File name: Tevst.exe

Full analysis: https://app.any.run/tasks/7c5edb3d-76ff-469c-af3a-329ebe945561
Verdict: Malicious activity
Threats:

NetWire is a full-featured remote access trojan (RAT): malware that gives its operators control of an infected machine and lets them run a wide range of actions on it, from keylogging to credential theft (the strings below show which browser, mail and Windows credential stores this build targets). Unlike many RATs, NetWire has builds for every major desktop operating system, including Windows, Linux and macOS.

Analysis date: December 06, 2022, 00:42:33
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
netwire
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 0AFBB8A3C9A3D579C5BF1813FD65626D
SHA1: 1DA0CA7125A5DBECE884115FA127F4F052CB473B
SHA256: 4576F169EB478B1D96D61A4937376AC745696E0496252DB28C1167DE2E610523
SSDEEP: 12288:BCdOy3vVrKxR5CXbNjAOxK/j2n+4YG/6c1mFFja3mXgcjfRlgsUBga/77395YhBm:BCdxte/80jYLT3U1jfsWaz737R/UQ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • NETWIRE detected by memory dumps

      • wscript.exe (PID: 3436)
  • SUSPICIOUS

    No suspicious indicators.
  • INFO

    No info indicators.

NetWire

(PID) Process: 3436 wscript.exe
Strings (222):
%s\%s.exe
GetExtendedTcpTable
GetExtendedUdpTable
GetProcessImageFileNameA
GetProcessImageFileNameA
CONNECT %s:%d HTTP/1.0
Local Disk
WinHttpOpen
WinHttpGetProxyForUrl
WinHttpGetIEProxyConfigForCurrentUser
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
SOFTWARE\Microsoft\Active Setup\Installed Components\%s
StubPath
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
SOFTWARE\Microsoft\Active Setup\Installed Components
[Backspace]
[Enter]
[Tab]
[Arrow Left]
[Arrow Up]
[Arrow Right]
[Arrow Down]
[Home]
[Page Up]
[Page Down]
[End]
[Break]
[Delete]
[Insert]
[Print Screen]
[Scroll Lock]
[Caps Lock]
[Esc]
[Ctrl+%c]
[Ctrl+%c]
RegisterRawInputDevices
GetRawInputData
Secur32.dll
LsaGetLogonSessionData
LsaFreeReturnBuffer
LsaEnumerateLogonSessions
SOFTWARE\Mozilla\%s\
CurrentVersion
SOFTWARE\Mozilla\%s\%s\Main
Install Directory
mozutils.dll
mozglue.dll
mozsqlite3.dll
nss3.dll
%s\nss3.dll
%s\Mozilla\Firefox\profiles.ini
%s\Mozilla\Firefox\%s
%s\Thunderbird\profiles.ini
%s\Thunderbird\%s
%s\Mozilla\SeaMonkey\profiles.ini
%s\Mozilla\SeaMonkey\%s
%s\signons.sqlite
%s\logins.json
NSS_Init
PK11_GetInternalKeySlot
PK11_Authenticate
PL_Base64Decode
SECITEM_ZfreeItem
PK11SDR_Decrypt
PK11_FreeSlot
NSS_Shutdown
sqlite3_open
sqlite3_close
sqlite3_prepare_v2
sqlite3_step
sqlite3_column_text
select * from moz_logins
select * from moz_logins
hostname
encryptedUsername
encryptedPassword
hostname
%s\Opera\Opera\wand.dat
%s\Opera\Opera\profile\wand.dat
%s\.purple\accounts.xml
<protocol>
<name>
<password>
advapi32.dll
CredEnumerateA
CredFree
WindowsLive:name=*
Email
POP3 User
POP3 Server
POP3 Password
IMAP User
IMAP Server
IMAP Password
HTTP User
HTTP Server
HTTP Password
SMTP User
SMTP Server
SMTP Password
EAS User
EAS Server URL
EAS Password
Email
POP3 User
POP3 Server
POP3 Password
IMAP User
IMAP Server
IMAP Password
HTTP User
HTTP Server
HTTP Password
SMTP User
SMTP Server
SMTP Password
EAS User
EAS Server URL
EAS Password
crypt32.dll
CryptUnprotectData
advapi32.dll
CredEnumerateA
CredFree
crypt32.dll
CryptUnprotectData
index.dat
vaultcli.dll
VaultOpenVault
VaultCloseVault
VaultEnumerateItems
VaultGetItem
VaultGetItem
VaultFree
%s\Google\Chrome\User Data\Default\Login Data
%s\Chromium\User Data\Default\Login Data
%s\Comodo\Dragon\User Data\Default\Login Data
%s\Yandex\YandexBrowser\User Data\Default\Login Data
%s\Opera Software\Opera Stable\Login Data
GetModuleFileNameExA
GetModuleFileNameExA
%s\system32\cmd.exe
advapi32.dll
GetUserNameA
USERNAME
GetNativeSystemInfo
kernel32.dll
SYSTEM\CurrentControlSet\Control\ProductOptions
ProductType
WINNT
LANMANNT
SERVERNT
GlobalMemoryStatusEx
HARDWARE\DESCRIPTION\System\CentralProcessor\0
AllocateAndInitializeSid
CheckTokenMembership
FreeSid
Closed
Listening...
SYN Sent
SYN Received
Established
Fin Wait (1)
Fin Wait (2)
Close Wait
Closing...
Last ACK
Time Wait
Delete TCB
mozcrt19.dll
sqlite3.dll
nspr4.dll
plc4.dll
plds4.dll
nssutil3.dll
nss3.dll
softokn3.dll
nssdbm3.dll
msvcr100.dll
msvcp100.dll
msvcr120.dll
msvcp120.dll
api-ms-win-core-timezone-l1-1-0.dll
api-ms-win-core-file-l1-1-0.dll
api-ms-win-core-file-l2-1-0.dll
api-ms-win-core-localization-l1-2-0.dll
api-ms-win-core-synch-l1-2-0.dll
api-ms-win-core-processthreads-l1-1-1.dll
api-ms-win-core-file-l1-2-0.dll
api-ms-win-crt-runtime-l1-1-0.dll
api-ms-win-crt-string-l1-1-0.dll
api-ms-win-crt-heap-l1-1-0.dll
api-ms-win-crt-stdio-l1-1-0.dll
api-ms-win-crt-convert-l1-1-0.dll
api-ms-win-crt-locale-l1-1-0.dll
api-ms-win-crt-math-l1-1-0.dll
api-ms-win-crt-multibyte-l1-1-0.dll
api-ms-win-crt-time-l1-1-0.dll
api-ms-win-crt-filesystem-l1-1-0.dll
api-ms-win-crt-environment-l1-1-0.dll
api-ms-win-crt-utility-l1-1-0.dll
api-ms-win-core-string-l1-1-0.dll
api-ms-win-crt-environment-l1-1-0.dll
api-ms-win-core-namedpipe-l1-1-0.dll
api-ms-win-core-handle-l1-1-0.dll
api-ms-win-core-heap-l1-1-0.dll
api-ms-win-core-libraryloader-l1-1-0.dll
api-ms-win-core-synch-l1-1-0.dll
api-ms-win-core-processthreads-l1-1-0.dll
api-ms-win-core-processenvironment-l1-1-0.dll
api-ms-win-core-datetime-l1-1-0.dll
api-ms-win-core-sysinfo-l1-1-0.dll
api-ms-win-core-console-l1-1-0.dll
api-ms-win-core-debug-l1-1-0.dll
api-ms-win-core-profile-l1-1-0.dll
api-ms-win-core-memory-l1-1-0.dll
api-ms-win-core-util-l1-1-0.dll
api-ms-win-core-rtlsupport-l1-1-0.dll
api-ms-win-core-interlocked-l1-1-0.dll
ucrtbase.dll
vcruntime140.dll
msvcp140.dll
Keys
RC4: adbd1cc26a0a1dc768cb8ec655306d0e
Options
Keylogger directory: C:\Users\admin\AppData\Roaming\Logs\
Sleep: 15
Offline keylogger: True
Use a mutex: False
Registry autorun: False
Lock executable: False
Delete original: False
Copy executable: False
ActiveX: False
Proxy: Direct connection
Startup name: -
Install path: -
Mutex: -
Credentials
Password: 1992
Host: HostId-%Rand%
C2 (1): update92.publicvm.com:2020

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 2019-Apr-15 14:57:04
Detected languages:
  • English - United Kingdom

DOS Header

e_magic: MZ
e_cblp: 144
e_cp: 3
e_crlc: 0
e_cparhdr: 4
e_minalloc: 0
e_maxalloc: 65535
e_ss: 0
e_sp: 184
e_csum: 0
e_ip: 0
e_cs: 0
e_ovno: 0
e_oemid: 0
e_oeminfo: 0
e_lfanew: 272

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
NumberofSections: 5
TimeDateStamp: 2019-Apr-15 14:57:04
PointerToSymbolTable: 0
NumberOfSymbols: 0
SizeOfOptionalHeader: 224
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LARGE_ADDRESS_AWARE

Sections

Name    Virtual Address  Virtual Size  Raw Size  Characteristics                                                                   Entropy
.text   4096             580910        581120    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ                     6.67588
.rdata  585728           188686        188928    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ                                5.76073
.data   778240           36724         20992     IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE           1.19881
.rsrc   815104           183896        184320    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ                                7.71621
.reloc  999424           28976         29184     IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ     6.78238

Resources

Title   Entropy  Size    Codepage                    Language                  Type
1       2.77862  220     Latin 1 / Western European  English - United Kingdom  RT_VERSION
99      2.85255  118     Latin 1 / Western European  English - United Kingdom  RT_GROUP_ICON
169     1.84274  20      Latin 1 / Western European  English - United Kingdom  RT_GROUP_ICON
SCRIPT  7.99902  148717  Latin 1 / Western European  UNKNOWN                   RT_RCDATA
1 (#2)  5.40026  1007    Latin 1 / Western European  English - United Kingdom  RT_MANIFEST

Note: the .rsrc section's entropy of 7.72 is driven by the 148,717-byte RT_RCDATA resource named SCRIPT, whose entropy of 7.999 is effectively the 8.0 maximum, i.e. compressed or encrypted data. That resource, rather than the .text section, is where to look first for the embedded payload that later appears in the memory of wscript.exe.

Imports

ADVAPI32.dll
COMCTL32.dll
COMDLG32.dll
GDI32.dll
IPHLPAPI.DLL
KERNEL32.dll
MPR.dll
OLEAUT32.dll
PSAPI.DLL
SHELL32.dll
No data.
Total processes: 36
Monitored processes: 3
Malicious processes: 2
Suspicious processes: 0

Behavior graph

start -> Tevst.exe (PID 856, no specific indicators)
Tevst.exe -> powershell.exe (PID 880, no specific indicators)
Tevst.exe -> wscript.exe (PID 3436, #NETWIRE)

Process information

PID: 856
CMD: "C:\Users\admin\AppData\Local\Temp\Tevst.exe"
Path: C:\Users\admin\AppData\Local\Temp\Tevst.exe
Indicators: none
Parent process: Explorer.EXE
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
c:\users\admin\appdata\local\temp\tevst.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\version.dll

PID: 880
CMD: powershell.exe -windowstyle hidden ( Copy-Item -Path "C:\Users\admin\AppData\Local\Temp\Tevst.exe" -Destination "C:\Users\admin\AppData\Roaming\Microsoft\Windows\'Start Menu'\Programs\Startup\Tevst.exe" )
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Indicators: none
Parent process: Tevst.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 10.0.14409.1005 (rs1_srvoob.161208-1155)
Note: this is the persistence step. The copy written to the per-user Startup folder has the same MD5/SHA256 as the original (see Dropped files). The extracted NetWire configuration has "Registry autorun: False" and "Copy executable: False", so the autostart comes from the loader's hidden-window PowerShell one-liner, not from the RAT's own install options; a detection keyed only on NetWire's registry Run/Active Setup persistence would miss it.
Modules (images):
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll

PID: 3436
CMD: "C:\Windows\system32\wscript.exe"
Path: C:\Windows\system32\wscript.exe
Indicators: #NETWIRE (detected by memory dumps)
Parent process: Tevst.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Windows Based Script Host
Version: 5.8.7600.16385
Note: wscript.exe was started with no script path at all, yet the NetWire payload and configuration were recovered from its memory and it is the process that resolves and connects to update92.publicvm.com:2020 (see Connections). A script host with nothing to run that then hosts RAT code is consistent with the loader injecting the payload into a freshly spawned process; treat a bare wscript.exe or cscript.exe spawned by an executable in a user-writable path as a high-signal event.
Modules (images):
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
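The two process behaviours in this table, a hidden-window PowerShell copying the sample into the Startup folder and a script host launched with no script that then carries NetWire, are what a detection engineer would hunt for in process-creation telemetry. The following is an added example and not ANY.RUN's or NetWire's code: the event fields and the sample events are constructed to mirror the command lines reported above, with two benign look-alikes that the rules must leave alone.

```python
# Added hunting example (not ANY.RUN's code). The ProcEvent fields and the events in
# SAMPLE_EVENTS are constructed to mirror this report's process table; adapt the
# field mapping to your EDR / Sysmon event 1 export.
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str          # full path of the new process
    cmdline: str        # its command line, as logged
    parent_image: str   # path of the creating process


# Per-user Startup folder, tolerating the 'Start Menu' quoting used in the sample.
_STARTUP_RE = re.compile(r"\\Microsoft\\Windows\\'?Start Menu'?\\Programs\\Startup\\", re.I)
_COPY_RE = re.compile(r"\b(?:copy-item|move-item|cpi|copy|cp|move|mv)\b", re.I)
_HIDDEN_RE = re.compile(r"-w[a-z]*\s+hidden", re.I)   # -w / -win / -windowstyle hidden
_SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
_FIRST_TOKEN_RE = re.compile(r'^\s*(?:"[^"]*"|\S+)\s*')


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip('"').lower()


def _args(cmdline):
    """Tokens after the image token, quotes kept."""
    rest = _FIRST_TOKEN_RE.sub("", cmdline, count=1)
    return re.findall(r'"[^"]*"|\S+', rest)


def rule_powershell_startup_copy(ev):
    """PowerShell copying/moving something into the Startup folder (PID 880 above)."""
    if _basename(ev.image) != "powershell.exe":
        return None
    if not (_STARTUP_RE.search(ev.cmdline) and _COPY_RE.search(ev.cmdline)):
        return None
    return {"rule": "powershell_startup_copy", "pid": ev.pid,
            "hidden_window": bool(_HIDDEN_RE.search(ev.cmdline))}


def rule_bare_script_host(ev):
    """wscript/cscript started with no script path at all (PID 3436 above).
    Every token after the image is either a //switch or a script path; if none
    is a script, the host was spawned only to receive injected code."""
    if _basename(ev.image) not in _SCRIPT_HOSTS:
        return None
    if any(not tok.startswith("/") for tok in _args(ev.cmdline)):
        return None
    return {"rule": "script_host_without_script", "pid": ev.pid,
            "parent": _basename(ev.parent_image)}


RULES = (rule_powershell_startup_copy, rule_bare_script_host)


def hunt(events):
    """Run every rule over every event; return the hits in event order."""
    hits = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit is not None:
                hits.append(hit)
    return hits


# Constructed events: the first three mirror the report's process table, the last
# two are benign look-alikes (a logon script, an admin one-liner) that must not fire.
_PS_CMD = (
    r"""powershell.exe -windowstyle hidden ( Copy-Item """
    r"""-Path "C:\Users\admin\AppData\Local\Temp\Tevst.exe" """
    r"""-Destination "C:\Users\admin\AppData\Roaming\Microsoft\Windows\'Start Menu'\Programs\Startup\Tevst.exe" )"""
)
SAMPLE_EVENTS = [
    ProcEvent(856, r"C:\Users\admin\AppData\Local\Temp\Tevst.exe",
              r'"C:\Users\admin\AppData\Local\Temp\Tevst.exe"', r"C:\Windows\Explorer.EXE"),
    ProcEvent(880, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              _PS_CMD, r"C:\Users\admin\AppData\Local\Temp\Tevst.exe"),
    ProcEvent(3436, r"C:\Windows\system32\wscript.exe", r'"C:\Windows\system32\wscript.exe"',
              r"C:\Users\admin\AppData\Local\Temp\Tevst.exe"),
    ProcEvent(4001, r"C:\Windows\System32\wscript.exe",
              r'"C:\Windows\System32\wscript.exe" //B "C:\Scripts\logon.vbs"', r"C:\Windows\Explorer.EXE"),
    ProcEvent(4002, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -NoProfile -Command Get-Process", r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for h in hunt(SAMPLE_EVENTS):
        print(h)
```

Against the constructed events the hunt returns exactly two hits, PID 880 (hidden window) and PID 3436 (parent tevst.exe); the logon script with a real .vbs argument and the plain Get-Process one-liner are ignored. The bare-script-host rule deliberately does not look at the parent, so that an injected host under a legitimate-looking parent still surfaces; the parent is returned for triage instead.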
Total events: 773
Read events: 773
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 1
Suspicious files: 3
Text files: 1
Unknown types: 1

Dropped files

PID  Process         Filename                                                                                    Type
856  Tevst.exe       C:\Users\admin\AppData\Local\Temp\aut715.tmp                                                binary
     MD5: 1AFA3F2ACA92C5D1EEB1EA5B9EFB1E08
     SHA256: A01449E9AEFE76CEF133531A2B5971DBBADB57838ABE2F04C095FEB6808B4B64
856  Tevst.exe       C:\Users\admin\AppData\Local\Temp\nwfsrat                                                   text
     MD5: B9157236B7935A3147069DD0F8B2123B
     SHA256: 590530EB11D791580B4D950788BD8D350FB7310E59917FD1173948497CF84EF6
880  powershell.exe  C:\Users\admin\AppData\Local\Temp\jso2aqho.xwp.ps1                                          binary
     MD5: C4CA4238A0B923820DCC509A6F75849B
     SHA256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
880  powershell.exe  C:\Users\admin\AppData\Local\Temp\ua1fwvfb.0t0.psm1                                         binary
     MD5: C4CA4238A0B923820DCC509A6F75849B
     SHA256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
880  powershell.exe  C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive  dbf
     MD5: 446DD1CF97EABA21CF14D03AEBC79F27
     SHA256: A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
880  powershell.exe  C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Tevst.exe      executable
     MD5: 0AFBB8A3C9A3D579C5BF1813FD65626D
     SHA256: 4576F169EB478B1D96D61A4937376AC745696E0496252DB28C1167DE2E610523

Notes: the Startup\Tevst.exe entry has the same MD5/SHA256 as the analysed sample, so it is an unmodified copy and the sample hash doubles as the IOC for the persisted file. The two PowerShell temp files (.ps1/.psm1) share the digests of the single ASCII character "1" (MD5 C4CA4238..., SHA256 6B86B273...); they are PowerShell's own startup scaffolding, not payload. aut715.tmp and nwfsrat are the loader's own drops and are the two files worth pulling from the full report.
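Two checks a responder would run against this table: confirm that a reported digest belongs to a trivial file before spending time on it, and sweep the Startup folders of a host for the persisted copy by SHA-256. The following is an added example, not ANY.RUN's code; the digest constants are copied from the table above, while the stand-in payload bytes and the temporary Startup folder the demo builds are constructed so it runs offline on any platform.

```python
# Added triage example (not ANY.RUN's code). Digests in the constants are copied
# from this report; the "stand_in" bytes and the temporary folder are constructed.
import hashlib
import os
import tempfile
from pathlib import Path

# SHA-256 of the analysed sample and of its Startup-folder copy (identical above).
SAMPLE_SHA256 = "4576F169EB478B1D96D61A4937376AC745696E0496252DB28C1167DE2E610523".lower()
# Digests reported for the two PowerShell temp files (.ps1 / .psm1).
PS_TEMP_MD5 = "C4CA4238A0B923820DCC509A6F75849B".lower()
PS_TEMP_SHA256 = "6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B".lower()


def digests(data):
    return {"md5": hashlib.md5(data).hexdigest(), "sha256": hashlib.sha256(data).hexdigest()}


def explain_trivial_file(md5_hex, sha256_hex):
    """Return the content whose digests match, if the file is one of the trivial
    payloads sandboxes routinely list (empty, a single digit, a bare newline),
    so the analyst can skip it instead of pulling it for analysis."""
    for candidate in (b"", b"0", b"1", b"\n", b"\r\n", b"1\n"):
        d = digests(candidate)
        if d["md5"] == md5_hex.lower() and d["sha256"] == sha256_hex.lower():
            return candidate
    return None


def startup_dirs():
    """Per-user and all-users Startup folders on a live Windows host (paths are
    assumed from the APPDATA / PROGRAMDATA environment variables)."""
    dirs = []
    for var in ("APPDATA", "PROGRAMDATA"):
        base = os.environ.get(var)
        if base:
            dirs.append(Path(base) / "Microsoft" / "Windows" / "Start Menu" / "Programs" / "Startup")
    return dirs


def scan_for_ioc(dirs, ioc_sha256s):
    """SHA-256 every regular file under each directory and return (path, digest)
    pairs whose digest is in the IOC set. Unreadable files are reported, not fatal."""
    wanted = {h.lower() for h in ioc_sha256s}
    matches, errors = [], []
    for d in dirs:
        d = Path(d)
        if not d.is_dir():
            continue
        for p in d.rglob("*"):
            if not p.is_file():
                continue
            try:
                h = hashlib.sha256(p.read_bytes()).hexdigest()
            except OSError as exc:
                errors.append((str(p), str(exc)))
                continue
            if h in wanted:
                matches.append((str(p), h))
    return matches, errors


def demo():
    """Build a throw-away Startup folder holding a constructed stand-in for the
    dropped Tevst.exe plus a benign desktop.ini, then scan it for the IOC set."""
    stand_in = b"constructed stand-in for the dropped Tevst.exe; not the real sample"
    with tempfile.TemporaryDirectory() as tmp:
        startup = Path(tmp) / "Startup"
        startup.mkdir()
        (startup / "Tevst.exe").write_bytes(stand_in)
        (startup / "desktop.ini").write_bytes(b"[.ShellClassInfo]\r\n")
        iocs = [SAMPLE_SHA256, digests(stand_in)["sha256"]]
        matches, errors = scan_for_ioc([startup], iocs)
    return [Path(p).name for p, _ in matches], errors


if __name__ == "__main__":
    print(explain_trivial_file(PS_TEMP_MD5, PS_TEMP_SHA256))   # b'1'
    print(demo())                                              # (['Tevst.exe'], [])
```

On a live host the sweep is `scan_for_ioc(startup_dirs(), [SAMPLE_SHA256])`; hashing rather than matching on the file name matters because the loader could just as easily have copied itself under another name, while the digest of the persisted copy is fixed by the report.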
HTTP(S) requests: 0
TCP/UDP connections: 1
DNS requests: 1
Threats: 0

HTTP requests

No HTTP requests

Connections

PID   Process      IP                 Domain                 ASN           CN  Reputation
3436  wscript.exe  38.79.142.66:2020  update92.publicvm.com  UTL-42-36113  US  malicious

DNS requests

Domain                 IP            Reputation
update92.publicvm.com  38.79.142.66  suspicious

Threats

No threats detected. No network signature fired on the C2 session from wscript.exe to update92.publicvm.com:2020, which matches the C2 entry in the extracted configuration; the malicious verdict rests on the NetWire memory-dump signature and the configuration extraction, so a network-only detection layer would not have caught this sample.
No debug info