Windows Analysis Report
615.exe

Overview

General Information

Sample name: 615.exe
(renamed file extension from none to exe)
Original sample name: 615
Analysis ID: 1428502
MD5: 9874f93464760f8b7962945950ec67ae
SHA1: 033f9854890961f9b962d088de8e3e84b0fd4018
SHA256: 615ee113e8a5df5c2ec5367dc89837881783a0f53303e16bc2a6228d9ffa9a15

Detection

NetWire
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: NetWire
Yara detected NetWire RAT
Yara detected Netwire RAT
Contains functionality to log keystrokes
Found evasive API chain (may stop execution after checking mutex)
Machine Learning detection for sample
Contains functionality to dynamically determine API calls
Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found decision node followed by non-executed suspicious APIs
Found evasive API chain (date check)
Found evasive API chain (may stop execution after accessing registry keys)
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
Potential key logger detected (key state polling based)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Yara signature match

Classification

Name: NetWire RC, NetWire
Description: Netwire is a RAT; its functionality seems focused on password stealing and keylogging, but it includes remote control capabilities as well. Keylog files are stored on the infected machine in an obfuscated form. The algorithm is: for i in range(0,num_read): buffer[i] = ((buffer[i]-0x24)^0x9D)&0xFF
Attribution:
  • APT33
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.netwire

AV Detection

Source: 615.exe Avira: detected
Source: winsec.warii.club Virustotal: Detection: 11%
Source: boa.eimaragon.org Virustotal: Detection: 5%
Source: 615.exe ReversingLabs: Detection: 91%
Source: 615.exe Virustotal: Detection: 75%
Source: 615.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\615.exe Code function: 0_2_0040F090 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, 0_2_0040F090
Source: C:\Users\user\Desktop\615.exe Code function: 0_2_004101F0 CryptUnprotectData,LocalFree, 0_2_004101F0
Source: C:\Users\user\Desktop\615.exe Code function: 0_2_0040DEC0 RegOpenKeyExA,RegEnumKeyExA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,RegCloseKey,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegOpenKeyExA,RegEnumKeyExA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,CryptUnprotectData,LocalFree,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,CryptUnprotectData,LocalFree,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA, 0_2_0040DEC0
Source: 615.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: C:\Users\user\Desktop\615.exe Code function: 0_2_004074C0 SetErrorMode,FindFirstFileA,FindNextFileA,FileTimeToSystemTime,FindClose, 0_2_004074C0
Source: C:\Users\user\Desktop\615.exe Code function: 0_2_004080E0 GetFileAttributesA,SetErrorMode,FindFirstFileA,FindNextFileA,FindClose, 0_2_004080E0
Source: C:\Users\user\Desktop\615.exe Code function: 0_2_004078A0 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose, 0_2_004078A0
Source: C:\Users\user\Desktop\615.exe Code function: 0_2_004159E0 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose, 0_2_004159E0
Source: C:\Users\user\Desktop\615.exe Code function: 0_2_0040FA80 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,strlen, 0_2_0040FA80
Source: C:\Users\user\Desktop\615.exe Code function: 0_2_00407410 GetLogicalDriveStringsA,GetDriveTypeA, 0_2_00407410
Source: global traffic TCP traffic: 192.168.2.4:49730 -> 103.224.212.210:3303
Source: Joe Sandbox View IP Address: 103.224.212.210
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\615.exe Code function: 0_2_00407050 recv,WSAGetLastError, 0_2_00407050
Source: unknown DNS traffic detected: queries for: winsec.warii.club

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\615.exe Code function: 0_2_0040AE80 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyboardState,MapVirtualKeyA,ToAscii,MapVirtualKeyA,GetKeyNameTextA,GetKeyState,GetKeyState, 0_2_0040AE80
Source: C:\Users\user\Desktop\615.exe Code function: 0_2_00413440 GetSystemMetrics,GetSystemMetrics,GetDesktopWindow,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,ReleaseDC,DeleteDC,DeleteObject,free,GetDIBits,calloc,GetDIBits, 0_2_00413440
Source: C:\Users\user\Desktop\615.exe Code function: 0_2_0040AE80 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyboardState,MapVirtualKeyA,ToAscii,MapVirtualKeyA,GetKeyNameTextA,GetKeyState,GetKeyState, 0_2_0040AE80
Source: C:\Users\user\Desktop\615.exe Code function: 0_2_0040B199 DefWindowProcA,RegisterRawInputDevices,GetRawInputData,malloc,GetRawInputData,PostQuitMessage, 0_2_0040B199
Source: C:\Users\user\Desktop\615.exe Code function: 0_2_0040AE80 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyboardState,MapVirtualKeyA,ToAscii,MapVirtualKeyA,GetKeyNameTextA,GetKeyState,GetKeyState, 0_2_0040AE80

