download: | file |
Full analysis: | https://app.any.run/tasks/5ac17d15-2eca-45eb-823f-fe85c29b250c |
Verdict: | Malicious activity |
Threats: | Netwire is an advanced RAT — it is a malware that takes control of infected PCs and allows its operators to perform various actions. Unlike many RATs, this one can target every major operating system, including Windows, Linux, and MacOS. |
Analysis date: | September 19, 2019, 05:53:45 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-7z-compressed |
File info: | 7-zip archive data, version 0.4 |
MD5: | AC95B698CD5875323D5A68798BC0F240 |
SHA1: | 1D783115A32945F1627172767A2067F7F44C7A3E |
SHA256: | A7576A2050890B0A21239257CD83BF4F8F0F04EDF8E658895C44D6534799F096 |
SSDEEP: | 6144:sOyA/Twki70GbVRliHkIdDv8Gq+RUPG/s8ZYX0uqCRWgfudo+uFa1:szwSR3iET2UO0uurRpfuKVs |
.7z | | | 7-Zip compressed archive (v0.4) (57.1) |
---|---|---|
.7z | | | 7-Zip compressed archive (gen) (42.8) |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2864 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\file.7z" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
1576 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa2864.47611\invoice paid wire copy.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa2864.47611\invoice paid wire copy.exe | — | WinRAR.exe |
User: admin Company: SOLVOLYZEDCATHION9 Integrity Level: MEDIUM Description: SOLVOLYZEDdungbird Exit code: 0 Version: 1.06.0001 | ||||
3212 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa2864.47611\invoice paid wire copy.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa2864.47611\invoice paid wire copy.exe | invoice paid wire copy.exe | |
User: admin Company: SOLVOLYZEDCATHION9 Integrity Level: MEDIUM Description: SOLVOLYZEDdungbird Exit code: 0 Version: 1.06.0001 | ||||
2912 | "C:\Users\admin\AppData\Roaming\Install\Host.exe" | C:\Users\admin\AppData\Roaming\Install\Host.exe | — | invoice paid wire copy.exe |
User: admin Company: SOLVOLYZEDCATHION9 Integrity Level: MEDIUM Description: SOLVOLYZEDdungbird Exit code: 0 Version: 1.06.0001 | ||||
2280 | "C:\Users\admin\AppData\Roaming\Install\Host.exe" | C:\Users\admin\AppData\Roaming\Install\Host.exe | Host.exe | |
User: admin Company: SOLVOLYZEDCATHION9 Integrity Level: MEDIUM Description: SOLVOLYZEDdungbird Version: 1.06.0001 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2864 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2864.47611\invoice paid wire copy.exe | executable | |
MD5:B25CBA10325EF3572CE235F8E7F9AC1B | SHA256:D6E2619EB28A5FBF970DF2BB1FCC82DA34D54803FCD044F4C3EE7FE2B6555758 | |||
3212 | invoice paid wire copy.exe | C:\Users\admin\AppData\Roaming\Install\Host.exe | executable | |
MD5:B25CBA10325EF3572CE235F8E7F9AC1B | SHA256:D6E2619EB28A5FBF970DF2BB1FCC82DA34D54803FCD044F4C3EE7FE2B6555758 |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2280 | Host.exe | 185.165.153.219:3366 | gbam0001.duckdns.org | — | NL | malicious |
Domain | IP | Reputation |
---|---|---|
gbam0001.duckdns.org |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
— | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |
2280 | Host.exe | A Network Trojan was detected | MALWARE [PTsecurity] Netwire.RAT |