Field | Value |
---|---|
File name | Tevst.exe |
Full analysis | https://app.any.run/tasks/7c5edb3d-76ff-469c-af3a-329ebe945561 |
Verdict | Malicious activity |
Threats | Netwire is an advanced RAT — it is malware that takes control of infected PCs and allows its operators to perform various actions. Unlike many RATs, this one can target every major operating system, including Windows, Linux, and MacOS. |
Analysis date | December 06, 2022, 00:42:33 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags | |
Indicators | |
MIME | application/x-dosexec |
File info | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5 | 0AFBB8A3C9A3D579C5BF1813FD65626D |
SHA1 | 1DA0CA7125A5DBECE884115FA127F4F052CB473B |
SHA256 | 4576F169EB478B1D96D61A4937376AC745696E0496252DB28C1167DE2E610523 |
SSDEEP | 12288:BCdOy3vVrKxR5CXbNjAOxK/j2n+4YG/6c1mFFja3mXgcjfRlgsUBga/77395YhBm:BCdxte/80jYLT3U1jfsWaz737R/UQ |
Extension | File type |
---|---|
.exe | Win64 Executable (generic) (64.6) |
.dll | Win32 Dynamic Link Library (generic) (15.4) |
.exe | Win32 Executable (generic) (10.5) |
.exe | Generic Win/DOS Executable (4.6) |
.exe | DOS Executable Generic (4.6) |
Field | Value |
---|---|
Architecture | IMAGE_FILE_MACHINE_I386 |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date | 2019-Apr-15 14:57:04 |
Detected languages | |
DOS header field | Value |
---|---|
e_magic | MZ |
e_cblp | 144 |
e_cp | 3 |
e_crlc | - |
e_cparhdr | 4 |
e_minalloc | - |
e_maxalloc | 65535 |
e_ss | - |
e_sp | 184 |
e_csum | - |
e_ip | - |
e_cs | - |
e_ovno | - |
e_oemid | - |
e_oeminfo | - |
e_lfanew | 272 |
PE header field | Value |
---|---|
Signature | PE |
Machine | IMAGE_FILE_MACHINE_I386 |
NumberOfSections | 5 |
TimeDateStamp | 2019-Apr-15 14:57:04 |
PointerToSymbolTable | - |
NumberOfSymbols | - |
SizeOfOptionalHeader | 224 |
Characteristics | |
Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
---|---|---|---|---|---|
.text | 4096 | 580910 | 581120 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.67588 |
.rdata | 585728 | 188686 | 188928 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.76073 |
.data | 778240 | 36724 | 20992 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 1.19881 |
.rsrc | 815104 | 183896 | 184320 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 7.71621 |
.reloc | 999424 | 28976 | 29184 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 6.78238 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 2.77862 | 220 | Latin 1 / Western European | English - United Kingdom | RT_VERSION |
99 | 2.85255 | 118 | Latin 1 / Western European | English - United Kingdom | RT_GROUP_ICON |
169 | 1.84274 | 20 | Latin 1 / Western European | English - United Kingdom | RT_GROUP_ICON |
SCRIPT | 7.99902 | 148717 | Latin 1 / Western European | UNKNOWN | RT_RCDATA |
1 (#2) | 5.40026 | 1007 | Latin 1 / Western European | English - United Kingdom | RT_MANIFEST |
Imported DLL |
---|
ADVAPI32.dll |
COMCTL32.dll |
COMDLG32.dll |
GDI32.dll |
IPHLPAPI.DLL |
KERNEL32.dll |
MPR.dll |
OLEAUT32.dll |
PSAPI.DLL |
SHELL32.dll |
PID | CMD | Path | Indicators | Parent process | Details |
---|---|---|---|---|---|
856 | "C:\Users\admin\AppData\Local\Temp\Tevst.exe" | C:\Users\admin\AppData\Local\Temp\Tevst.exe | — | Explorer.EXE | User: admin; Integrity Level: MEDIUM; Exit code: 0 |
