File name: | QUATATION PAID.ace |
Full analysis: | https://app.any.run/tasks/4b4282c1-2db3-4c18-9505-2a81ef6ec2d5 |
Verdict: | Malicious activity |
Threats: | Netwire is an advanced RAT — malware that takes control of infected PCs and allows its operators to perform various actions. Unlike many RATs, this one can target every major operating system, including Windows, Linux, and macOS. |
Analysis date: | April 24, 2019, 06:24:20 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/octet-stream |
File info: | ACE archive data version 20, from Win/32, version 20 to extract, contains AV-String (unregistered), solid |
MD5: | 8A0F4E30AEB06C587639D29E7015A099 |
SHA1: | DC63B5811718C2D3DE99D58C6FB3E2B4A6F21BCE |
SHA256: | 99DADD8757FC9ED6B61297E4EED2D874B31802BB5FC5E4077567559FD6B7EE5F |
SSDEEP: | 6144:fYPRTTDMr/NL3lAQScogB2YFa9lL1q5qKvUb1jse1VhCGdH5+YLvh:QPNIzMQrL2Y89lhqYKcpiGdH5zh |
Extension: | .ace | ACE compressed archive (100) |
PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---
2580 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\QUATATION PAID.ace" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Version: 5.60.0
2104 | "C:\Users\admin\Desktop\QUATATION PAID.exe" | C:\Users\admin\Desktop\QUATATION PAID.exe | — | explorer.exe | User: admin; Company: IRRECONCILIABLY; Integrity Level: MEDIUM; Description: Samala; Exit code: 0; Version: 1.09.0009
1968 | "C:\Users\admin\Desktop\QUATATION PAID.exe" | C:\Users\admin\Desktop\QUATATION PAID.exe | — | QUATATION PAID.exe | User: admin; Company: IRRECONCILIABLY; Integrity Level: MEDIUM; Description: Samala; Exit code: 0; Version: 1.09.0009
2980 | "C:\Users\admin\AppData\Roaming\Install\Host.exe" | C:\Users\admin\AppData\Roaming\Install\Host.exe | — | QUATATION PAID.exe | User: admin; Company: IRRECONCILIABLY; Integrity Level: MEDIUM; Description: Samala; Exit code: 0; Version: 1.09.0009
3592 | "C:\Users\admin\AppData\Roaming\Install\Host.exe" | C:\Users\admin\AppData\Roaming\Install\Host.exe | — | Host.exe | User: admin; Company: IRRECONCILIABLY; Integrity Level: MEDIUM; Description: Samala; Version: 1.09.0009
PID | Process | Operation | Key | Name | Value
---|---|---|---|---|---
2580 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtBMP | 
2580 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtIcon | 
2580 | WinRAR.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | LanguageList | en-US
2580 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 0 | C:\Users\admin\AppData\Local\Temp\QUATATION PAID.ace
2580 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | name | 120
2580 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | size | 80
2580 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | type | 120
2580 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | mtime | 100
2580 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\ACE Compression Software\ActiveAce\2.0 | Count | 0
2580 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\ACE Compression Software\ActiveAce\2.0 | Name | 542D4B42647265644B76737A7E794B566767537663764B5B7874767B4B43727A674B4642564356435E58593747565E53397674721717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171700
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
1968 | QUATATION PAID.exe | C:\Users\admin\AppData\Roaming\Install\Host.exe | executable | 145890A566EFFE77E017E50F1F0DC344 | E5D29DFF5DC227A3B4446BABAA6D41CC82B89F738232B4935847FA923114EAF8
2580 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2580.8853\QUATATION PAID.exe | executable | 145890A566EFFE77E017E50F1F0DC344 | E5D29DFF5DC227A3B4446BABAA6D41CC82B89F738232B4935847FA923114EAF8
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3592 | Host.exe | 91.192.100.57:32144 | duc1234.duckdns.org | SOFTplus Entwicklungen GmbH | CH | malicious |
Domain | IP | Reputation
---|---|---
duc1234.duckdns.org | | malicious
PID | Process | Class | Message |
---|---|---|---|
— | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |
3592 | Host.exe | A Network Trojan was detected | MALWARE [PTsecurity] Netwire.RAT |
3592 | Host.exe | A Network Trojan was detected | ET TROJAN Possible Netwire RAT Client HeartBeat C2 |
3592 | Host.exe | A Network Trojan was detected | ET TROJAN Possible Netwire RAT Client HeartBeat C2 |
3592 | Host.exe | A Network Trojan was detected | ET TROJAN Possible Netwire RAT Client HeartBeat C2 |
3592 | Host.exe | A Network Trojan was detected | ET TROJAN Possible Netwire RAT Client HeartBeat C2 |
3592 | Host.exe | A Network Trojan was detected | ET TROJAN Possible Netwire RAT Client HeartBeat C2 |