Field | Value
---|---
Download | file
Full analysis | https://app.any.run/tasks/87adf645-507a-4654-9248-2472d74cc9e8
Verdict | Malicious activity
Threats | Netwire is an advanced RAT — it is malware that takes control of infected PCs and allows its operators to perform various actions. Unlike many RATs, this one can target every major operating system, including Windows, Linux, and MacOS.
Analysis date | October 14, 2019, 12:38:26
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags | 
Indicators | 
MIME | application/x-7z-compressed
File info | 7-zip archive data, version 0.4
MD5 | E9CECDB7171B5C3AC9A45AD2C9A8245F
SHA1 | 57AA8CB91200C06D92A10DE8EF41B9B68C3822E5
SHA256 | DA80A512664420763FF13B739E5E31B3D4D5DDE1C7EFB80769079EA2D2B864CC
SSDEEP | 6144:FVj2Fjplll7NNIj/+r6VIIb3OjPIFVNJyiiC9OQnUc+fYmvEERgx4pFjPIfPOPMM:FhALl7H8+QIIb3cyhOCUcfmvhpJoPOPp

Extension | Detected type (score)
---|---
.7z | 7-Zip compressed archive (v0.4) (57.1)
.7z | 7-Zip compressed archive (gen) (42.8)

PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---
2752 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\file.7z" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Exit code: 0; Version: 5.60.0
4004 | "C:\Users\admin\Desktop\REMITTANCE COPY FOR OCT.exe" | C:\Users\admin\Desktop\REMITTANCE COPY FOR OCT.exe | — | explorer.exe | User: admin; Company: Mccaysladykilling4; Integrity Level: MEDIUM; Exit code: 0; Version: 1.01.0004
2840 | "C:\Users\admin\Desktop\REMITTANCE COPY FOR OCT.exe" | C:\Users\admin\Desktop\REMITTANCE COPY FOR OCT.exe | — | REMITTANCE COPY FOR OCT.exe | User: admin; Company: Mccaysladykilling4; Integrity Level: MEDIUM; Exit code: 0; Version: 1.01.0004
3136 | "C:\Users\admin\AppData\Roaming\Install\Host.exe" | C:\Users\admin\AppData\Roaming\Install\Host.exe | — | REMITTANCE COPY FOR OCT.exe | User: admin; Company: Mccaysladykilling4; Integrity Level: MEDIUM; Exit code: 0; Version: 1.01.0004
3360 | "C:\Users\admin\AppData\Roaming\Install\Host.exe" | C:\Users\admin\AppData\Roaming\Install\Host.exe | — | Host.exe | User: admin; Company: Mccaysladykilling4; Integrity Level: MEDIUM; Version: 1.01.0004

PID | Process | Key | Operation | Name | Value
---|---|---|---|---|---
2752 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | write | ShellExtBMP | 
2752 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | write | ShellExtIcon | 
2752 | WinRAR.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\12B\52C64B7E | write | LanguageList | en-US
2752 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 0 | C:\Users\admin\AppData\Local\Temp\file.7z
2752 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | name | 120
2752 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | size | 80
2752 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | type | 120
2752 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | mtime | 100
2840 | REMITTANCE COPY FOR OCT.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | UNCAsIntranet | 0
2840 | REMITTANCE COPY FOR OCT.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | AutoDetect | 1

PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
2752 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2752.29304\REMITTANCE COPY FOR OCT.exe | executable | BDBDB1EA562EEB74D1D4E9B9A8C0595D | D9BFF1AE2F4859AE2521F0869F7E9863B52EA1D81E537BB0CA003BF730696FA7
2840 | REMITTANCE COPY FOR OCT.exe | C:\Users\admin\AppData\Roaming\Install\Host.exe | executable | BDBDB1EA562EEB74D1D4E9B9A8C0595D | D9BFF1AE2F4859AE2521F0869F7E9863B52EA1D81E537BB0CA003BF730696FA7

PID | Process | IP | Domain | ASN | CN | Reputation
---|---|---|---|---|---|---
3360 | Host.exe | 79.134.225.119:3369 | fucktoto.duckdns.org | Andreas Fink trading as Fink Telecom Services | CH | malicious

Domain | IP | Reputation
---|---|---
fucktoto.duckdns.org | | malicious
dns.msftncsi.com | | shared

PID | Process | Class | Message
---|---|---|---
— | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
— | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
— | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain