URL: | https://www.mediafire.com/file/psah91yvt6ux3yv/Pago_vencido.7z/file |
Full analysis: | https://app.any.run/tasks/8f122873-2b7f-4d5d-8af2-8ee9469cdca8 |
Verdict: | Malicious activity |
Threats: | Netwire is an advanced RAT: malware that takes control of infected PCs and allows its operators to perform various actions. Unlike many RATs, this one can target every major operating system, including Windows, Linux, and macOS. |
Analysis date: | March 31, 2020, 11:49:39 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
MD5: | B1D63599F99C828B4F7331656EE07DC0 |
SHA1: | E6E21724F80B247C0BB372DE949F5BF57CD34581 |
SHA256: | 5ABCDEF83E59E3927C59E85950E5A395DFE60C28E16D250824486B084D06EAEB |
SSDEEP: | 3:N8DSLw3eGUonPFTKO7pHg:2OLw3eGxTK8pA |
PID | CMD | Path | Indicators | Parent process | Details |
---|---|---|---|---|---|
2564 | "C:\Program Files\Internet Explorer\iexplore.exe" https://www.mediafire.com/file/psah91yvt6ux3yv/Pago_vencido.7z/file | C:\Program Files\Internet Explorer\iexplore.exe | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Internet Explorer; Version: 11.00.9600.16428 (winblue_gdr.131013-1700) |
3252 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2564 CREDAT:267521 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | — | iexplore.exe | User: admin; Company: Microsoft Corporation; Integrity Level: LOW; Description: Internet Explorer; Version: 11.00.9600.16428 (winblue_gdr.131013-1700) |
2220 | -modal 393678 -skip TRUE -path C:\Windows\diagnostics\system\networking -af C:\Users\admin\AppData\Local\Temp\NDFC750.tmp -ep NetworkDiagnosticsWeb | C:\Windows\system32\msdt.exe | — | iexplore.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Diagnostics Troubleshooting Wizard; Exit code: 2; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
2696 | C:\Windows\System32\sdiagnhost.exe -Embedding | C:\Windows\System32\sdiagnhost.exe | — | svchost.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Scripted Diagnostics Native Host; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
3624 | "C:\Windows\system32\ipconfig.exe" /all | C:\Windows\system32\ipconfig.exe | — | sdiagnhost.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: IP Configuration Utility; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
272 | "C:\Windows\system32\ROUTE.EXE" print | C:\Windows\system32\ROUTE.EXE | — | sdiagnhost.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: TCP/IP Route Command; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
852 | "C:\Windows\system32\makecab.exe" /f NetworkConfiguration.ddf | C:\Windows\system32\makecab.exe | — | sdiagnhost.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft® Cabinet Maker; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
3912 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\Pago vencido.7z" | C:\Program Files\WinRAR\WinRAR.exe | — | iexplore.exe | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Version: 5.60.0 |
3196 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa3912.27857\Pago vencido.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa3912.27857\Pago vencido.exe | — | WinRAR.exe | User: admin; Company: WONDErware; Integrity Level: MEDIUM; Description: acredul; Exit code: 0; Version: 1.00 |
3036 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa3912.27857\Pago vencido.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa3912.27857\Pago vencido.exe | — | Pago vencido.exe | User: admin; Company: WONDErware; Integrity Level: MEDIUM; Description: acredul; Exit code: 0; Version: 1.00 |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
3252 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\CabA89C.tmp | — | — | — |
3252 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\TarA89D.tmp | — | — | — |
3252 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D | der | 85C2FF2165EE33525CA83481A1D34237 | DB74E85956D511E4B809197EEE82E89106DEADACE38242B714C47C361990F03D |
3252 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YTOWV792\errorPageStrings[1] | text | E3E4A98353F119B80B323302F26B78FA | 9466D620DC57835A2475F8F71E304F54AEE7160E134BA160BAAE0F19E5E71E66 |