880 | powershell.exe -windowstyle hidden ( Copy-Item -Path "C:\Users\admin\AppData\Local\Temp\Tevst.exe" -Destination "C:\Users\admin\AppData\Roaming\Microsoft\Windows\'Start Menu'\Programs\Startup\Tevst.exe" ) | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | Tevst.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 0; Version: 10.0.14409.1005 (rs1_srvoob.161208-1155) |
3436 | "C:\Windows\system32\wscript.exe" | C:\Windows\system32\wscript.exe | | Tevst.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft ® Windows Based Script Host; Version: 5.8.7600.16385 |
NetWire configuration for process (3436) wscript.exe:

Field | Value |
---|---|
C2 (1) | update92.publicvm.com:2020 |
Host | HostId-%Rand% |
Credentials: Password | 1992 |
Options: Mutex | - |
Options: Install path | - |
Options: Startup name | - |
Options: Proxy | Direct connection |
Options: ActiveX | False |
Options: Copy executable | False |
Options: Delete original | False |
Options: Lock executable | False |
Options: Registry autorun | False |
Options: Use a mutex | False |
Options: Offline keylogger | True |
Options: Sleep | 15 |
Options: Keylogger directory | C:\Users\admin\AppData\Roaming\Logs\ |
Keys: RC4 | adbd1cc26a0a1dc768cb8ec655306d0e |

Strings (222): %s\%s.exe GetExtendedTcpTable GetExtendedUdpTable GetProcessImageFileNameA GetProcessImageFileNameA CONNECT %s:%d HTTP/1.0 Local Disk WinHttpOpen WinHttpGetProxyForUrl WinHttpGetIEProxyConfigForCurrentUser SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ SOFTWARE\Microsoft\Active Setup\Installed Components\%s StubPath SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ SOFTWARE\Microsoft\Active Setup\Installed Components [Backspace] [Enter] [Tab] [Arrow Left] [Arrow Up] [Arrow Right] [Arrow Down] [Home] [Page Up] [Page Down] [End] [Break] [Delete] [Insert] [Print Screen] [Scroll Lock] [Caps Lock] [Esc] [Ctrl+%c] [Ctrl+%c] RegisterRawInputDevices GetRawInputData Secur32.dll LsaGetLogonSessionData LsaFreeReturnBuffer LsaEnumerateLogonSessions SOFTWARE\Mozilla\%s\ CurrentVersion SOFTWARE\Mozilla\%s\%s\Main Install Directory mozutils.dll mozglue.dll mozsqlite3.dll nss3.dll %s\nss3.dll %s\Mozilla\Firefox\profiles.ini %s\Mozilla\Firefox\%s %s\Thunderbird\profiles.ini %s\Thunderbird\%s %s\Mozilla\SeaMonkey\profiles.ini %s\Mozilla\SeaMonkey\%s %s\signons.sqlite %s\logins.json NSS_Init PK11_GetInternalKeySlot PK11_Authenticate PL_Base64Decode SECITEM_ZfreeItem PK11SDR_Decrypt PK11_FreeSlot NSS_Shutdown sqlite3_open sqlite3_close sqlite3_prepare_v2 sqlite3_step sqlite3_column_text select * from moz_logins select * from moz_logins hostname encryptedUsername encryptedPassword hostname %s\Opera\Opera\wand.dat %s\Opera\Opera\profile\wand.dat %s\.purple\accounts.xml <protocol> <name> <password> advapi32.dll CredEnumerateA CredFree WindowsLive:name=* Email POP3 User POP3 Server POP3 Password IMAP User IMAP Server IMAP Password HTTP User HTTP Server HTTP Password SMTP User SMTP Server SMTP Password EAS User EAS Server URL EAS Password Email POP3 User POP3 Server POP3 Password IMAP User IMAP Server IMAP Password HTTP User HTTP Server HTTP Password SMTP User SMTP Server SMTP Password EAS User EAS Server URL EAS Password crypt32.dll CryptUnprotectData advapi32.dll CredEnumerateA CredFree crypt32.dll CryptUnprotectData index.dat vaultcli.dll VaultOpenVault VaultCloseVault VaultEnumerateItems VaultGetItem VaultGetItem VaultFree %s\Google\Chrome\User Data\Default\Login Data %s\Chromium\User Data\Default\Login