URL: https://www.mediafire.com/file/psah91yvt6ux3yv/Pago_vencido.7z/file

Full analysis: https://app.any.run/tasks/8f122873-2b7f-4d5d-8af2-8ee9469cdca8
Verdict: Malicious activity
Threats:

Netwire is an advanced RAT: malware that takes control of infected PCs and lets its operators perform various actions on them. Unlike many RATs, it can target every major operating system, including Windows, Linux, and macOS.

Analysis date: March 31, 2020, 11:49:39
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
netwire
rat
Indicators:
MD5: B1D63599F99C828B4F7331656EE07DC0
SHA1: E6E21724F80B247C0BB372DE949F5BF57CD34581
SHA256: 5ABCDEF83E59E3927C59E85950E5A395DFE60C28E16D250824486B084D06EAEB
SSDEEP: 3:N8DSLw3eGUonPFTKO7pHg:2OLw3eGxTK8pA

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • Pago vencido.exe (PID: 3196)
      • Pago vencido.exe (PID: 3036)
      • Host.exe (PID: 1724)
      • Host.exe (PID: 3780)
      • Pago vencido.exe (PID: 2944)
      • Pago vencido.exe (PID: 2792)
      • Pago vencido.exe (PID: 2784)
      • Pago vencido.exe (PID: 3580)
    • Changes the autorun value in the registry

      • Host.exe (PID: 3780)
      • Pago vencido.exe (PID: 2792)
      • Pago vencido.exe (PID: 3580)
    • NETWIRE was detected

      • Host.exe (PID: 3780)
      • Pago vencido.exe (PID: 2792)
      • Pago vencido.exe (PID: 3580)
    • Connects to CnC server

      • Pago vencido.exe (PID: 2792)
      • Host.exe (PID: 3780)
      • Pago vencido.exe (PID: 3580)
    • Changes settings of System certificates

      • Host.exe (PID: 3780)
      • Pago vencido.exe (PID: 3036)
      • Pago vencido.exe (PID: 3580)
      • Pago vencido.exe (PID: 2792)
  • SUSPICIOUS

    • Executed via COM

      • sdiagnhost.exe (PID: 2696)
    • Executable content was dropped or overwritten

      • msdt.exe (PID: 2220)
      • WinRAR.exe (PID: 3912)
      • Pago vencido.exe (PID: 3036)
      • WinRAR.exe (PID: 572)
    • Uses IPCONFIG.EXE to discover IP address

      • sdiagnhost.exe (PID: 2696)
    • Reads Internet Cache Settings

      • Pago vencido.exe (PID: 3036)
      • Host.exe (PID: 3780)
      • Pago vencido.exe (PID: 2792)
      • Pago vencido.exe (PID: 3580)
    • Application launched itself

      • Pago vencido.exe (PID: 3196)
      • Host.exe (PID: 1724)
      • Pago vencido.exe (PID: 2944)
      • Pago vencido.exe (PID: 2784)
    • Starts itself from another location

      • Pago vencido.exe (PID: 3036)
    • Creates files in the user directory

      • Pago vencido.exe (PID: 3036)
      • Pago vencido.exe (PID: 2792)
    • Adds / modifies Windows certificates

      • Pago vencido.exe (PID: 3036)
      • Pago vencido.exe (PID: 2792)
      • Host.exe (PID: 3780)
      • Pago vencido.exe (PID: 3580)
  • INFO

    • Changes internet zones settings

      • iexplore.exe (PID: 2564)
    • Reads Internet Cache Settings

      • iexplore.exe (PID: 2564)
      • iexplore.exe (PID: 3252)
    • Application launched itself

      • iexplore.exe (PID: 2564)
    • Reads internet explorer settings

      • iexplore.exe (PID: 3252)
    • Modifies the phishing filter of IE

      • iexplore.exe (PID: 2564)
    • Creates files in the user directory

      • iexplore.exe (PID: 3252)
      • iexplore.exe (PID: 2564)
      • opera.exe (PID: 2244)
    • Manual execution by user

      • opera.exe (PID: 2244)
      • explorer.exe (PID: 3852)
      • Pago vencido.exe (PID: 2784)
    • Reads settings of System Certificates

      • iexplore.exe (PID: 2564)
    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 2564)
    • Changes settings of System certificates

      • iexplore.exe (PID: 2564)
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 59
Monitored processes: 19
Malicious processes: 10
Suspicious processes: 0