System Summary

Source: 615.exe, type: SAMPLE Matched rule: Windows_Trojan_Netwire_1b43df38 Author: unknown
Source: 615.exe, type: SAMPLE Matched rule: Detects unspecified malware sample Author: Florian Roth
Source: 615.exe, type: SAMPLE Matched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
Source: 615.exe, type: SAMPLE Matched rule: Detects NetWire RAT Author: ditekSHen
Source: 0.2.615.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Netwire_1b43df38 Author: unknown
Source: 0.2.615.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects unspecified malware sample Author: Florian Roth
Source: 0.2.615.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.615.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects NetWire RAT Author: ditekSHen
Source: 0.0.615.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Netwire_1b43df38 Author: unknown
Source: 0.0.615.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects unspecified malware sample Author: Florian Roth
Source: 0.0.615.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
Source: 0.0.615.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects NetWire RAT Author: ditekSHen
Source: 00000000.00000002.2908476730.0000000000417000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Netwire_1b43df38 Author: unknown
Source: 00000000.00000002.2908476730.0000000000417000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Detects unspecified malware sample Author: Florian Roth
Source: 00000000.00000002.2908476730.0000000000417000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.2908494293.0000000000418000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Netwire_1b43df38 Author: unknown
Source: 00000000.00000000.1656153629.0000000000417000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Netwire_1b43df38 Author: unknown
Source: 00000000.00000000.1656153629.0000000000417000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Detects unspecified malware sample Author: Florian Roth
Source: 00000000.00000000.1656153629.0000000000417000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: 615.exe PID: 7428, type: MEMORYSTR Matched rule: Windows_Trojan_Netwire_1b43df38 Author: unknown
Source: Process Memory Space: 615.exe PID: 7428, type: MEMORYSTR Matched rule: Detects unspecified malware sample Author: Florian Roth
Source: Process Memory Space: 615.exe PID: 7428, type: MEMORYSTR Matched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\Desktop\615.exe Code function: 0_2_00403861 0_2_00403861
Source: C:\Users\user\Desktop\615.exe Code function: 0_2_00405420 0_2_00405420
Source: C:\Users\user\Desktop\615.exe Code function: 0_2_00403497 0_2_00403497
Source: C:\Users\user\Desktop\615.exe Code function: 0_2_00403D10 0_2_00403D10
Source: C:\Users\user\Desktop\615.exe Code function: 0_2_00403190 0_2_00403190
Source: C:\Users\user\Desktop\615.exe Code function: 0_2_00402D90 0_2_00402D90
Source: C:\Users\user\Desktop\615.exe Code function: 0_2_0040BE80 0_2_0040BE80
Source: C:\Users\user\Desktop\615.exe Code function: 0_2_00402FCC 0_2_00402FCC
Source: C:\Users\user\Desktop\615.exe Code function: 0_2_004033D0 0_2_004033D0
Source: C:\Users\user\Desktop\615.exe Code function: 0_2_004113F0 0_2_004113F0
Source: 615.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: 615.exe, type: SAMPLE Matched rule: Windows_Trojan_Netwire_1b43df38 reference_sample = e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Netwire, fingerprint = 4142ea14157939dc23b8d1f5d83182aef3a5877d2506722f7a2706b7cb475b76, id = 1b43df38-886e-4f58-954a-a09f30f19907, last_modified = 2021-08-23
Source: 615.exe, type: SAMPLE Matched rule: MAL_unspecified_Jan18_1 date = 2018-01-19, hash1 = f87879b29ff83616e9c9044bd5fb847cf5d2efdd2f01fc284d1a6ce7d464a417, author = Florian Roth, description = Detects unspecified malware sample, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 615.exe, type: SAMPLE Matched rule: netwire author = JPCERT/CC Incident Response Group, description = detect netwire in memory, rule_usage = memory scan, reference = internal research
Source: 615.exe, type: SAMPLE Matched rule: MALWARE_Win_NetWire author = ditekSHen, description = Detects NetWire RAT
Source: 0.2.615.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Netwire_1b43df38 reference_sample = e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Netwire, fingerprint = 4142ea14157939dc23b8d1f5d83182aef3a5877d2506722f7a2706b7cb475b76, id = 1b43df38-886e-4f58-954a-a09f30f19907, last_modified = 2021-08-23
Source: 0.2.615.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MAL_unspecified_Jan18_1 date = 2018-01-19, hash1 = f87879b29ff83616e9c9044bd5fb847cf5d2efdd2f01fc284d1a6ce7d464a417, author = Florian Roth, description = Detects unspecified malware sample, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.615.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: netwire author = JPCERT/CC Incident Response Group, description = detect netwire in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.615.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NetWire author = ditekSHen, description = Detects NetWire RAT
Source: 0.0.615.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Netwire_1b43df38 reference_sample = e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Netwire, fingerprint = 4142ea14157939dc23b8d1f5d83182aef3a5877d2506722f7a2706b7cb475b76, id = 1b43df38-886e-4f58-954a-a09f30f19907, last_modified = 2021-08-23