Data %s\Comodo\Dragon\User Data\Default\Login Data %s\Yandex\YandexBrowser\User Data\Default\Login Data %s\Opera Software\Opera Stable\Login Data GetModuleFileNameExA GetModuleFileNameExA %s\system32\cmd.exe advapi32.dll GetUserNameA USERNAME GetNativeSystemInfo kernel32.dll SYSTEM\CurrentControlSet\Control\ProductOptions ProductType WINNT LANMANNT SERVERNT GlobalMemoryStatusEx HARDWARE\DESCRIPTION\System\CentralProcessor\0 AllocateAndInitializeSid CheckTokenMembership FreeSid Closed Listening... SYN Sent SYN Received Established Fin Wait (1) Fin Wait (2) Close Wait Closing... Last ACK Time Wait Delete TCB mozcrt19.dll sqlite3.dll nspr4.dll plc4.dll plds4.dll nssutil3.dll nss3.dll softokn3.dll nssdbm3.dll msvcr100.dll msvcp100.dll msvcr120.dll msvcp120.dll api-ms-win-core-timezone-l1-1-0.dll api-ms-win-core-file-l1-1-0.dll api-ms-win-core-file-l2-1-0.dll api-ms-win-core-localization-l1-2-0.dll api-ms-win-core-synch-l1-2-0.dll api-ms-win-core-processthreads-l1-1-1.dll api-ms-win-core-file-l1-2-0.dll api-ms-win-crt-runtime-l1-1-0.dll api-ms-win-crt-string-l1-1-0.dll api-ms-win-crt-heap-l1-1-0.dll api-ms-win-crt-stdio-l1-1-0.dll api-ms-win-crt-convert-l1-1-0.dll api-ms-win-crt-locale-l1-1-0.dll api-ms-win-crt-math-l1-1-0.dll api-ms-win-crt-multibyte-l1-1-0.dll api-ms-win-crt-time-l1-1-0.dll api-ms-win-crt-filesystem-l1-1-0.dll api-ms-win-crt-environment-l1-1-0.dll api-ms-win-crt-utility-l1-1-0.dll api-ms-win-core-string-l1-1-0.dll api-ms-win-crt-environment-l1-1-0.dll api-ms-win-core-namedpipe-l1-1-0.dll api-ms-win-core-handle-l1-1-0.dll api-ms-win-core-heap-l1-1-0.dll api-ms-win-core-libraryloader-l1-1-0.dll api-ms-win-core-synch-l1-1-0.dll api-ms-win-core-processthreads-l1-1-0.dll api-ms-win-core-processenvironment-l1-1-0.dll api-ms-win-core-datetime-l1-1-0.dll api-ms-win-core-sysinfo-l1-1-0.dll api-ms-win-core-console-l1-1-0.dll api-ms-win-core-debug-l1-1-0.dll api-ms-win-core-profile-l1-1-0.dll api-ms-win-core-memory-l1-1-0.dll api-ms-win-core-util-l1-1-0.dll api-ms-win-core-rtlsupport-l1-1-0.dll api-ms-win-core-interlocked-l1-1-0.dll ucrtbase.dll vcruntime140.dll msvcp140.dll
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
856 | Tevst.exe | C:\Users\admin\AppData\Local\Temp\aut715.tmp | binary | 1AFA3F2ACA92C5D1EEB1EA5B9EFB1E08 | A01449E9AEFE76CEF133531A2B5971DBBADB57838ABE2F04C095FEB6808B4B64 |
856 | Tevst.exe | C:\Users\admin\AppData\Local\Temp\nwfsrat | text | B9157236B7935A3147069DD0F8B2123B | 590530EB11D791580B4D950788BD8D350FB7310E59917FD1173948497CF84EF6 |
880 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Tevst.exe | executable | 0AFBB8A3C9A3D579C5BF1813FD65626D | 4576F169EB478B1D96D61A4937376AC745696E0496252DB28C1167DE2E610523 |
880 | powershell.exe | C:\Users\admin\AppData\Local\Temp\jso2aqho.xwp.ps1 | binary | C4CA4238A0B923820DCC509A6F75849B | 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B |
880 | powershell.exe | C:\Users\admin\AppData\Local\Temp\ua1fwvfb.0t0.psm1 | binary | C4CA4238A0B923820DCC509A6F75849B | 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B |
880 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | dbf | 446DD1CF97EABA21CF14D03AEBC79F27 | A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3436 | wscript.exe | 38.79.142.66:2020 | update92.publicvm.com | UTL-42-36113 | US | malicious |
Domain | IP | Reputation |
---|---|---|
update92.publicvm.com | | malicious |