analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
download:

file

Full analysis: https://app.any.run/tasks/87adf645-507a-4654-9248-2472d74cc9e8
Verdict: Malicious activity
Threats:

Netwire is an advanced RAT — it is a malware that takes control of infected PCs and allows its operators to perform various actions. Unlike many RATs, this one can target every major operating system, including Windows, Linux, and MacOS.

Malware Trends Tracker     >>>
Analysis date: October 14, 2019, 12:38:26
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
torjan
netwire
Indicators:
MIME: application/x-7z-compressed
File info: 7-zip archive data, version 0.4
MD5:

E9CECDB7171B5C3AC9A45AD2C9A8245F

SHA1:

57AA8CB91200C06D92A10DE8EF41B9B68C3822E5

SHA256:

DA80A512664420763FF13B739E5E31B3D4D5DDE1C7EFB80769079EA2D2B864CC

SSDEEP:

6144:FVj2Fjplll7NNIj/+r6VIIb3OjPIFVNJyiiC9OQnUc+fYmvEERgx4pFjPIfPOPMM:FhALl7H8+QIIb3cyhOCUcfmvhpJoPOPp

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • REMITTANCE COPY FOR OCT.exe (PID: 4004)
      • REMITTANCE COPY FOR OCT.exe (PID: 2840)
      • Host.exe (PID: 3360)
      • Host.exe (PID: 3136)

    • Changes the autorun value in the registry

      • Host.exe (PID: 3360)

    • NETWIRE was detected

      • Host.exe (PID: 3360)

  • SUSPICIOUS

    • Application launched itself

      • REMITTANCE COPY FOR OCT.exe (PID: 4004)
      • Host.exe (PID: 3136)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2752)
      • REMITTANCE COPY FOR OCT.exe (PID: 2840)

    • Creates files in the user directory

      • REMITTANCE COPY FOR OCT.exe (PID: 2840)

    • Starts itself from another location

      • REMITTANCE COPY FOR OCT.exe (PID: 2840)

    • Connects to unusual port

      • Host.exe (PID: 3360)

  • INFO

    • Manual execution by user

      • REMITTANCE COPY FOR OCT.exe (PID: 4004)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.7z | 7-Zip compressed archive (v0.4) (57.1)
.7z | 7-Zip compressed archive (gen) (42.8)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
40
Monitored processes
5
Malicious processes
4
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start winrar.exe remittance copy for oct.exe no specs remittance copy for oct.exe host.exe no specs #NETWIRE host.exe

Process information

PID
CMD
Path
Indicators
Parent process
2752"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\file.7z"C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
4004"C:\Users\admin\Desktop\REMITTANCE COPY FOR OCT.exe" C:\Users\admin\Desktop\REMITTANCE COPY FOR OCT.exeexplorer.exe
User:
admin
Company:
Mccaysladykilling4
Integrity Level:
MEDIUM
Exit code:
0
Version:
1.01.0004
2840"C:\Users\admin\Desktop\REMITTANCE COPY FOR OCT.exe" C:\Users\admin\Desktop\REMITTANCE COPY FOR OCT.exe
REMITTANCE COPY FOR OCT.exe
User:
admin
Company:
Mccaysladykilling4
Integrity Level:
MEDIUM
Exit code:
0
Version:
1.01.0004
3136"C:\Users\admin\AppData\Roaming\Install\Host.exe" C:\Users\admin\AppData\Roaming\Install\Host.exeREMITTANCE COPY FOR OCT.exe
User:
admin
Company:
Mccaysladykilling4
Integrity Level:
MEDIUM
Exit code:
0
Version:
1.01.0004
3360"C:\Users\admin\AppData\Roaming\Install\Host.exe" C:\Users\admin\AppData\Roaming\Install\Host.exe
Host.exe
User:
admin
Company:
Mccaysladykilling4
Integrity Level:
MEDIUM
Version:
1.01.0004
Total events
790
Read events
763
Write events
27
Delete events
0

Modification events

(PID) Process:(2752) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(2752) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(2752) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\12B\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(2752) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\file.7z
(PID) Process:(2752) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(2752) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(2752) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(2752) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(2840) REMITTANCE COPY FOR OCT.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(2840) REMITTANCE COPY FOR OCT.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
Executable files
2
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
2752WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2752.29304\REMITTANCE COPY FOR OCT.exeexecutable
MD5:BDBDB1EA562EEB74D1D4E9B9A8C0595D
SHA256:D9BFF1AE2F4859AE2521F0869F7E9863B52EA1D81E537BB0CA003BF730696FA7
2840REMITTANCE COPY FOR OCT.exeC:\Users\admin\AppData\Roaming\Install\Host.exeexecutable
MD5:BDBDB1EA562EEB74D1D4E9B9A8C0595D
SHA256:D9BFF1AE2F4859AE2521F0869F7E9863B52EA1D81E537BB0CA003BF730696FA7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
3
DNS requests
5
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3360
Host.exe
79.134.225.119:3369
fucktoto.duckdns.org
Andreas Fink trading as Fink Telecom Services
CH
malicious

DNS requests

Domain
IP
Reputation
fucktoto.duckdns.org
  • 79.134.225.119
malicious
dns.msftncsi.com
  • 131.107.255.255
shared

Threats

PID
Process
Class
Message
Misc activity
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
Misc activity
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
Misc activity
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
file