Behavior graph

Process nodes of the graph, in the order the flattened graph lists them ("no specs" is the report's own label for a process with no flagged behaviour; #NETWIRE marks the processes in which Netwire was detected):
  • iexplore.exe
  • iexplore.exe
  • msdt.exe
  • sdiagnhost.exe (no specs)
  • ipconfig.exe (no specs)
  • route.exe (no specs)
  • makecab.exe (no specs)
  • winrar.exe
  • pago vencido.exe (no specs)
  • pago vencido.exe
  • host.exe (no specs)
  • host.exe #NETWIRE
  • pago vencido.exe (no specs)
  • opera.exe
  • pago vencido.exe #NETWIRE
  • explorer.exe (no specs)
  • winrar.exe
  • pago vencido.exe (no specs)
  • pago vencido.exe #NETWIRE

Process information

PID: 2564
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" https://www.mediafire.com/file/psah91yvt6ux3yv/Pago_vencido.7z/file
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID: 3252
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2564 CREDAT:267521 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID: 2220
CMD: -modal 393678 -skip TRUE -path C:\Windows\diagnostics\system\networking -af C:\Users\admin\AppData\Local\Temp\NDFC750.tmp -ep NetworkDiagnosticsWeb
Path: C:\Windows\system32\msdt.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Diagnostics Troubleshooting Wizard
Exit code: 2
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2696
CMD: C:\Windows\System32\sdiagnhost.exe -Embedding
Path: C:\Windows\System32\sdiagnhost.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Scripted Diagnostics Native Host
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3624
CMD: "C:\Windows\system32\ipconfig.exe" /all
Path: C:\Windows\system32\ipconfig.exe
Parent process: sdiagnhost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: IP Configuration Utility
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 272
CMD: "C:\Windows\system32\ROUTE.EXE" print
Path: C:\Windows\system32\ROUTE.EXE
Parent process: sdiagnhost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: TCP/IP Route Command
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 852
CMD: "C:\Windows\system32\makecab.exe" /f NetworkConfiguration.ddf
Path: C:\Windows\system32\makecab.exe
Parent process: sdiagnhost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft® Cabinet Maker
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3912
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\Pago vencido.7z"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: iexplore.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.60.0

PID: 3196
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa3912.27857\Pago vencido.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa3912.27857\Pago vencido.exe
Parent process: WinRAR.exe
User: admin
Company: WONDErware
Integrity Level: MEDIUM
Description: acredul
Exit code: 0
Version: 1.00

PID: 3036
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa3912.27857\Pago vencido.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa3912.27857\Pago vencido.exe
Parent process: Pago vencido.exe
User: admin
Company: WONDErware
Integrity Level: MEDIUM
Description: acredul
Exit code: 0
Version: 1.00
Total events: 22 917
Read events: 2 957
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 7
Suspicious files: 60
Text files: 40
Unknown types: 15

Dropped files

PID: 3252
Process: iexplore.exe
Filename: C:\Users\admin\AppData\Local\Temp\Low\CabA89C.tmp
MD5:
SHA256:

PID: 3252
Process: iexplore.exe
Filename: C:\Users\admin\AppData\Local\Temp\Low\TarA89D.tmp
MD5:
SHA256:

PID: 3252
Process: iexplore.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
Type: der
MD5: 85C2FF2165EE33525CA83481A1D34237
SHA256: DB74E85956D511E4B809197EEE82E89106DEADACE38242B714C47C361990F03D

PID: 3252
Process: iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YTOWV792\errorPageStrings[1]
Type: text
MD5: E3E4A98353F119B80B323302F26B78FA
SHA256: 9466D620DC57835A2475F8F71E304F54AEE7160E134BA160BAAE0F19E5E71E66

PID: 3252
Process: iexplore.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5457A8CE4B2A7499F8299A013B6E1C7C_CBB16B7A61CE4E298043181730D3CE9B
Type: der
MD5: FCAB8978DFC89E03C4605B91B9F1C6D0
SHA256: E8D004CDEAA061C2574F2EA588FD7F923D7D8A810B1CE7BA59BA877CF18F4A03

PID: 3252
Process: iexplore.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5457A8CE4B2A7499F8299A013B6E1C7C_CBB16B7A61CE4E298043181730D3CE9B
Type: binary
MD5: AE1B7307B24EB0B30757B8149A009F6D
SHA256: 5203C35BE14BB39749FD8D73976E797EBBCAC5D3D7D562FDEDAE98A4968F81F9

