Source: C:\Users\user\Desktop\615.exe
Code function: 0_2_0040F090 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext
Source: C:\Users\user\Desktop\615.exe
Code function: 0_2_004101F0 CryptUnprotectData,LocalFree
Source: C:\Users\user\Desktop\615.exe
Code function: 0_2_0040DEC0 RegOpenKeyExA,RegEnumKeyExA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,RegCloseKey,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegOpenKeyExA,RegEnumKeyExA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,CryptUnprotectData,LocalFree,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,CryptUnprotectData,LocalFree,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA
Source: C:\Users\user\Desktop\615.exe
Code function: 0_2_004074C0 SetErrorMode,FindFirstFileA,FindNextFileA,FileTimeToSystemTime,FindClose
Source: C:\Users\user\Desktop\615.exe
Code function: 0_2_004080E0 GetFileAttributesA,SetErrorMode,FindFirstFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\615.exe
Code function: 0_2_004078A0 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\615.exe
Code function: 0_2_004159E0 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\615.exe
Code function: 0_2_0040FA80 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,strlen
Source: 615.exe, type: SAMPLE
Matched rule: Windows_Trojan_Netwire_1b43df38 Author: unknown
Source: 615.exe, type: SAMPLE
Matched rule: Detects unspecified malware sample Author: Florian Roth
Source: 615.exe, type: SAMPLE
Matched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
Source: 615.exe, type: SAMPLE
Matched rule: Detects NetWire RAT Author: ditekSHen
Source: 0.2.615.exe.400000.0.unpack, type: UNPACKEDPE
Matched rule: Windows_Trojan_Netwire_1b43df38 Author: unknown
Source: 0.2.615.exe.400000.0.unpack, type: UNPACKEDPE
Matched rule: Detects unspecified malware sample Author: Florian Roth
Source: 0.2.615.exe.400000.0.unpack, type: UNPACKEDPE
Matched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.615.exe.400000.0.unpack, type: UNPACKEDPE
Matched rule: Detects NetWire RAT Author: ditekSHen
Source: 0.0.615.exe.400000.0.unpack, type: UNPACKEDPE
Matched rule: Windows_Trojan_Netwire_1b43df38 Author: unknown
Source: 0.0.615.exe.400000.0.unpack, type: UNPACKEDPE
Matched rule: Detects unspecified malware sample Author: Florian Roth
Source: 0.0.615.exe.400000.0.unpack, type: UNPACKEDPE
Matched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
Source: 0.0.615.exe.400000.0.unpack, type: UNPACKEDPE
Matched rule: Detects NetWire RAT Author: ditekSHen
Source: 00000000.00000002.2908476730.0000000000417000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Matched rule: Windows_Trojan_Netwire_1b43df38 Author: unknown
Source: 00000000.00000002.2908476730.0000000000417000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Matched rule: Detects unspecified malware sample Author: Florian Roth
Source: 00000000.00000002.2908476730.0000000000417000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Matched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.2908494293.0000000000418000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Matched rule: Windows_Trojan_Netwire_1b43df38 Author: unknown
Source: 00000000.00000000.1656153629.0000000000417000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Matched rule: Windows_Trojan_Netwire_1b43df38 Author: unknown
Source: 00000000.00000000.1656153629.0000000000417000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Matched rule: Detects unspecified malware sample Author: Florian Roth
Source: 00000000.00000000.1656153629.0000000000417000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Matched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: 615.exe PID: 7428, type: MEMORYSTR
Matched rule: Windows_Trojan_Netwire_1b43df38 Author: unknown
Source: Process Memory Space: 615.exe PID: 7428, type: MEMORYSTR
Matched rule: Detects unspecified malware sample Author: Florian Roth
Source: Process Memory Space: 615.exe PID: 7428, type: MEMORYSTR
Matched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\Desktop\615.exe
Code function: 0_2_00403861
Source: C:\Users\user\Desktop\615.exe
