File name: Payment Draft.cab
Full analysis: https://app.any.run/tasks/d15b0824-b57d-4606-9a1b-45186e28bea7
Verdict: Malicious activity
Threats:

Netwire is an advanced RAT — it is a malware that takes control of infected PCs and allows its operators to perform various actions. Unlike many RATs, this one can target every major operating system, including Windows, Linux, and MacOS.

Analysis date: February 21, 2020, 16:13:46
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: autoit, trojan, netwire
Indicators:
MIME: application/vnd.ms-cab-compressed
File info: Microsoft Cabinet archive data, 1228569 bytes, 1 file
MD5: 2EE7627EE56D2B11D10D7D780D235F92
SHA1: CF3469D31AB8FAC7FCA9B6D4513E57455310B410
SHA256: 6A80B05A4A59B8EE0E1985754F0FEA95D877E114C6B6BAE720CDDB57E8257874
SSDEEP: 24576:FY9vvaLd7j3tz4fTWjv+gEURlWACSf3bNiCWAXz6h3Bo661d7c/1RMWaMP3af0on:y9vvI7zyfTuxEUQCWSmhxo661dw/XMxX

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • Payment Draft.exe (PID: 3692)
      • hkub.pif (PID: 2080)
      • RegSvcs.exe (PID: 2248)
    • NETWIRE was detected

      • RegSvcs.exe (PID: 2248)
    • Changes the autorun value in the registry

      • hkub.pif (PID: 2080)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • Payment Draft.exe (PID: 3692)
      • WinRAR.exe (PID: 3620)
      • hkub.pif (PID: 2080)
    • Starts application with an unusual extension

      • Payment Draft.exe (PID: 3692)
    • Drop AutoIt3 executable file

      • Payment Draft.exe (PID: 3692)
  • INFO

    No info indicators.
No Malware configuration.

TRiD

.cab | Microsoft Cabinet Archive (100)
No data.
Total processes: 37
Monitored processes: 4
Malicious processes: 4
Suspicious processes: 0

Behavior graph

[Graph rendered in the full report] Process chain: winrar.exe -> payment draft.exe -> hkub.pif -> regsvcs.exe (#NETWIRE); edges are labelled "start" and "drop and start".

Process information

PID: 3620
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Payment Draft.cab"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.60.0

PID: 3692
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa3620.16773\Payment Draft.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa3620.16773\Payment Draft.exe
Parent process: WinRAR.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0

PID: 2080
CMD: "C:\Users\admin\AppData\Local\Temp\62474426\hkub.pif" porrql.ihc
Path: C:\Users\admin\AppData\Local\Temp\62474426\hkub.pif
Parent process: Payment Draft.exe
User: admin
Company: AutoIt Team
Integrity Level: MEDIUM
Description: AutoIt v3 Script
Exit code: 0
Version: 3, 3, 8, 1

PID: 2248
CMD: "C:\Users\admin\AppData\Local\Temp\RegSvcs.exe"
Path: C:\Users\admin\AppData\Local\Temp\RegSvcs.exe
Parent process: hkub.pif
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft .NET Services Installation Utility
Version: 4.7.3062.0 built by: NET472REL1
Total events: 818
Read events: 798
Write events: 20
Delete events: 0

Modification events

(PID) Process: (3620) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

(PID) Process: (3620) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

(PID) Process: (3620) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\12B\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (3620) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\Payment Draft.cab

(PID) Process: (3620) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (3620) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (3620) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (3620) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (3620) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 0

(PID) Process: (3620) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 1
Executable files: 3
Suspicious files: 0
Text files: 66
Unknown types: 0

Dropped files

PID: 3692 | Process: Payment Draft.exe | Filename: C:\Users\admin\AppData\Local\Temp\62474426\porrql.ihc | Type:
MD5:
SHA256:

PID: 3692 | Process: Payment Draft.exe | Filename: C:\Users\admin\AppData\Local\Temp\62474426\mfsrhdujp.txt | Type: text
MD5: 67C2B9917B1162B86D0704C0D33B1EE3
SHA256: 2771FFC6D14FC42189E7D96503FF76F1F25F3C3506726739BE18E1975F63EACF

PID: 3692 | Process: Payment Draft.exe | Filename: C:\Users\admin\AppData\Local\Temp\62474426\hlnhlf.exe | Type: text
MD5: C92B19115CE190DF81249FA8C797FF38
SHA256: 3F1D9E8120BC82ADEBEC6CBBE8DA8B7D78A43577B0570A29A48F8455AB435F0C

PID: 3620 | Process: WinRAR.exe | Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa3620.16773\Payment Draft.exe | Type: executable
MD5: A794516C77B3BB049C463C1BDC5D5D3E
SHA256: 4CE5136B29D5792C2CE74226D80CEB122CE4FF76AA787BD16C1D333F4085D952

PID: 3692 | Process: Payment Draft.exe | Filename: C:\Users\admin\AppData\Local\Temp\62474426\hahaiwpm.dat | Type: text
MD5: 20D2AB824AF251DA26C92AA22993B319
SHA256: 10B734A8F9E4212C98648D491FB6C6B8D0B664CCEBF064D56250ED8C2E9E4065

PID: 3692 | Process: Payment Draft.exe | Filename: C:\Users\admin\AppData\Local\Temp\62474426\swco.icm | Type: text
MD5: 4C9D402C46A621FBA9D23B78E0BCB1A3
SHA256: 53517F381FA528F5122B930464E923FB0D9AD30C4775E61CDAA2C92B882EC231

PID: 3692 | Process: Payment Draft.exe | Filename: C:\Users\admin\AppData\Local\Temp\62474426\ambh.icm | Type: text
MD5: 19A55CB62675833EECACCADBACFC67B4
SHA256: 5FF947E046BD2AD453FA3C5DBC6F7E4A0C25EC970EE9C535F0663C2DAB645AAA

PID: 3692 | Process: Payment Draft.exe | Filename: C:\Users\admin\AppData\Local\Temp\62474426\purc.ppt | Type: text
MD5: 178EAFDEDD97AA8576351417DB6F20E5
SHA256: 654D2F26E28088E37CDB36E71CEDE7C5F6708C6A1BE264ABF8A283F2E327CB2D

PID: 3692 | Process: Payment Draft.exe | Filename: C:\Users\admin\AppData\Local\Temp\62474426\tkes.xls | Type: text
MD5: C5D12E596A14F7E91308CAE0AAD6CE1D
SHA256: 2EB165F738B8B0F4BBC224B0CF0CCCDDC445F9BFD48E7F47E59040B0F3C995D3

PID: 3692 | Process: Payment Draft.exe | Filename: C:\Users\admin\AppData\Local\Temp\62474426\qnkxatwlbc.pdf | Type: text
MD5: 507D1212094C6039ED8D92A624985BCD
SHA256: 51109D894C44CDA77571EDACF830DD8B1BAD75A4538C8858B477EB56AF9F7517
HTTP(S) requests: 0
TCP/UDP connections: 1
DNS requests: 2
Threats: 0

HTTP requests

No HTTP requests

Connections

PID: 2248
Process: RegSvcs.exe
IP: 91.189.180.213:3365
Domain:
ASN: ServeTheWorld AS
CN: NO
Reputation: malicious

DNS requests

Domain: dns.msftncsi.com
IP: 131.107.255.255
Reputation: shared

Threats

No threats detected
No debug info