PID: 2564
Process: iexplore.exe
Filename: C:\Users\admin\AppData\Local\Temp\NDFC750.tmp
Type: binary
MD5: F8D3A1FF8060AA6D84068453DA1CA0A0
SHA256: 5D138CAEA8D343114358C6252317C370DCCB5BAABEE2697EE9C5B5C540F7CEDB

PID: 3252
Process: iexplore.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
Type: binary
MD5: 56F3D0915D8468377F7E1688063E4B3B
SHA256: 9F50FAE177E8C004AB8577F70DAFC2442E5A54D3F97E344AA9C2702B45364F80

PID: 3252
Process: iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\dnserror[1]
Type: html
MD5: 73C70B34B5F8F158D38A94B9D7766515
SHA256: 3EBD34328A4386B4EBA1F3D5F1252E7BD13744A6918720735020B4689C13FCF4

PID: 2220
Process: msdt.exe
Filename: C:\Users\admin\AppData\Local\Temp\SDIAG_6cc096a0-4bdf-4650-9d44-bf52a72c14dc\StartDPSService.ps1
Type: text
MD5: A660422059D953C6D681B53A6977100E
SHA256: D19677234127C38A52AEC23686775A8EB3F4E3A406F4A11804D97602D6C31813
HTTP(S) requests: 7
TCP/UDP connections: 44
DNS requests: 26
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2244 | opera.exe | GET | 200 | 93.184.220.29:80 | http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl | US | der | 564 b | whitelisted
2564 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D | US | der | 1.47 Kb | whitelisted
3252 | iexplore.exe | GET | 200 | 151.139.128.14:80 | http://ocsp.sectigo.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRDC9IOTxN6GmyRjyTl2n4yTUczyAQUjYxexFStiuF36Zv5mwXhuAGNYeECECUTgfQsc%2BcBwNBMQNWQl0M%3D | US | der | 471 b | whitelisted
2564 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D | US | der | 1.47 Kb | whitelisted
2564 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D | US | der | 1.47 Kb | whitelisted
2564 | iexplore.exe | GET | 200 | 13.107.21.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted
1052 | svchost.exe | GET | 200 | 172.217.16.131:80 | http://ocsp.pki.goog/GTSGIAG3/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCCCR1UqpKNfC0 | US | binary | 5 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2564 | iexplore.exe | 13.107.21.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted
2564 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted
3252 | iexplore.exe | 151.139.128.14:80 | ocsp.usertrust.com | Highwinds Network Group, Inc. | US | suspicious
3252 | iexplore.exe | 104.16.202.237:443 | | Cloudflare Inc | US | unknown
3252 | iexplore.exe | 205.196.123.46:443 | download1358.mediafire.com | MediaFire, LLC | US | malicious
824 | svchost.exe | 104.16.202.237:443 | | Cloudflare Inc | US | unknown
3252 | iexplore.exe | 104.16.203.237:443 | | Cloudflare Inc | US | unknown
2564 | iexplore.exe | 152.199.19.161:443 | r20swj13mr.microsoft.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
2564 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
2564 | iexplore.exe | 72.21.81.200:443 | iecvlist.microsoft.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted

DNS requests

Domain | IP | Reputation
www.mediafire.com | 185.244.30.160 | shared
ocsp.usertrust.com | 151.139.128.14 | whitelisted
api.bing.com | 13.107.5.80 | whitelisted
www.bing.com | 204.79.197.200, 13.107.21.200 | whitelisted
crl.usertrust.com | 151.139.128.14 | whitelisted
download1358.mediafire.com | 205.196.123.46 | malicious
ocsp.sectigo.com | 151.139.128.14 | whitelisted
iecvlist.microsoft.com | 72.21.81.200 | whitelisted
r20swj13mr.microsoft.com | 152.199.19.161 | whitelisted
ocsp.digicert.com | 93.184.220.29 | whitelisted

Threats

PID | Process | Class | Message
1052 | svchost.exe | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
1052 | svchost.exe | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
2792 | Pago vencido.exe | A Network Trojan was detected | MALWARE [PTsecurity] Netwire.RAT
3580 | Pago vencido.exe | A Network Trojan was detected | MALWARE [PTsecurity] Netwire.RAT
1052 | svchost.exe | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
3780 | Host.exe | A Network Trojan was detected | MALWARE [PTsecurity] Netwire.RAT
4 ETPRO signatures available at the full report
No debug info