Code function: 0_2_00405420
Source: C:\Users\user\Desktop\615.exe
Code function: 0_2_00403497
Source: C:\Users\user\Desktop\615.exe
Code function: 0_2_00403D10
Source: C:\Users\user\Desktop\615.exe
Code function: 0_2_00403190
Source: C:\Users\user\Desktop\615.exe
Code function: 0_2_00402D90
Source: C:\Users\user\Desktop\615.exe
Code function: 0_2_0040BE80
Source: C:\Users\user\Desktop\615.exe
Code function: 0_2_00402FCC
Source: C:\Users\user\Desktop\615.exe
Code function: 0_2_004033D0
Source: C:\Users\user\Desktop\615.exe
Code function: 0_2_004113F0
Source: 615.exe, type: SAMPLE
Matched rule: Windows_Trojan_Netwire_1b43df38 reference_sample = e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Netwire, fingerprint = 4142ea14157939dc23b8d1f5d83182aef3a5877d2506722f7a2706b7cb475b76, id = 1b43df38-886e-4f58-954a-a09f30f19907, last_modified = 2021-08-23
Source: 615.exe, type: SAMPLE
Matched rule: MAL_unspecified_Jan18_1 date = 2018-01-19, hash1 = f87879b29ff83616e9c9044bd5fb847cf5d2efdd2f01fc284d1a6ce7d464a417, author = Florian Roth, description = Detects unspecified malware sample, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 615.exe, type: SAMPLE
Matched rule: netwire author = JPCERT/CC Incident Response Group, description = detect netwire in memory, rule_usage = memory scan, reference = internal research
Source: 615.exe, type: SAMPLE
Matched rule: MALWARE_Win_NetWire author = ditekSHen, description = Detects NetWire RAT
Source: 0.2.615.exe.400000.0.unpack, type: UNPACKEDPE
Matched rule: Windows_Trojan_Netwire_1b43df38 reference_sample = e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Netwire, fingerprint = 4142ea14157939dc23b8d1f5d83182aef3a5877d2506722f7a2706b7cb475b76, id = 1b43df38-886e-4f58-954a-a09f30f19907, last_modified = 2021-08-23
Source: 0.2.615.exe.400000.0.unpack, type: UNPACKEDPE
Matched rule: MAL_unspecified_Jan18_1 date = 2018-01-19, hash1 = f87879b29ff83616e9c9044bd5fb847cf5d2efdd2f01fc284d1a6ce7d464a417, author = Florian Roth, description = Detects unspecified malware sample, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.615.exe.400000.0.unpack, type: UNPACKEDPE
Matched rule: netwire author = JPCERT/CC Incident Response Group, description = detect netwire in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.615.exe.400000.0.unpack, type: UNPACKEDPE
Matched rule: MALWARE_Win_NetWire author = ditekSHen, description = Detects NetWire RAT
Source: 0.0.615.exe.400000.0.unpack, type: UNPACKEDPE
Matched rule: Windows_Trojan_Netwire_1b43df38 reference_sample = e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Netwire, fingerprint = 4142ea14157939dc23b8d1f5d83182aef3a5877d2506722f7a2706b7cb475b76, id = 1b43df38-886e-4f58-954a-a09f30f19907, last_modified = 2021-08-23
Source: 0.0.615.exe.400000.0.unpack, type: UNPACKEDPE
Matched rule: MAL_unspecified_Jan18_1 date = 2018-01-19, hash1 = f87879b29ff83616e9c9044bd5fb847cf5d2efdd2f01fc284d1a6ce7d464a417, author = Florian Roth, description = Detects unspecified malware sample, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.0.615.exe.400000.0.unpack, type: UNPACKEDPE
Matched rule: netwire author = JPCERT/CC Incident Response Group, description = detect netwire in memory, rule_usage = memory scan, reference = internal research
Source: 0.0.615.exe.400000.0.unpack, type: UNPACKEDPE
Matched rule: MALWARE_Win_NetWire author = ditekSHen, description = Detects NetWire RAT
Source: 00000000.00000002.2908476730.0000000000417000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Matched rule: Windows_Trojan_Netwire_1b43df38 reference_sample = e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Netwire, fingerprint = 4142ea14157939dc23b8d1f5d83182aef3a5877d2506722f7a2706b7cb475b76, id = 1b43df38-886e-4f58-954a-a09f30f19907, last_modified = 2021-08-23
