File name:

SoldierCards NEW.rar

Full analysis: https://app.any.run/tasks/3473cc83-0138-4e4e-9b81-efb9d796f025
Verdict: Malicious activity
Threats:

Netwire is an advanced RAT — it is a malware that takes control of infected PCs and allows its operators to perform various actions. Unlike many RATs, this one can target every major operating system, including Windows, Linux, and MacOS.

Malware Trends Tracker     >>>
Analysis date: December 15, 2018, 10:32:06
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
rat
netwire
trojan
Indicators:
MIME: application/x-rar
File info: RAR archive data, v4, os: Win32
MD5:

EA124110EC1CA5EF9856C69C2BCFE2CC

SHA1:

5369F34AB536733EE74C8C4C7EA1E315D82B2245

SHA256:

E05C3B47A45BEDFC3391E52013E03FA23D36320384320CA5BC9628342F6DBBCD

SSDEEP:

6144:dJmbqti8vEVxpXNKFIJTknnn1WU4j3wOTimklfPxLpEoubRXw+IX7DXyTO4SZKqt:dYbhAeNkFT1W3TwxLpEou1g+YbyTO4gt

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • SoldierCards .exe (PID: 2940)
      • svchost.exe (PID: 4012)
      • sc.exe (PID: 4068)
      • svchost.exe (PID: 3124)
      • SoldierCards .exe (PID: 3564)
      • SoldierCards.exe (PID: 2564)
      • SoldierCards .exe (PID: 2292)
      • SoldierCards .exe (PID: 3148)
      • SoldierCards.exe (PID: 3808)
      • sc.exe (PID: 4028)
      • sc.exe (PID: 3740)
      • svchost.exe (PID: 3136)
      • svchost.exe (PID: 3260)
      • SoldierCards .exe (PID: 3176)
      • SoldierCards .exe (PID: 2116)
      • sc.exe (PID: 3336)
      • sc.exe (PID: 2692)
      • svchost.exe (PID: 2560)
      • svchost.exe (PID: 3096)
      • SoldierCards.exe (PID: 4024)
      • sc.exe (PID: 2740)

    • Changes the autorun value in the registry

      • svchost.exe (PID: 4012)
      • svchost.exe (PID: 3136)
      • svchost.exe (PID: 3096)

    • NETWIRE was detected

      • svchost.exe (PID: 4012)
      • svchost.exe (PID: 3136)
      • svchost.exe (PID: 3096)

    • Connects to CnC server

      • svchost.exe (PID: 4012)

  • SUSPICIOUS

    • Application launched itself

      • SoldierCards .exe (PID: 2940)
      • cmd.exe (PID: 2420)
      • svchost.exe (PID: 3260)
      • sc.exe (PID: 4028)
      • SoldierCards .exe (PID: 2116)
      • cmd.exe (PID: 2892)
      • svchost.exe (PID: 3124)

    • Creates files in the user directory

      • sc.exe (PID: 4068)
      • svchost.exe (PID: 4012)
      • sc.exe (PID: 3740)
      • svchost.exe (PID: 3136)
      • sc.exe (PID: 3336)
      • svchost.exe (PID: 3096)

    • Starts CMD.EXE for commands execution

      • svchost.exe (PID: 4012)
      • cmd.exe (PID: 2420)
      • svchost.exe (PID: 3136)
      • cmd.exe (PID: 2892)
      • svchost.exe (PID: 3096)

    • Executable content was dropped or overwritten

      • SoldierCards .exe (PID: 3564)
      • SoldierCards .exe (PID: 3148)
      • sc.exe (PID: 3740)
      • SoldierCards .exe (PID: 3176)
      • sc.exe (PID: 3336)
      • sc.exe (PID: 4068)

    • Connects to unusual port

      • svchost.exe (PID: 4012)
      • svchost.exe (PID: 3136)
      • svchost.exe (PID: 3096)

    • Creates executable files which already exist in Windows

      • sc.exe (PID: 3740)
      • sc.exe (PID: 3336)
      • sc.exe (PID: 4068)

    • Starts itself from another location

      • sc.exe (PID: 3336)
      • sc.exe (PID: 4068)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v-4.x) (58.3)
.rar | RAR compressed archive (gen) (41.6)