3252 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5457A8CE4B2A7499F8299A013B6E1C7C_CBB16B7A61CE4E298043181730D3CE9B | der | FCAB8978DFC89E03C4605B91B9F1C6D0 | E8D004CDEAA061C2574F2EA588FD7F923D7D8A810B1CE7BA59BA877CF18F4A03 |
3252 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5457A8CE4B2A7499F8299A013B6E1C7C_CBB16B7A61CE4E298043181730D3CE9B | binary | AE1B7307B24EB0B30757B8149A009F6D | 5203C35BE14BB39749FD8D73976E797EBBCAC5D3D7D562FDEDAE98A4968F81F9 |
2564 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\NDFC750.tmp | binary | F8D3A1FF8060AA6D84068453DA1CA0A0 | 5D138CAEA8D343114358C6252317C370DCCB5BAABEE2697EE9C5B5C540F7CEDB |
3252 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D | binary | 56F3D0915D8468377F7E1688063E4B3B | 9F50FAE177E8C004AB8577F70DAFC2442E5A54D3F97E344AA9C2702B45364F80 |
3252 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\dnserror[1] | html | 73C70B34B5F8F158D38A94B9D7766515 | 3EBD34328A4386B4EBA1F3D5F1252E7BD13744A6918720735020B4689C13FCF4 |
2220 | msdt.exe | C:\Users\admin\AppData\Local\Temp\SDIAG_6cc096a0-4bdf-4650-9d44-bf52a72c14dc\StartDPSService.ps1 | text | A660422059D953C6D681B53A6977100E | D19677234127C38A52AEC23686775A8EB3F4E3A406F4A11804D97602D6C31813 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2244 | opera.exe | GET | 200 | 93.184.220.29:80 | http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl | US | der | 564 b | whitelisted |
2564 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D | US | der | 1.47 Kb | whitelisted |
3252 | iexplore.exe | GET | 200 | 151.139.128.14:80 | http://ocsp.sectigo.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRDC9IOTxN6GmyRjyTl2n4yTUczyAQUjYxexFStiuF36Zv5mwXhuAGNYeECECUTgfQsc%2BcBwNBMQNWQl0M%3D | US | der | 471 b | whitelisted |
2564 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D | US | der | 1.47 Kb | whitelisted |
2564 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D | US | der | 1.47 Kb | whitelisted |
2564 | iexplore.exe | GET | 200 | 13.107.21.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted |
1052 | svchost.exe | GET | 200 | 172.217.16.131:80 | http://ocsp.pki.goog/GTSGIAG3/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCCCR1UqpKNfC0 | US | binary | 5 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2564 | iexplore.exe | 13.107.21.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
2564 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
3252 | iexplore.exe | 151.139.128.14:80 | ocsp.usertrust.com | Highwinds Network Group, Inc. | US | suspicious |
3252 | iexplore.exe | 104.16.202.237:443 | — | Cloudflare Inc | US | unknown |
3252 | iexplore.exe | 205.196.123.46:443 | download1358.mediafire.com | MediaFire, LLC | US | malicious |
824 | svchost.exe | 104.16.202.237:443 | — | Cloudflare Inc | US | unknown |
3252 | iexplore.exe | 104.16.203.237:443 | — | Cloudflare Inc | US | unknown |
2564 | iexplore.exe | 152.199.19.161:443 | r20swj13mr.microsoft.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
2564 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
2564 | iexplore.exe | 72.21.81.200:443 | iecvlist.microsoft.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
Domain | IP | Reputation |
---|---|---|
www.mediafire.com | — | shared |
ocsp.usertrust.com | — | whitelisted |
api.bing.com | — | whitelisted |
www.bing.com | — | whitelisted |
crl.usertrust.com | — | whitelisted |
download1358.mediafire.com | — | malicious |
ocsp.sectigo.com | — | whitelisted |
iecvlist.microsoft.com | — | whitelisted |
r20swj13mr.microsoft.com | — | whitelisted |
ocsp.digicert.com | — | whitelisted |
PID | Process | Class | Message |
---|---|---|---|
1052 | svchost.exe | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |
1052 | svchost.exe | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |
2792 | Pago vencido.exe | A Network Trojan was detected | MALWARE [PTsecurity] Netwire.RAT |
3580 | Pago vencido.exe | A Network Trojan was detected | MALWARE [PTsecurity] Netwire.RAT |
1052 | svchost.exe | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |
3780 | Host.exe | A Network Trojan was detected | MALWARE [PTsecurity] Netwire.RAT |