c]
GetRawInputData
Secur32.dll
LsaGetLogonSessionData
LsaFreeReturnBuffer
SOFTWARE\Mozilla\%s\
CurrentVersion
SOFTWARE\Mozilla\%s\%s\Main
Install Directory
mozutils.dll
mozsqlite3.dll
%s\logins.json
PK11_GetInternalKeySlot
PK11_Authenticate
PL_Base64Decode
SECITEM_ZfreeItem
PK11SDR_Decrypt
PK11_FreeSlot
NSS_Shutdown
sqlite3_open
sqlite3_close
sqlite3_prepare_v2
sqlite3_step
sqlite3_column_text
select * from moz_logins
hostname
<name>
<password>
Email
POP3 User
POP3 Server
POP3 Password
IMAP User
HTTP User
HTTP Server
HTTP Password
Email
IMAP Server
IMAP Password
POP3 User
POP3 Server
POP3 Password
SMTP User
EAS User
EAS Server URL
EAS Password
IMAP User
HTTP User
HTTP Server
HTTP Password
IMAP Server
IMAP Password
SMTP Server
SMTP Password
SMTP User
SMTP Server
SMTP Password
EAS User
EAS Server URL
EAS Password
index.dat
VaultOpenVault
VaultEnumerateItems
VaultGetItem
GetModuleFileNameExA
GetModuleFileNameExA
GetNativeSystemInfo
GlobalMemoryStatusEx
HARDWARE\DESCRIPTION\System\CentralProcessor\0
Closed
Listening...
SYN Sent
SYN Received
Established
Fin Wait (1)
Fin Wait (2)
Close Wait
Closing...
Last ACK
Time Wait
Delete TCB

Keys | |
---|---|
RC4_key | c1353f103fb36065f43fb8d9544bdcfa |

Options | |
---|---|
Keylogger_directory | C:\Users\admin\AppData\Roaming\Logs\ |
Sleep(s) | 75 |
Offline_keylogger | true |
Use_a_mutex | true |
Registry_autorun | false |
Lock_executable | false |
Delete_original | false |
Copy_executable | false |
Proxy | Direct_connection |
ActiveX | false |
Startup_name | |
Install_path | - |
Mutex | qpSPEKLi |

Credentials | |
---|---|
Password | 1234 |
Host | HostId-mYucwu |

C2 (6) |
---|
febnew.ddns.net:6655 |
febnew2.ddns.net:6655 |
febnew1.ddns.net:6655 |
febnew4.ddns.net:6655 |
febnew5.ddns.net:6655 |
febnew6.ddns.net:6655 |
PID | Process | Key | Name | Operation | Value |
---|---|---|---|---|---|
1208 | Order #165-3520P-WTMM10X.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Order #165-3520P-WTMM10X_RASAPI32 | EnableFileTracing | write | 0 |
1208 | Order #165-3520P-WTMM10X.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Order #165-3520P-WTMM10X_RASAPI32 | EnableConsoleTracing | write | 0 |
1208 | Order #165-3520P-WTMM10X.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Order #165-3520P-WTMM10X_RASAPI32 | FileTracingMask | write | |
1208 | Order #165-3520P-WTMM10X.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Order #165-3520P-WTMM10X_RASAPI32 | ConsoleTracingMask | write | |
1208 | Order #165-3520P-WTMM10X.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Order #165-3520P-WTMM10X_RASAPI32 | MaxFileSize | write | 1048576 |
1208 | Order #165-3520P-WTMM10X.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Order #165-3520P-WTMM10X_RASAPI32 | FileDirectory | write | %windir%\tracing |
1208 | Order #165-3520P-WTMM10X.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Order #165-3520P-WTMM10X_RASMANCS | EnableFileTracing | write | 0 |
1208 | Order #165-3520P-WTMM10X.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Order #165-3520P-WTMM10X_RASMANCS | EnableConsoleTracing | write | 0 |
1208 | Order #165-3520P-WTMM10X.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Order #165-3520P-WTMM10X_RASMANCS | FileTracingMask | write | |
1208 | Order #165-3520P-WTMM10X.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Order #165-3520P-WTMM10X_RASMANCS | ConsoleTracingMask | write | |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
1208 | Order #165-3520P-WTMM10X.exe | C:\Users\admin\AppData\Local\Temp\Cab97BD.tmp | compressed | 589C442FC7A0C70DCA927115A700D41E | 2E5CB72E9EB43BAAFB6C6BFCC573AAC92F49A8064C483F9D378A9E8E781A526A |
1208 | Order #165-3520P-WTMM10X.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 | compressed | 589C442FC7A0C70DCA927115A700D41E | 2E5CB72E9EB43BAAFB6C6BFCC573AAC92F49A8064C483F9D378A9E8E781A526A |
1208 | Order #165-3520P-WTMM10X.exe | C:\Users\admin\AppData\Local\Temp\Tar97BE.tmp | cat | 7EE994C83F2744D702CBA18693ED1758 | 5DB917AB6DC8A42A43617850DFBE2C7F26A7F810B229B349E9DD2A2D615671D2 |
1208 | Order #165-3520P-WTMM10X.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | binary | 1C9539E1C70961ECD092362C98598667 | 8FFD1E2A0264431192EF4B7816750198BABD52E66BAEFE481F74F85B7B813290 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1208 | Order #165-3520P-WTMM10X.exe | GET | 200 | 67.27.158.126:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?8bd4afa9cced45b7 | US | compressed | 60.2 Kb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1208 | Order #165-3520P-WTMM10X.exe | 103.214.7.139:443 | stickerpix.co.uk | HostSlim BV | NL | unknown |
2924 | RegAsm.exe | 154.53.32.96:6655 | febnew.ddns.net | Cogent Communications | US | malicious |
1208 | Order #165-3520P-WTMM10X.exe | 67.27.158.126:80 | ctldl.windowsupdate.com | Level 3 Communications, Inc. | US | malicious |
Domain | IP | Reputation |
---|---|---|
stickerpix.co.uk | | unknown |
ctldl.windowsupdate.com | | whitelisted |
febnew.ddns.net | | malicious |
PID | Process | Class | Message |
---|---|---|---|
— | — | Potentially Bad Traffic | ET POLICY DNS Query to DynDNS Domain *.ddns .net |