Source: 00000000.00000002.2908476730.0000000000417000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Matched rule: MAL_unspecified_Jan18_1 date = 2018-01-19, hash1 = f87879b29ff83616e9c9044bd5fb847cf5d2efdd2f01fc284d1a6ce7d464a417, author = Florian Roth, description = Detects unspecified malware sample, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.2908476730.0000000000417000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Matched rule: netwire author = JPCERT/CC Incident Response Group, description = detect netwire in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.2908494293.0000000000418000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Matched rule: Windows_Trojan_Netwire_1b43df38 reference_sample = e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Netwire, fingerprint = 4142ea14157939dc23b8d1f5d83182aef3a5877d2506722f7a2706b7cb475b76, id = 1b43df38-886e-4f58-954a-a09f30f19907, last_modified = 2021-08-23
Source: 00000000.00000000.1656153629.0000000000417000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Matched rule: Windows_Trojan_Netwire_1b43df38 reference_sample = e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Netwire, fingerprint = 4142ea14157939dc23b8d1f5d83182aef3a5877d2506722f7a2706b7cb475b76, id = 1b43df38-886e-4f58-954a-a09f30f19907, last_modified = 2021-08-23
Source: 00000000.00000000.1656153629.0000000000417000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Matched rule: MAL_unspecified_Jan18_1 date = 2018-01-19, hash1 = f87879b29ff83616e9c9044bd5fb847cf5d2efdd2f01fc284d1a6ce7d464a417, author = Florian Roth, description = Detects unspecified malware sample, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000000.1656153629.0000000000417000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Matched rule: netwire author = JPCERT/CC Incident Response Group, description = detect netwire in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: 615.exe PID: 7428, type: MEMORYSTR
Matched rule: Windows_Trojan_Netwire_1b43df38 reference_sample = e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Netwire, fingerprint = 4142ea14157939dc23b8d1f5d83182aef3a5877d2506722f7a2706b7cb475b76, id = 1b43df38-886e-4f58-954a-a09f30f19907, last_modified = 2021-08-23
Source: Process Memory Space: 615.exe PID: 7428, type: MEMORYSTR
Matched rule: MAL_unspecified_Jan18_1 date = 2018-01-19, hash1 = f87879b29ff83616e9c9044bd5fb847cf5d2efdd2f01fc284d1a6ce7d464a417, author = Florian Roth, description = Detects unspecified malware sample, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Process Memory Space: 615.exe PID: 7428, type: MEMORYSTR
Matched rule: netwire author = JPCERT/CC Incident Response Group, description = detect netwire in memory, rule_usage = memory scan, reference = internal research
Source: C:\Users\user\Desktop\615.exe
Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\615.exe
Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\615.exe
Section loaded: netutils.dll
Source: C:\Users\user\Desktop\615.exe
Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\615.exe
Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\615.exe
Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\615.exe
Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\615.exe
Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\615.exe
Section loaded: napinsp.dll
Source: C:\Users\user\Desktop\615.exe
Section loaded: pnrpnsp.dll
Source: C:\Users\user\Desktop\615.exe
Section loaded: wshbth.dll
Source: C:\Users\user\Desktop\615.exe
Section loaded: nlaapi.dll
Source: C:\Users\user\Desktop\615.exe
Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\615.exe
Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\615.exe
Section loaded: winrnr.dll
Source: C:\Users\user\Desktop\615.exe
Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\615.exe
Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\615.exe
Section loaded: rasadhlp.dll
Source: Yara match
File source: 615.exe, type: SAMPLE
Source: Yara match
File source: 0.2.615.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match
File source: 0.0.615.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match
File source: 00000000.00000002.2908476730.0000000000417000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match
File source: 00000000.00000000.1656153629.0000000000417000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match
File source: Process Memory Space: 615.exe PID: 7428, type: MEMORYSTR