Source: 0.0.615.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MAL_unspecified_Jan18_1 date = 2018-01-19, hash1 = f87879b29ff83616e9c9044bd5fb847cf5d2efdd2f01fc284d1a6ce7d464a417, author = Florian Roth, description = Detects unspecified malware sample, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.0.615.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: netwire author = JPCERT/CC Incident Response Group, description = detect netwire in memory, rule_usage = memory scan, reference = internal research
Source: 0.0.615.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NetWire author = ditekSHen, description = Detects NetWire RAT
Source: 00000000.00000002.2908476730.0000000000417000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Netwire_1b43df38 reference_sample = e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Netwire, fingerprint = 4142ea14157939dc23b8d1f5d83182aef3a5877d2506722f7a2706b7cb475b76, id = 1b43df38-886e-4f58-954a-a09f30f19907, last_modified = 2021-08-23
Source: 00000000.00000002.2908476730.0000000000417000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: MAL_unspecified_Jan18_1 date = 2018-01-19, hash1 = f87879b29ff83616e9c9044bd5fb847cf5d2efdd2f01fc284d1a6ce7d464a417, author = Florian Roth, description = Detects unspecified malware sample, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.2908476730.0000000000417000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: netwire author = JPCERT/CC Incident Response Group, description = detect netwire in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.2908494293.0000000000418000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Netwire_1b43df38 reference_sample = e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Netwire, fingerprint = 4142ea14157939dc23b8d1f5d83182aef3a5877d2506722f7a2706b7cb475b76, id = 1b43df38-886e-4f58-954a-a09f30f19907, last_modified = 2021-08-23
Source: 00000000.00000000.1656153629.0000000000417000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Netwire_1b43df38 reference_sample = e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Netwire, fingerprint = 4142ea14157939dc23b8d1f5d83182aef3a5877d2506722f7a2706b7cb475b76, id = 1b43df38-886e-4f58-954a-a09f30f19907, last_modified = 2021-08-23
Source: 00000000.00000000.1656153629.0000000000417000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: MAL_unspecified_Jan18_1 date = 2018-01-19, hash1 = f87879b29ff83616e9c9044bd5fb847cf5d2efdd2f01fc284d1a6ce7d464a417, author = Florian Roth, description = Detects unspecified malware sample, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000000.1656153629.0000000000417000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: netwire author = JPCERT/CC Incident Response Group, description = detect netwire in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: 615.exe PID: 7428, type: MEMORYSTR Matched rule: Windows_Trojan_Netwire_1b43df38 reference_sample = e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Netwire, fingerprint = 4142ea14157939dc23b8d1f5d83182aef3a5877d2506722f7a2706b7cb475b76, id = 1b43df38-886e-4f58-954a-a09f30f19907, last_modified = 2021-08-23
Source: Process Memory Space: 615.exe PID: 7428, type: MEMORYSTR Matched rule: MAL_unspecified_Jan18_1 date = 2018-01-19, hash1 = f87879b29ff83616e9c9044bd5fb847cf5d2efdd2f01fc284d1a6ce7d464a417, author = Florian Roth, description = Detects unspecified malware sample, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Process Memory Space: 615.exe PID: 7428, type: MEMORYSTR Matched rule: netwire author = JPCERT/CC Incident Response Group, description = detect netwire in memory, rule_usage = memory scan, reference = internal research
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@1/0@6/1
Source: C:\Users\user\Desktop\615.exe Code function: 0_2_00407130 SetErrorMode,GetLogicalDriveStringsA,GetDiskFreeSpaceExA,GetDriveTypeA,GetVolumeInformationA, 0_2_00407130
Source: C:\Users\user\Desktop\615.exe Code function: 0_2_00402720 CreateToolhelp32Snapshot,Process32First,CloseHandle,Process32Next, 0_2_00402720
Source: C:\Users\user\Desktop\615.exe Mutant created: \Sessions\1\BaseNamedObjects\-
Source: 615.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\615.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 615.exe ReversingLabs: Detection: 91%
Source: 615.exe Virustotal: Detection: 75%
Source: C:\Users\user\Desktop\615.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\615.exe Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\615.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\615.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\615.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\615.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\615.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\615.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\615.exe Section loaded: napinsp.dll
Source: C:\Users\user\Desktop\615.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\Desktop\615.exe Section loaded: wshbth.dll
Source: C:\Users\user\Desktop\615.exe Section loaded: nlaapi.dll
Source: C:\Users\user\Desktop\615.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\615.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\615.exe Section loaded: winrnr.dll
Source: C:\Users\user\Desktop\615.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\615.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\615.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\615.exe Code function: 0_2_00409270 LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,malloc,malloc,malloc,malloc,malloc,malloc,malloc, 0_2_00409270
Source: 615.exe Static PE information: real checksum: 0x24fd8 should be: 0x23ab4