EXIF

ZIP

CompressedSize: 342086
UncompressedSize: 859648
OperatingSystem: Win32
ModifyDate: 2018:12:15 11:57:14
PackingMethod: Normal
ArchivedFileName: SoldierCards .exe
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
79
Monitored processes
32
Malicious processes
18
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start winrar.exe no specs soldiercards .exe soldiercards .exe soldiercards.exe no specs sc.exe no specs sc.exe svchost.exe no specs #NETWIRE svchost.exe explorer.exe no specs cmd.exe no specs ping.exe no specs cmd.exe no specs soldiercards .exe no specs soldiercards .exe soldiercards.exe no specs sc.exe no specs sc.exe svchost.exe no specs #NETWIRE svchost.exe cmd.exe no specs ping.exe no specs cmd.exe no specs soldiercards .exe no specs soldiercards .exe soldiercards.exe no specs sc.exe no specs sc.exe svchost.exe no specs #NETWIRE svchost.exe cmd.exe no specs ping.exe no specs notepad.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
904cmd /c del "C:\Users\admin\AppData\Local\Temp\mGk2U0c0s.bat"C:\Windows\system32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
2116"C:\Users\admin\Desktop\SoldierCards .exe" C:\Users\admin\Desktop\SoldierCards .exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
1
Version:
1.0.0.0
Modules
Images
c:\users\admin\desktop\soldiercards .exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
2292"C:\Users\admin\Desktop\SoldierCards .exe" C:\Users\admin\Desktop\SoldierCards .exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
1
Version:
1.0.0.0
Modules
Images
c:\users\admin\desktop\soldiercards .exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
2420C:\Windows\system32\cmd.exe /c "C:\Users\admin\AppData\Local\Temp\mGk2U0c0s.bat"C:\Windows\system32\cmd.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
2560"C:\Users\admin\AppData\Roaming\Microsoft\Network\svchost.exe"C:\Users\admin\AppData\Roaming\Microsoft\Network\svchost.exesc.exe
User:
admin
Company:
New Program
Integrity Level:
MEDIUM
Description:
New Program
Exit code:
1
Version:
8.3.3.6
Modules
Images
c:\users\admin\appdata\roaming\microsoft\network\svchost.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
2564"C:\Users\admin\AppData\Local\Temp\SoldierCards.exe" 0C:\Users\admin\AppData\Local\Temp\SoldierCards.exeSoldierCards .exe
User:
admin
Company:
SoldierCrimes
Integrity Level:
HIGH
Description:
SoldierCards
Exit code:
3221225786
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\soldiercards.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
2572"C:\Windows\explorer.exe" C:\Windows\explorer.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\explorer.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
2596cmd /c del "C:\Users\admin\AppData\Local\Temp\Gaa2o0uuC4.bat"C:\Windows\system32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
2672"C:\Windows\System32\NOTEPAD.EXE" C:\Users\admin\Desktop\cCuik6m8i.batC:\Windows\System32\NOTEPAD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\notepad.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
2692"C:\Users\admin\AppData\Local\Temp\sc.exe" 0C:\Users\admin\AppData\Local\Temp\sc.exeSoldierCards .exe
User:
admin
Company:
New Program
Integrity Level:
MEDIUM
Description:
New Program
Exit code:
1
Version:
8.3.3.6
Modules
Images
c:\users\admin\appdata\local\temp\sc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
Total events
1 542
Read events
1 503
Write events
35
Delete events
4

Modification events

(PID) Process:(3400) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(3400) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(3400) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(3400) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\SoldierCards NEW.rar
(PID) Process:(3400) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(3400) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(3400) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(3400) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(3400) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin
Operation:writeName:Placement
Value:
2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000
(PID) Process:(3400) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\General
Operation:writeName:LastFolder
Value:
C:\Users\admin\AppData\Local\Temp
Executable files
8
Suspicious files
4
Text files
3
Unknown types
0

Dropped files

PID
Process
Filename
Type
3400WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3400.45843\SoldierCards .exe
MD5:
SHA256:
3564SoldierCards .exeC:\Users\admin\AppData\Local\Temp\SoldierCards.exeexecutable
MD5:
SHA256:
3148SoldierCards .exeC:\Users\admin\AppData\Local\Temp\SoldierCards.exeexecutable
MD5:
SHA256:
4012svchost.exeC:\Users\admin\AppData\Roaming\Microsoft\Network\Settings.inibinary
MD5:
SHA256:
4068sc.exeC:\Users\admin\AppData\Roaming\Microsoft\Network\svchost.exeexecutable
MD5:
SHA256:
3136svchost.exeC:\Users\admin\AppData\Local\Temp\Gaa2o0uuC4.battext
MD5:
SHA256:
4012svchost.exeC:\Users\admin\AppData\Local\Temp\mGk2U0c0s.battext
MD5:
SHA256:
3564SoldierCards .exeC:\Users\admin\AppData\Local\Temp\sc.exeexecutable
MD5:
SHA256:
4012svchost.exeC:\Users\admin\AppData\Roaming\Microsoft\Network\Logs\15-12-2018binary
MD5:
SHA256:
3148SoldierCards .exeC:\Users\admin\AppData\Local\Temp\sc.exeexecutable
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
3
DNS requests
1
Threats
7

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3136
svchost.exe
37.228.134.84:8999
playhardgopro.life
Mike Kaldig
DE
suspicious
3096
svchost.exe
37.228.134.84:8999
playhardgopro.life
Mike Kaldig
DE
suspicious
4012
svchost.exe
37.228.134.84:8999
playhardgopro.life
Mike Kaldig
DE
suspicious

DNS requests

Domain
IP
Reputation
playhardgopro.life
  • 37.228.134.84
malicious

Threats

PID
Process
Class
Message
4012
svchost.exe
A Network Trojan was detected
SC SPYWARE Spyware Weecnaw Win32
4012
svchost.exe
A Network Trojan was detected
MALWARE [PTsecurity] Netwire.RAT
4012
svchost.exe
A Network Trojan was detected
ET TROJAN Possible Netwire RAT Client HeartBeat C2
3136
svchost.exe
A Network Trojan was detected
SC SPYWARE Spyware Weecnaw Win32
3136
svchost.exe
A Network Trojan was detected
MALWARE [PTsecurity] Netwire.RAT
3096
svchost.exe
A Network Trojan was detected
SC SPYWARE Spyware Weecnaw Win32
3096
svchost.exe
A Network Trojan was detected
MALWARE [PTsecurity] Netwire.RAT
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
SoldierCards NEW.rar