Automated Malware Analysis IOC Report for

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\615.exe

"C:\Users\user\Desktop\615.exe"

Details

Is windows:	true
Is dropped:	false
PID:	7428
Target ID:	0
Parent PID:	2580
Name:	615.exe
Path:	C:\Users\user\Desktop\615.exe
Commandline:	"C:\Users\user\Desktop\615.exe"
Size:	109056
MD5:	9874F93464760F8B7962945950EC67AE
Time:	03:33:05
Date:	19/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	151552
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Sigma detected: NetWire	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Yara detected NetWire RAT	Remote Access Functionality
Yara detected Netwire RAT	Remote Access Functionality
Machine Learning detection for sample	AV Detection
PE file contains an invalid checksum	Data Obfuscation
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary

Domains

Name

Malicious

boa.eimaragon.org

unknown

winsec.warii.club

103.224.212.210

Details

Name:	winsec.warii.club
IP:	103.224.212.210
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

IPs

Domain

Country

Malicious

103.224.212.210

winsec.warii.club

Australia

Details

IP:	103.224.212.210
TargetID:	0
Current Path:	C:\Users\user\Desktop\615.exe
Country:	Australia
Countrycode:	AUS
ASN number:	133618
ASN name:	TRELLIAN-AS-APTrellianPtyLimitedAU
Private:	false
Domain:	winsec.warii.club

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\SOFTWARE\NetWire

HostId

HKEY_CURRENT_USER\SOFTWARE\NetWire

Install Date

Memdumps

Base Address

Regiontype

Protect

Malicious

417000

unkown

page write copy

417000

unkown

page read and write

6DC000

heap

page read and write

9C000

stack

page read and write

41D000

unkown

page read and write

422000

unkown

page read and write

2E0F000

stack

page read and write

6D5000

heap

page read and write

424000

unkown

page readonly

400000

unkown

page readonly

690000

heap

page read and write

69E000

heap

page read and write

1D0000

heap

page read and write

320E000

stack

page read and write

401000

unkown

page execute read

424000

unkown

page readonly

6C9000

heap

page read and write

401000

unkown

page execute read

D0C000

stack

page read and write

423000

unkown

page write copy

5FC000

stack

page read and write

D20000

heap

page read and write

698000

heap

page read and write

6B8000

heap

page read and write

33C0000

heap

page read and write

1E0000

heap

page read and write

670000

heap

page read and write

C8E000

stack

page read and write

F0000

heap

page read and write

422000

unkown

page write copy

418000

unkown

page write copy

400000

unkown

page readonly

62D000

stack

page read and write

1E5000

heap

page read and write

There are 24 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
615

Processes

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report615

Processes

Domains

IPs

Registry

Memdumps

IOC Report
615