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\615.exe Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess
Source: C:\Users\user\Desktop\615.exe Evasive API call chain: CreateMutex,DecisionNodes,Sleep
Source: C:\Users\user\Desktop\615.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Users\user\Desktop\615.exe Evasive API call chain: GetLocalTime,DecisionNodes
Source: C:\Users\user\Desktop\615.exe Evasive API call chain: RegOpenKey,DecisionNodes,Sleep
Source: C:\Users\user\Desktop\615.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\Users\user\Desktop\615.exe API coverage: 4.0 %
Source: C:\Users\user\Desktop\615.exe TID: 7432 Thread sleep time: -750000s >= -30000s
Source: C:\Users\user\Desktop\615.exe Code function: 0_2_004074C0 SetErrorMode,FindFirstFileA,FindNextFileA,FileTimeToSystemTime,FindClose, 0_2_004074C0
Source: C:\Users\user\Desktop\615.exe Code function: 0_2_004080E0 GetFileAttributesA,SetErrorMode,FindFirstFileA,FindNextFileA,FindClose, 0_2_004080E0
Source: C:\Users\user\Desktop\615.exe Code function: 0_2_004078A0 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose, 0_2_004078A0
Source: C:\Users\user\Desktop\615.exe Code function: 0_2_004159E0 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose, 0_2_004159E0
Source: C:\Users\user\Desktop\615.exe Code function: 0_2_0040FA80 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,strlen, 0_2_0040FA80
Source: C:\Users\user\Desktop\615.exe Code function: 0_2_00407410 GetLogicalDriveStringsA,GetDriveTypeA, 0_2_00407410
Source: C:\Users\user\Desktop\615.exe Code function: 0_2_00415150 GetVersionExA,GetSystemMetrics,GetVersionExA,GetSystemInfo, 0_2_00415150
Source: C:\Users\user\Desktop\615.exe Thread delayed: delay time: 75000
Source: 615.exe, 00000000.00000002.2908644268.000000000069E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll::.
Source: C:\Users\user\Desktop\615.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\615.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\615.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\615.exe Code function: 0_2_00409270 LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,malloc,malloc,malloc,malloc,malloc,malloc,malloc, 0_2_00409270
Source: C:\Users\user\Desktop\615.exe Code function: 0_2_004138D0 keybd_event, 0_2_004138D0
Source: C:\Users\user\Desktop\615.exe Code function: 0_2_00413900 SetCursorPos,mouse_event,mouse_event,mouse_event, 0_2_00413900
Source: C:\Users\user\Desktop\615.exe Code function: 0_2_004090E9 GetSystemTime, 0_2_004090E9
Source: C:\Users\user\Desktop\615.exe Code function: 0_2_00415150 GetVersionExA,GetSystemMetrics,GetVersionExA,GetSystemInfo, 0_2_00415150

Remote Access Functionality

Source: Yara match File source: 615.exe, type: SAMPLE
Source: Yara match File source: 0.2.615.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.615.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.1656153629.0000000000417000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 615.exe PID: 7428, type: MEMORYSTR
Source: Yara match File source: 615.exe, type: SAMPLE
Source: Yara match File source: 0.2.615.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.615.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2908476730.0000000000417000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.1656153629.0000000000417000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 615.exe PID: 7428, type: MEMORYSTR