
Analysis Report 6c9e4dd7_by_Libranalysis

Overview

General Information

Sample Name: 6c9e4dd7_by_Libranalysis (renamed file extension from none to exe)
Analysis ID: 398986
MD5: 6c9e4dd7daab40a2b40db3d13279ee2e
SHA1: 879eaa020afb3906709ffd8efe9dfcdd23399227
SHA256: 1dcddce0408092a22c015e183e463020a7231e1f5ca47e71acad4ddcfb0f2385

Detection

NetWire
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (creates a PE file in dynamic memory)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NetWire
Yara detected NetWire RAT
C2 URLs / IPs found in malware configuration
Contains functionality to steal Chrome passwords or cookies
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file has a writeable .text section
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Found potential string decryption / allocating functions
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains strange resources
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)
Uses the system / local time for branch decision (may execute only at specific dates)
Yara signature match

Startup

  • System is w10x64
  • 6c9e4dd7_by_Libranalysis.exe (PID: 3752 cmdline: 'C:\Users\user\Desktop\6c9e4dd7_by_Libranalysis.exe' MD5: 6C9E4DD7DAAB40A2B40DB3D13279EE2E)
    • Host.exe (PID: 4036 cmdline: 'C:\Users\user\AppData\Roaming\Install\Host.exe' MD5: 6C9E4DD7DAAB40A2B40DB3D13279EE2E)
  • cleanup

Malware Configuration

Threatname: NetWire

{"C2 list": ["rootsec.publicvm.com:3361"], "Password": "123", "Host ID": "HostId-%Rand%", "Mutex": "-", "Install Path": "%AppData%\\Install\\Host.exe", "Startup Name": "-", "ActiveX Key": "-", "KeyLog Directory": "%AppData%\\Logs\\"}

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
6c9e4dd7_by_Libranalysis.exe | JoeSecurity_NetWire_1 | Yara detected NetWire RAT | Joe Security | -

Dropped Files

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Roaming\Install\Host.exe | JoeSecurity_NetWire_1 | Yara detected NetWire RAT | Joe Security | -

Memory Dumps

Source | Rule | Description | Author | Strings
00000002.00000002.511119979.00000000007D0000.00000040.00000001.sdmp | JoeSecurity_NetWire_1 | Yara detected NetWire RAT | Joe Security | -
00000001.00000002.259724809.00000000008E0000.00000040.00000001.sdmp | JoeSecurity_NetWire_1 | Yara detected NetWire RAT | Joe Security | -
00000002.00000002.511293682.0000000000910000.00000040.00000001.sdmp | JoeSecurity_NetWire_1 | Yara detected NetWire RAT | Joe Security | -
00000001.00000002.259743780.0000000000910000.00000004.00000040.sdmp | JoeSecurity_NetWire_1 | Yara detected NetWire RAT | Joe Security | -
00000001.00000002.259762257.0000000002140000.00000040.00000001.sdmp | JoeSecurity_NetWire_1 | Yara detected NetWire RAT | Joe Security | -
(4 further entries not shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
2.2.Host.exe.910000.3.unpack | JoeSecurity_NetWire_1 | Yara detected NetWire RAT | Joe Security | -
2.2.Host.exe.7d025e.2.raw.unpack | JoeSecurity_NetWire_1 | Yara detected NetWire RAT | Joe Security | -
2.2.Host.exe.910000.3.raw.unpack | JoeSecurity_NetWire_1 | Yara detected NetWire RAT | Joe Security | -
1.2.6c9e4dd7_by_Libranalysis.exe.2140000.3.raw.unpack | JoeSecurity_NetWire_1 | Yara detected NetWire RAT | Joe Security | -
1.2.6c9e4dd7_by_Libranalysis.exe.2140000.3.raw.unpack | netwire | detect netwire in memory | JPCERT/CC Incident Response Group | 0x22580:$v1: HostId-%Rand%
(3 further entries not shown)

Sigma Overview

System Summary:

Sigma detected: NetWire
Source: Registry Key set | Author: Joe Security | Data: Details: HostId-yaI6gm, EventID: 13, Image: C:\Users\user\AppData\Roaming\Install\Host.exe, ProcessId: 4036, TargetObject: HKEY_CURRENT_USER\Software\NetWire\HostId
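The Sigma hit above and the extracted configuration in the Malware Configuration section together give enough to write host-side detection logic for this build. The following Python is an added example, not part of the report and not Joe Security's code: it derives indicators from the configuration as printed (C2 host and port, install path, keylog directory, the HostId registry value) and matches them against Sysmon-style events. The events it scans are constructed to mirror the Startup, Sigma and Networking sections (the SID in the registry path is made up), and the event ID meanings are the Sysmon ones the example assumes.

```python
"""Added example: derive host indicators from the NetWire configuration in the
report and match them against constructed Sysmon-style events."""

# Configuration fields copied from the report's Malware Configuration section.
NETWIRE_CONFIG = {
    "C2 list": ["rootsec.publicvm.com:3361"],
    "Install Path": "%AppData%\\Install\\Host.exe",
    "KeyLog Directory": "%AppData%\\Logs\\",
}

# What %AppData% resolved to in the sandbox run (see the Startup section).
SANDBOX_APPDATA = r"C:\Users\user\AppData\Roaming"

# Registry value NetWire writes its host identifier to (from the Sigma hit).
# Sysmon records HKCU as HKU\<SID>\..., so compare on the trailing path only.
HOSTID_KEY_SUFFIX = r"\software\netwire\hostid"


def derive_indicators(cfg, appdata=SANDBOX_APPDATA):
    """Turn the extracted configuration into comparable, lower-cased indicators."""
    def expand(path):
        return path.replace("%AppData%", appdata).lower()

    hosts, ports = set(), set()
    for entry in cfg["C2 list"]:
        host, _, port = entry.rpartition(":")
        hosts.add(host.lower())
        ports.add(int(port))
    return {
        "c2_hosts": hosts,
        "c2_ports": ports,
        "install_path": expand(cfg["Install Path"]),
        "keylog_dir": expand(cfg["KeyLog Directory"]),
    }


def classify_event(ev, ioc):
    """Return a label if a Sysmon-style event matches a NetWire indicator, else None.
    Assumed Sysmon EventID meanings: 1 process create, 3 network connect,
    11 file create, 13 registry value set, 22 DNS query."""
    eid = ev.get("EventID")
    image = ev.get("Image", "").lower()
    target_file = ev.get("TargetFilename", "").lower()
    if eid == 13 and ev.get("TargetObject", "").lower().endswith(HOSTID_KEY_SUFFIX):
        return "netwire_hostid_registry_set"
    if eid == 11 and target_file == ioc["install_path"]:
        return "netwire_install_dropped"
    if eid == 11 and target_file.startswith(ioc["keylog_dir"]):
        return "netwire_keylog_written"
    if eid == 1 and image == ioc["install_path"]:
        return "netwire_install_executed"
    if eid == 22 and ev.get("QueryName", "").lower() in ioc["c2_hosts"]:
        return "netwire_c2_dns_query"
    if eid == 3 and ev.get("DestinationPort") in ioc["c2_ports"] and image == ioc["install_path"]:
        return "netwire_c2_connect"
    return None


def scan(events, cfg=NETWIRE_CONFIG):
    """Return [(EventID, label)] for every matching event, in input order."""
    ioc = derive_indicators(cfg)
    hits = []
    for ev in events:
        label = classify_event(ev, ioc)
        if label:
            hits.append((ev["EventID"], label))
    return hits


# Constructed sample events whose values mirror the report; not real logs.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Users\user\Desktop\6c9e4dd7_by_Libranalysis.exe",
     "TargetFilename": r"C:\Users\user\AppData\Roaming\Install\Host.exe"},
    {"EventID": 1, "Image": r"C:\Users\user\AppData\Roaming\Install\Host.exe",
     "ProcessId": 4036, "ParentProcessId": 3752},
    {"EventID": 13, "Image": r"C:\Users\user\AppData\Roaming\Install\Host.exe",
     "ProcessId": 4036, "Details": "HostId-yaI6gm",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\NetWire\HostId"},
    {"EventID": 22, "Image": r"C:\Users\user\AppData\Roaming\Install\Host.exe",
     "QueryName": "rootsec.publicvm.com"},
    {"EventID": 3, "Image": r"C:\Users\user\AppData\Roaming\Install\Host.exe",
     "DestinationPort": 3361},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",  # benign control event
     "TargetFilename": r"C:\Users\user\Desktop\desktop.ini"},
]

if __name__ == "__main__":
    for eid, label in scan(SAMPLE_EVENTS):
        print(eid, label)
```

The registry match is on the key suffix because Sysmon logs the HKU\<SID> form while the report prints HKEY_CURRENT_USER; both spellings match. The path and port indicators are specific to this build's configuration, so regenerate them from each new extractor output rather than hard-coding them into a rule.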

                        Signature Overview


AV Detection:

Found malware configuration
Source: 2.2.Host.exe.7d025e.2.raw.unpack | Malware Configuration Extractor: NetWire {"C2 list": ["rootsec.publicvm.com:3361"], "Password": "123", "Host ID": "HostId-%Rand%", "Mutex": "-", "Install Path": "%AppData%\\Install\\Host.exe", "Startup Name": "-", "ActiveX Key": "-", "KeyLog Directory": "%AppData%\\Logs\\"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Virustotal: Detection: 19%
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | ReversingLabs: Detection: 19%
Multi AV Scanner detection for submitted file
Source: 6c9e4dd7_by_Libranalysis.exe | Virustotal: Detection: 19%
Source: 6c9e4dd7_by_Libranalysis.exe | ReversingLabs: Detection: 19%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: 6c9e4dd7_by_Libranalysis.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 2.2.Host.exe.910000.3.unpack | Avira: Label: TR/Spy.Gen
Source: 1.2.6c9e4dd7_by_Libranalysis.exe.2140000.3.unpack | Avira: Label: TR/Spy.Gen
Source: 1.2.6c9e4dd7_by_Libranalysis.exe.8e025e.2.unpack | Avira: Label: TR/Patched.Ren.Gen

Compliance:

Detected unpacking (creates a PE file in dynamic memory)
Source: C:\Users\user\Desktop\6c9e4dd7_by_Libranalysis.exe | Unpacked PE file: 1.2.6c9e4dd7_by_Libranalysis.exe.2140000.3.unpack
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Unpacked PE file: 2.2.Host.exe.910000.3.unpack
Source: 6c9e4dd7_by_Libranalysis.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 6c9e4dd7_by_Libranalysis.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: Journal.pdbL | source: 6c9e4dd7_by_Libranalysis.exe
Source: Binary string: Journal.pdb | source: 6c9e4dd7_by_Libranalysis.exe
Source: C:\Users\user\Desktop\6c9e4dd7_by_Libranalysis.exe | Code function: 1_2_0048F1FF __EH_prolog3_GS,memset,lstrlenW,lstrlenW,lstrlenW,PathAddBackslashW,FindFirstFileW,memset,PathAddBackslashW,FindNextFileW,GetLastError,FindClose,GetLastError
Source: C:\Users\user\Desktop\6c9e4dd7_by_Libranalysis.exe | Code function: 1_2_0048EB15 memset,memset,lstrlenW,lstrlenW,lstrlenW,PathAddBackslashW,FindFirstFileW,FindNextFileW,GetLastError,FindClose

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: rootsec.publicvm.com:3361
Source: unknown | DNS traffic detected: queries for: rootsec.publicvm.com
Source: Host.exe | String found in binary or memory: http://www.yandex.com
Source: 6c9e4dd7_by_Libranalysis.exe | String found in binary or memory: http://www.yandex.comsocks=
Source: Host.exe, 00000002.00000002.511293682.0000000000910000.00000040.00000001.sdmp | String found in binary or memory: http://www.yandex.comsocks=L
Installs a raw input device (often for capturing keystrokes)
Source: Host.exe, 00000002.00000002.511322936.000000000093B000.00000040.00000001.sdmp | Binary or memory string: GetRawInputData

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000001.00000002.259762257.0000000002140000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: 6c9e4dd7_by_Libranalysis.exe PID: 3752, type: MEMORY | Matched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.6c9e4dd7_by_Libranalysis.exe.2140000.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.6c9e4dd7_by_Libranalysis.exe.2140000.3.unpack, type: UNPACKEDPE | Matched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
PE file has a writeable .text section
Source: 6c9e4dd7_by_Libranalysis.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: Host.exe.1.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\6c9e4dd7_by_Libranalysis.exe | Code function: 1_2_00427690
Source: C:\Users\user\Desktop\6c9e4dd7_by_Libranalysis.exe | Code function: 1_2_004B069F
Source: C:\Users\user\Desktop\6c9e4dd7_by_Libranalysis.exe | Code function: 1_2_00435E97
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 2_2_009134D3
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 2_2_009308C0
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 2_2_00930420
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 2_2_00913047
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 2_2_0092D049
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 2_2_00925079
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 2_2_00929463
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 2_2_00924976
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 2_2_00925ABF
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 2_2_0091AEC6
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 2_2_00912AFC
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 2_2_00926619
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 2_2_00912E68
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 2_2_0091A728
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 2_2_0092FF50
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 2_2_00930F40
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: String function: 009181AA appears 110 times
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: String function: 0092F724 appears 31 times
Source: C:\Users\user\Desktop\6c9e4dd7_by_Libranalysis.exe | Code function: String function: 004AEBD4 appears 885 times
Source: C:\Users\user\Desktop\6c9e4dd7_by_Libranalysis.exe | Code function: String function: 004BF800 appears 121 times
Source: C:\Users\user\Desktop\6c9e4dd7_by_Libranalysis.exe | Code function: String function: 004BF7C8 appears 400 times
PE file contains strange resources
Source: 6c9e4dd7_by_Libranalysis.exe | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST (3 resources)
Source: 6c9e4dd7_by_Libranalysis.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST (8 resources)
Source: Host.exe.1.dr | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST (3 resources)
Source: Host.exe.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST (8 resources)
Sample file is different than original file name gathered from version info
Source: 6c9e4dd7_by_Libranalysis.exe | Binary or memory string: OriginalFilename vs 6c9e4dd7_by_Libranalysis.exe
Source: 6c9e4dd7_by_Libranalysis.exe, 00000001.00000000.241605490.00000000004D8000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameJournal.exej% vs 6c9e4dd7_by_Libranalysis.exe
Source: 6c9e4dd7_by_Libranalysis.exe, 00000001.00000002.260301152.0000000002610000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs 6c9e4dd7_by_Libranalysis.exe
Source: 6c9e4dd7_by_Libranalysis.exe, 00000001.00000002.260301152.0000000002610000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs 6c9e4dd7_by_Libranalysis.exe
Source: 6c9e4dd7_by_Libranalysis.exe, 00000001.00000002.259800471.00000000021C0000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs 6c9e4dd7_by_Libranalysis.exe
Source: 6c9e4dd7_by_Libranalysis.exe | Binary or memory string: OriginalFilenameJournal.exej% vs 6c9e4dd7_by_Libranalysis.exe
Uses 32bit PE files
Source: 6c9e4dd7_by_Libranalysis.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 00000001.00000002.259762257.0000000002140000.00000040.00000001.sdmp, type: MEMORY | Matched rule: netwire author = JPCERT/CC Incident Response Group, description = detect netwire in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: 6c9e4dd7_by_Libranalysis.exe PID: 3752, type: MEMORY | Matched rule: netwire author = JPCERT/CC Incident Response Group, description = detect netwire in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.6c9e4dd7_by_Libranalysis.exe.2140000.3.raw.unpack, type: UNPACKEDPE | Matched rule: netwire author = JPCERT/CC Incident Response Group, description = detect netwire in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.6c9e4dd7_by_Libranalysis.exe.2140000.3.unpack, type: UNPACKEDPE | Matched rule: netwire author = JPCERT/CC Incident Response Group, description = detect netwire in memory, rule_usage = memory scan, reference = internal research
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/1@6/1
Source: C:\Users\user\Desktop\6c9e4dd7_by_Libranalysis.exe | Code function: 1_2_004AE03F __EH_prolog3_GS,CoCreateInstance,memset,#6928
Source: C:\Users\user\Desktop\6c9e4dd7_by_Libranalysis.exe | Code function: 1_2_0042ACE6 __EH_prolog3,memset,#1165,#1165,#1165,LockResource,#540,#4155,#861,#800
Source: C:\Users\user\Desktop\6c9e4dd7_by_Libranalysis.exe | File created: C:\Users\user\AppData\Roaming\Install
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Mutant created: \Sessions\1\BaseNamedObjects\-
Source: 6c9e4dd7_by_Libranalysis.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\6c9e4dd7_by_Libranalysis.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\6c9e4dd7_by_Libranalysis.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | File read: C:\Windows\System32\drivers\etc\hosts (2 events)
Source: 6c9e4dd7_by_Libranalysis.exe | Virustotal: Detection: 19%
Source: 6c9e4dd7_by_Libranalysis.exe | ReversingLabs: Detection: 19%
Source: C:\Users\user\Desktop\6c9e4dd7_by_Libranalysis.exe | File read: C:\Users\user\Desktop\6c9e4dd7_by_Libranalysis.exe
Source: unknown | Process created: C:\Users\user\Desktop\6c9e4dd7_by_Libranalysis.exe 'C:\Users\user\Desktop\6c9e4dd7_by_Libranalysis.exe'
Source: C:\Users\user\Desktop\6c9e4dd7_by_Libranalysis.exe | Process created: C:\Users\user\AppData\Roaming\Install\Host.exe 'C:\Users\user\AppData\Roaming\Install\Host.exe'
Source: C:\Users\user\Desktop\6c9e4dd7_by_Libranalysis.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: 6c9e4dd7_by_Libranalysis.exe | Static file information: File size 2019840 > 1048576
Source: 6c9e4dd7_by_Libranalysis.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 6c9e4dd7_by_Libranalysis.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 6c9e4dd7_by_Libranalysis.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 6c9e4dd7_by_Libranalysis.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 6c9e4dd7_by_Libranalysis.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 6c9e4dd7_by_Libranalysis.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: 6c9e4dd7_by_Libranalysis.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: 6c9e4dd7_by_Libranalysis.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: Journal.pdbL | source: 6c9e4dd7_by_Libranalysis.exe
Source: Binary string: Journal.pdb | source: 6c9e4dd7_by_Libranalysis.exe

Data Obfuscation:

Detected unpacking (creates a PE file in dynamic memory)
Source: C:\Users\user\Desktop\6c9e4dd7_by_Libranalysis.exe | Unpacked PE file: 1.2.6c9e4dd7_by_Libranalysis.exe.2140000.3.unpack
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Unpacked PE file: 2.2.Host.exe.910000.3.unpack
PE file contains an invalid checksum
Source: Host.exe.1.dr | Static PE information: real checksum: 0x1f534c should be: 0x1f5426
Source: 6c9e4dd7_by_Libranalysis.exe | Static PE information: real checksum: 0x1f534c should be: 0x1f5426
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\6c9e4dd7_by_Libranalysis.exe | Code function: 1_2_004BF4F1 push ecx; ret (at 1_2_004BF504)
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 2_2_00919E61 push eax; mov dword ptr [esp], ebx (at 2_2_00919FDE)
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 2_2_0091A4BC push esi; mov dword ptr [esp], 00933347h (at 2_2_0091A543)
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 2_2_0091DCE9 push ecx; mov dword ptr [esp], 00933976h (at 2_2_0091DD9F)
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 2_2_0091DCE9 push ebp; mov dword ptr [esp], 0093398Ah (at 2_2_0091DDD9)
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 2_2_0091DCE9 push edx; mov dword ptr [esp], 00933997h (at 2_2_0091DDF7)
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 2_2_0091DCE9 push edx; mov dword ptr [esp], esi (at 2_2_0091E394)
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 2_2_00932449 push edi; retf (at 2_2_0093244B)
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 2_2_00921D8C push edx; mov dword ptr [esp], edi (at 2_2_00922058)
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 2_2_00919953 push edi; mov dword ptr [esp], 00000091h (at 2_2_00919980)
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 2_2_00919953 push ebp; mov dword ptr [esp], 00000090h (at 2_2_0091998D)
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 2_2_009246E1 push eax; mov dword ptr [esp], ebx (at 2_2_0092470B)
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 2_2_00916E04 push ecx; mov dword ptr [esp], ebx (at 2_2_00916E69)
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 2_2_0091262F push edx; mov dword ptr [esp], edi (at 2_2_009127C8)
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 2_2_0091262F push edx; mov dword ptr [esp], edi (at 2_2_00912815)
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 2_2_0091262F push edx; mov dword ptr [esp], edi (at 2_2_009129B2)
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 2_2_0091970C push eax; mov dword ptr [esp], 0093B4A0h (at 2_2_009197B9)
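The invalid-checksum finding above (stored 0x1f534c against a computed 0x1f5426, identical for the sample and the dropped Host.exe) can be reproduced without the sandbox. The following Python is an added example, not code from the report or from Joe Sandbox: it locates OptionalHeader.CheckSum, recomputes the value with the standard PE checksum algorithm, and reports a mismatch in the report's own wording. The header-only PE32 image it builds is constructed test data rather than the analysed sample, so the numbers it prints are not the report's.

```python
"""Added example: recompute the PE CheckSum field and compare it with the
value stored in the optional header, as the 'invalid checksum' signature does."""
import struct


def checksum_field_offset(data):
    """File offset of OptionalHeader.CheckSum, or None if data is not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # PE signature (4) + COFF file header (20); CheckSum sits at offset 64 of
    # the optional header for both PE32 and PE32+.
    return e_lfanew + 4 + 20 + 64


def compute_pe_checksum(data):
    """Algorithm used by the linker and by imagehlp's CheckSumMappedFile:
    a 16-bit end-around-carry sum over the whole file with the CheckSum field
    itself treated as zero, plus the file length."""
    off = checksum_field_offset(data)
    if off is None:
        raise ValueError("not a PE image")
    buf = bytearray(data)
    buf[off:off + 4] = b"\0\0\0\0"      # exclude the stored value from the sum
    buf += b"\0" * (-len(buf) % 4)      # pad so the file can be walked as 32-bit words
    total = 0
    for i in range(0, len(buf), 4):
        total += struct.unpack_from("<I", buf, i)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return (total + len(data)) & 0xFFFFFFFF


def stored_pe_checksum(data):
    off = checksum_field_offset(data)
    if off is None:
        raise ValueError("not a PE image")
    return struct.unpack_from("<I", data, off)[0]


def check_pe_checksum(data):
    """Return (stored, computed, ok). Windows only enforces this field for
    drivers and a few system images, so user-mode malware runs fine with a
    wrong value; a non-zero mismatch usually means the file was patched or
    repacked after linking. A stored 0 simply means the linker never set it."""
    stored = stored_pe_checksum(data)
    computed = compute_pe_checksum(data)
    return stored, computed, stored == computed


def describe(data):
    """One-line verdict in the report's wording."""
    stored, computed, ok = check_pe_checksum(data)
    if ok:
        return "checksum ok"
    if stored == 0:
        return "checksum not set"
    return f"real checksum: {stored:#x} should be: {computed:#x}"


def build_minimal_pe32(checksum=0):
    """Header-only PE32 image (constructed for this example; not loadable)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)  # i386, one section
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                         # Magic: PE32
    struct.pack_into("<I", opt, 28, 0x400000)                     # ImageBase
    struct.pack_into("<I", opt, 64, checksum)                     # CheckSum
    section = bytearray(40)                                        # one empty section header
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(section)


if __name__ == "__main__":
    linked = build_minimal_pe32(checksum=compute_pe_checksum(build_minimal_pe32()))
    print(describe(linked))
    patched = bytearray(linked)
    patched[-1] ^= 0x41                                            # simulate a post-link patch
    print(describe(bytes(patched)))
```

Both the submitted file and the dropped Host.exe carry the same wrong value here, which fits the Startup section's identical MD5s: the dropper copies itself byte for byte, so whatever edit produced the mismatch happened before the sample was distributed, not at install time.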
                        Source: C:\Users\user\Desktop\6c9e4dd7_by_Libranalysis.exeFile created: C:\Users\user\AppData\Roaming\Install\Host.exeJump to dropped file
                        Source: C:\Users\user\Desktop\6c9e4dd7_by_Libranalysis.exeCode function: 1_2_00440840 __EH_prolog3_GS,#1165,#1165,IsIconic,#1165,#1165,#1165,1_2_00440840
                        Source: C:\Users\user\Desktop\6c9e4dd7_by_Libranalysis.exeCode function: 1_2_004328A6 __EH_prolog3_GS,MonitorFromWindow,GetMonitorInfoW,SHAppBarMessage,SHAppBarMessage,SetRectEmpty,SHAppBarMessage,CopyRect,#3916,memset,IsIconic,#6191,IsZoomed,#6191,#6211,#4294,1_2_004328A6
                        Source: C:\Users\user\Desktop\6c9e4dd7_by_Libranalysis.exeRegistry key monitored for changes: HKEY_CURRENT_USER_ClassesJump to behavior
                        Source: C:\Users\user\Desktop\6c9e4dd7_by_Libranalysis.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\6c9e4dd7_by_Libranalysis.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\6c9e4dd7_by_Libranalysis.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\6c9e4dd7_by_Libranalysis.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\6c9e4dd7_by_Libranalysis.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\6c9e4dd7_by_Libranalysis.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\6c9e4dd7_by_Libranalysis.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\6c9e4dd7_by_Libranalysis.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\6c9e4dd7_by_Libranalysis.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Install\Host.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Install\Host.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\6c9e4dd7_by_Libranalysis.exeFile opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Jump to behavior
                        Source: C:\Users\user\Desktop\6c9e4dd7_by_Libranalysis.exeCode function: 1_2_004B069F rdtsc 1_2_004B069F
                        Source: C:\Users\user\AppData\Roaming\Install\Host.exe TID: 644Thread sleep time: -375000s >= -30000sJump to behavior
                        Source: C:\Users\user\Desktop\6c9e4dd7_by_Libranalysis.exeCode function: 1_2_00465374 GetKeyboardLayout followed by cmp: cmp cx, ax and CTI: jne 0046554Ch1_2_00465374
                        Source: C:\Users\user\Desktop\6c9e4dd7_by_Libranalysis.exeCode function: 1_2_00465374 GetKeyboardLayout followed by cmp: cmp cx, ax and CTI: je 0046554Ch1_2_00465374
                        Source: C:\Users\user\Desktop\6c9e4dd7_by_Libranalysis.exeCode function: 1_2_00485EDE GetLocalTime followed by cmp: cmp ebx, 10h and CTI: jnc 00485FD2h1_2_00485EDE
                        Source: C:\Users\user\Desktop\6c9e4dd7_by_Libranalysis.exeCode function: 1_2_0048F1FF __EH_prolog3_GS,memset,lstrlenW,lstrlenW,lstrlenW,PathAddBackslashW,FindFirstFileW,memset,PathAddBackslashW,FindNextFileW,GetLastError,FindClose,GetLastError,1_2_0048F1FF
                        Source: C:\Users\user\Desktop\6c9e4dd7_by_Libranalysis.exeCode function: 1_2_0048EB15 memset,memset,lstrlenW,lstrlenW,lstrlenW,PathAddBackslashW,FindFirstFileW,FindNextFileW,GetLastError,FindClose,1_2_0048EB15
                        Source: C:\Users\user\AppData\Roaming\Install\Host.exeThread delayed: delay time: 75000Jump to behavior
Source: C:\Users\user\Desktop\6c9e4dd7_by_Libranalysis.exe; Code function: 1_2_004B069F rdtsc
Source: C:\Users\user\Desktop\6c9e4dd7_by_Libranalysis.exe; Code function: 1_2_004B81C1 mov ebx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\6c9e4dd7_by_Libranalysis.exe; Code function: 1_2_004BDB47 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\6c9e4dd7_by_Libranalysis.exe; Code function: 1_2_00440BC5 mov eax, dword ptr fs:[00000030h] (listed twice for this function)
Source: C:\Users\user\Desktop\6c9e4dd7_by_Libranalysis.exe; Code function: 1_2_004B069F mov eax, dword ptr fs:[00000030h] (listed four times for this function)
Source: C:\Users\user\Desktop\6c9e4dd7_by_Libranalysis.exe; Code function: 1_2_00435E97 mov eax, dword ptr fs:[00000030h] (listed four times for this function)
Source: C:\Users\user\Desktop\6c9e4dd7_by_Libranalysis.exe; Code function: 1_2_0047DA73 #1165,GlobalLock,GlobalLock,GlobalLock,GetProcessHeap,HeapAlloc,memcpy,GlobalUnlock,GlobalUnlock
Source: C:\Users\user\Desktop\6c9e4dd7_by_Libranalysis.exe; Code function: 1_2_004BED37 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\Desktop\6c9e4dd7_by_Libranalysis.exe; Process created: C:\Users\user\AppData\Roaming\Install\Host.exe 'C:\Users\user\AppData\Roaming\Install\Host.exe'
Source: Host.exe, 00000002.00000002.511406065.0000000000DC0000.00000002.00000001.sdmp; Binary or memory string: Shell_TrayWnd
Source: Host.exe, 00000002.00000002.511406065.0000000000DC0000.00000002.00000001.sdmp; Binary or memory string: Progman
Source: Host.exe, 00000002.00000002.511406065.0000000000DC0000.00000002.00000001.sdmp; Binary or memory string: SProgram Managerl
Source: Host.exe, 00000002.00000002.511406065.0000000000DC0000.00000002.00000001.sdmp; Binary or memory string: Shell_TrayWnd,
Source: Host.exe, 00000002.00000002.511406065.0000000000DC0000.00000002.00000001.sdmp; Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\6c9e4dd7_by_Libranalysis.exe; Code function: 1_2_00466E2B __EH_prolog3_GS,#567,GetLocaleInfoW,_wtoi,#1165,CoCreateInstance,#30,SysAllocStringLen,#1165,#1165,SysStringLen,SysFreeString,#1008,#1008,#1008,#1008
Source: C:\Users\user\Desktop\6c9e4dd7_by_Libranalysis.exe; Code function: 1_2_00485EDE __EH_prolog3_GS,memcpy,GetLocalTime,GetLocaleInfoW
Source: C:\Users\user\Desktop\6c9e4dd7_by_Libranalysis.exe; Code function: 1_2_004BF3D8 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter
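The process-creation line above (the Desktop sample starting C:\Users\user\AppData\Roaming\Install\Host.exe) is the chain a host-based detection should catch. The following is an added example, not part of the sandbox report and not Joe Sandbox code: a small rule run over constructed process-creation events. The event shape (Image, ParentImage, ProcessId, ParentProcessId in a Sysmon Event ID 1 style) is an assumption; every event is constructed, and only the two image paths and the PIDs 3752 and 4036 are taken from the report.

```python
r"""Detection over constructed process-creation events for the drop-and-execute
chain the report records (the Desktop sample starting
AppData\Roaming\Install\Host.exe). Added example, not part of the sandbox
report. Event field names follow a cut-down Sysmon Event ID 1 shape (an
assumption); all events below are constructed."""
import re

SAMPLE_EVENTS = [  # constructed; only the two report paths and PIDs 3752/4036 are real
    {"EventID": 1, "ProcessId": 3752, "ParentProcessId": 1234,
     "Image": r"C:\Users\user\Desktop\6c9e4dd7_by_Libranalysis.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessId": 4036, "ParentProcessId": 3752,
     "Image": r"C:\Users\user\AppData\Roaming\Install\Host.exe",
     "ParentImage": r"C:\Users\user\Desktop\6c9e4dd7_by_Libranalysis.exe"},
    {"EventID": 1, "ProcessId": 5000, "ParentProcessId": 1234,
     "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessId": 5100, "ParentProcessId": 5099,
     "Image": r"C:\Users\user\AppData\Roaming\Zoom\bin\Zoom.exe",
     "ParentImage": r"C:\Users\user\AppData\Roaming\Zoom\bin\Zoom.exe"},
]

# Folders where a freshly delivered file usually sits before it first runs.
STAGING = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\(desktop|downloads|appdata\\local\\temp)\\", re.I)
# Folder where this sample (and many droppers) place the persistent copy.
ROAMING = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\roaming\\", re.I)


def is_dropped_launch(ev):
    r"""True for a binary under AppData\Roaming started by a binary that still
    lives in a staging folder. A parent that is itself under Roaming (a
    self-updating application) is deliberately not flagged."""
    return bool(ROAMING.match(ev["Image"])) and bool(STAGING.match(ev["ParentImage"]))


def find_dropper_chains(events):
    """All process-creation events that match the drop-and-execute rule."""
    return [ev for ev in events if ev.get("EventID") == 1 and is_dropped_launch(ev)]


def lineage(events, pid):
    """Image paths from the oldest recorded ancestor down to `pid`. The parent
    of the first recorded process comes from that record's ParentImage field."""
    by_pid = {ev["ProcessId"]: ev for ev in events if ev.get("EventID") == 1}
    chain, seen, root = [], set(), None
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        ev = by_pid[pid]
        chain.append(ev["Image"])
        root, pid = ev["ParentImage"], ev["ParentProcessId"]
    if root is not None:
        chain.append(root)
    return chain[::-1]


if __name__ == "__main__":
    for ev in find_dropper_chains(SAMPLE_EVENTS):
        print("dropped-binary launch:",
              " -> ".join(lineage(SAMPLE_EVENTS, ev["ProcessId"])))
```

The rule keys on the parent's location rather than on the name Host.exe, because the dropped filename is configurable in this family while the Desktop-to-Roaming hop is the part that survives renaming; the Zoom event is included to show why a Roaming-to-Roaming launch must not trip it.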

Stealing of Sensitive Information:

Contains functionality to steal Chrome passwords or cookies
Source: C:\Users\user\AppData\Roaming\Install\Host.exe; Code function: 2_2_0091F281 %s\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\Install\Host.exe; Code function: 2_2_0091F382 %s\Chromium\User Data\Default\Login Data
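The two credential-store paths above, together with the rdtsc and fs:[30h] (PEB) reads listed earlier in this report, are the kind of static indicators a triage script can pull out of an unpacked image before running anything. The block below is an added example, not the sandbox's signature code and not code from the sample: it scans a byte buffer for those opcode sequences and for the Login Data paths in both ASCII and UTF-16LE. The byte blob it runs on is constructed by hand to contain each pattern once; the opcode encodings are standard 32-bit x86.

```python
"""Static triage for the anti-analysis opcodes and browser credential-store
paths listed in the report. Added example, not the sandbox's own signature
code; SAMPLE_BLOB is constructed by hand to exercise the scanner."""
import re

# 32-bit x86 encodings. 64 A1 / 64 8B 05 and 64 8B 1D are the two PEB fetches
# the report lists (mov eax / mov ebx, dword ptr fs:[30h]).
OPCODE_PATTERNS = {
    "rdtsc": re.compile(rb"\x0f\x31"),
    "mov eax, fs:[30h]": re.compile(rb"\x64(?:\xa1|\x8b\x05)\x30\x00\x00\x00"),
    "mov ebx, fs:[30h]": re.compile(rb"\x64\x8b\x1d\x30\x00\x00\x00"),
}

# Paths from the report, without the "%s" prefix the sample formats in.
CREDENTIAL_PATHS = [
    b"\\Google\\Chrome\\User Data\\Default\\Login Data",
    b"\\Chromium\\User Data\\Default\\Login Data",
]


def find_opcodes(data: bytes) -> dict:
    """Offsets of each opcode pattern. Run over executable sections only:
    a two-byte sequence such as 0F 31 will also occur in data or resources."""
    return {name: [m.start() for m in pat.finditer(data)]
            for name, pat in OPCODE_PATTERNS.items()}


def find_rdtsc_pairs(data: bytes, window: int = 64) -> list:
    """Two rdtsc within `window` bytes is the timing-check shape (read, do a
    little work, read again, compare the delta). A lone rdtsc is weak evidence."""
    offs = find_opcodes(data)["rdtsc"]
    return [(a, b) for a, b in zip(offs, offs[1:]) if b - a <= window]


def find_credential_paths(data: bytes) -> list:
    """(encoding, offset, path) for every credential-store path found, checking
    ASCII and UTF-16LE because Win32 code may carry either."""
    hits = []
    for path in CREDENTIAL_PATHS:
        needles = (("ascii", path), ("utf-16le", path.decode().encode("utf-16-le")))
        for enc, needle in needles:
            for m in re.finditer(re.escape(needle), data):
                hits.append((enc, m.start(), path.decode()))
    return sorted(hits, key=lambda h: h[1])


def triage(data: bytes) -> dict:
    """Summary a reviewer would want: timing check present, PEB reads, paths."""
    ops = find_opcodes(data)
    return {
        "timing_check": bool(find_rdtsc_pairs(data)),
        "peb_reads": sum(len(v) for k, v in ops.items() if "fs:[30h]" in k),
        "credential_paths": [h[2] for h in find_credential_paths(data)],
    }


# Constructed buffer: a timing check, the two PEB fetches, then the two paths.
SAMPLE_BLOB = (
    b"\x55\x8b\xec"                     # push ebp; mov ebp, esp
    + b"\x0f\x31\x89\xc6"               # rdtsc; mov esi, eax
    + b"\x90" * 10                      # nop sled standing in for "some work"
    + b"\x0f\x31\x29\xf0"               # rdtsc; sub eax, esi
    + b"\x64\xa1\x30\x00\x00\x00"       # mov eax, fs:[30h]        (PEB)
    + b"\x0f\xb6\x40\x02"               # movzx eax, byte ptr [eax+2] (BeingDebugged)
    + b"\x64\x8b\x1d\x30\x00\x00\x00"   # mov ebx, fs:[30h]        (PEB)
    + b"%s\\Google\\Chrome\\User Data\\Default\\Login Data\x00"
    + "%s\\Chromium\\User Data\\Default\\Login Data\x00".encode("utf-16-le")
)

if __name__ == "__main__":
    print(triage(SAMPLE_BLOB))
```

On a real file, feed each executable section's raw bytes to find_opcodes and find_rdtsc_pairs and the whole image to find_credential_paths; the report's own hits came from the unpacked in-memory image, so the packed file on disk may show the strings only after unpacking.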

Remote Access Functionality:

Yara detected NetWire RAT
Source: Yara match; File source: 6c9e4dd7_by_Libranalysis.exe, type: SAMPLE
Source: Yara match; File source: 00000002.00000002.511119979.00000000007D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.259724809.00000000008E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.511293682.0000000000910000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.259743780.0000000000910000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.259762257.0000000002140000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: Host.exe PID: 4036, type: MEMORY
Source: Yara match; File source: Process Memory Space: 6c9e4dd7_by_Libranalysis.exe PID: 3752, type: MEMORY
Source: Yara match; File source: C:\Users\user\AppData\Roaming\Install\Host.exe, type: DROPPED
Source: Yara match; File source: 2.2.Host.exe.910000.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.Host.exe.7d025e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.Host.exe.910000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.6c9e4dd7_by_Libranalysis.exe.2140000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.6c9e4dd7_by_Libranalysis.exe.2140000.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.6c9e4dd7_by_Libranalysis.exe.8e025e.2.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

The matrix is listed here by tactic (one column of the original grid per line). Techniques followed by a number are the ones the report marked for this sample; the number is the annotation carried over from the original matrix cell.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter; PowerShell
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux)
Privilege Escalation: Process Injection (12); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux)
Defense Evasion: Masquerading (1); Virtualization/Sandbox Evasion (21); Process Injection (12); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); Software Packing (11); Compile After Delivery; Indicator Removal from Tools; Masquerading
Credential Access: OS Credential Dumping (1); Input Capture (11); Credentials In Files (1); NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: System Time Discovery (11); Query Registry (1); Security Software Discovery (13); Process Discovery (1); Virtualization/Sandbox Evasion (21); Application Window Discovery (1); Remote System Discovery (1); File and Directory Discovery (2); System Information Discovery (22)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools
Collection: Input Capture (11); Archive Collected Data (1); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Command and Control: Encrypted Channel (1); Non-Application Layer Protocol (1); Application Layer Protocol (11); Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction

Behavior Graph

(The interactive behavior graph is not reproduced here. Its legend distinguishes: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, and the Visual Basic, Delphi and Java markers.)