Play interactive tour

Edit tour

Analysis Report 6c9e4dd7_by_Libranalysis

Overview

General Information

Sample Name:	6c9e4dd7_by_Libranalysis (renamed file extension from none to exe)
Analysis ID:	398986
MD5:	6c9e4dd7daab40a2b40db3d13279ee2e
SHA1:	879eaa020afb3906709ffd8efe9dfcdd23399227
SHA256:	1dcddce0408092a22c015e183e463020a7231e1f5ca47e71acad4ddcfb0f2385
Infos:
Most interesting Screenshot:

Detection

NetWire

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (creates a PE file in dynamic memory)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: NetWire

Yara detected NetWire RAT

C2 URLs / IPs found in malware configuration

Contains functionality to steal Chrome passwords or cookies

Machine Learning detection for dropped file

Machine Learning detection for sample

PE file has a writeable .text section

Antivirus or Machine Learning detection for unpacked file

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Found potential string decryption / allocating functions

Installs a raw input device (often for capturing keystrokes)

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains an invalid checksum

PE file contains strange resources

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)

Uses the system / local time for branch decision (may execute only at specific dates)

Yara signature match

Classification

Startup

System is w10x64

6c9e4dd7_by_Libranalysis.exe (PID: 3752 cmdline: 'C:\Users\user\Desktop\6c9e4dd7_by_Libranalysis.exe' MD5: 6C9E4DD7DAAB40A2B40DB3D13279EE2E)

Host.exe (PID: 4036 cmdline: 'C:\Users\user\AppData\Roaming\Install\Host.exe' MD5: 6C9E4DD7DAAB40A2B40DB3D13279EE2E)

cleanup

Malware Configuration

Threatname: NetWire

{"C2 list": ["rootsec.publicvm.com:3361"], "Password": "123", "Host ID": "HostId-%Rand%", "Mutex": "-", "Install Path": "%AppData%\\Install\\Host.exe", "Startup Name": "-", "ActiveX Key": "-", "KeyLog Directory": "%AppData%\\Logs\\"}

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
6c9e4dd7_by_Libranalysis.exe	JoeSecurity_NetWire_1	Yara detected NetWire RAT	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Roaming\Install\Host.exe	JoeSecurity_NetWire_1	Yara detected NetWire RAT	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.511119979.00000000007D0000.00000040.00000001.sdmp	JoeSecurity_NetWire_1	Yara detected NetWire RAT	Joe Security
00000001.00000002.259724809.00000000008E0000.00000040.00000001.sdmp	JoeSecurity_NetWire_1	Yara detected NetWire RAT	Joe Security
00000002.00000002.511293682.0000000000910000.00000040.00000001.sdmp	JoeSecurity_NetWire_1	Yara detected NetWire RAT	Joe Security
00000001.00000002.259743780.0000000000910000.00000004.00000040.sdmp	JoeSecurity_NetWire_1	Yara detected NetWire RAT	Joe Security
00000001.00000002.259762257.0000000002140000.00000040.00000001.sdmp	JoeSecurity_NetWire_1	Yara detected NetWire RAT	Joe Security
00000001.00000002.259762257.0000000002140000.00000040.00000001.sdmp	netwire	detect netwire in memory	JPCERT/CC Incident Response Group	0x22580:$v1: HostId-%Rand%
Process Memory Space: Host.exe PID: 4036	JoeSecurity_NetWire_1	Yara detected NetWire RAT	Joe Security
Process Memory Space: 6c9e4dd7_by_Libranalysis.exe PID: 3752	JoeSecurity_NetWire_1	Yara detected NetWire RAT	Joe Security
Process Memory Space: 6c9e4dd7_by_Libranalysis.exe PID: 3752	netwire	detect netwire in memory	JPCERT/CC Incident Response Group	0x180492:$v1: HostId-%Rand% 0x1804ad:$v1: HostId-%Rand%
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.Host.exe.910000.3.unpack	JoeSecurity_NetWire_1	Yara detected NetWire RAT	Joe Security
2.2.Host.exe.7d025e.2.raw.unpack	JoeSecurity_NetWire_1	Yara detected NetWire RAT	Joe Security
2.2.Host.exe.910000.3.raw.unpack	JoeSecurity_NetWire_1	Yara detected NetWire RAT	Joe Security
1.2.6c9e4dd7_by_Libranalysis.exe.2140000.3.raw.unpack	JoeSecurity_NetWire_1	Yara detected NetWire RAT	Joe Security
1.2.6c9e4dd7_by_Libranalysis.exe.2140000.3.raw.unpack	netwire	detect netwire in memory	JPCERT/CC Incident Response Group	0x22580:$v1: HostId-%Rand%
1.2.6c9e4dd7_by_Libranalysis.exe.2140000.3.unpack	JoeSecurity_NetWire_1	Yara detected NetWire RAT	Joe Security
1.2.6c9e4dd7_by_Libranalysis.exe.2140000.3.unpack	netwire	detect netwire in memory	JPCERT/CC Incident Response Group	0x20f80:$v1: HostId-%Rand%
1.2.6c9e4dd7_by_Libranalysis.exe.8e025e.2.raw.unpack	JoeSecurity_NetWire_1	Yara detected NetWire RAT	Joe Security
Click to see the 3 entries

Sigma Overview

System Summary:

Sigma detected: NetWire

Show sources

Source: Registry Key set

Author: Joe Security: Data: Details: HostId-yaI6gm, EventID: 13, Image: C:\Users\user\AppData\Roaming\Install\Host.exe, ProcessId: 4036, TargetObject: HKEY_CURRENT_USER\Software\NetWire\HostId

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 2.2.Host.exe.7d025e.2.raw.unpack

Malware Configuration Extractor: NetWire {"C2 list": ["rootsec.publicvm.com:3361"], "Password": "123", "Host ID": "HostId-%Rand%", "Mutex": "-", "Install Path": "%AppData%\\Install\\Host.exe", "Startup Name": "-", "ActiveX Key": "-", "KeyLog Directory": "%AppData%\\Logs\\"}

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\Install\Host.exe	Virustotal: Detection: 19%			Perma Link
Source: C:\Users\user\AppData\Roaming\Install\Host.exe	ReversingLabs: Detection: 19%

Multi AV Scanner detection for submitted file

Show sources

Source: 6c9e4dd7_by_Libranalysis.exe	Virustotal: Detection: 19%			Perma Link
Source: 6c9e4dd7_by_Libranalysis.exe	ReversingLabs: Detection: 19%

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\Install\Host.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: 6c9e4dd7_by_Libranalysis.exe

Joe Sandbox ML: detected

Source: 2.2.Host.exe.910000.3.unpack	Avira: Label: TR/Spy.Gen
Source: 1.2.6c9e4dd7_by_Libranalysis.exe.2140000.3.unpack	Avira: Label: TR/Spy.Gen
Source: 1.2.6c9e4dd7_by_Libranalysis.exe.8e025e.2.unpack	Avira: Label: TR/Patched.Ren.Gen

Compliance:

Detected unpacking (creates a PE file in dynamic memory)

Show sources

Source: C:\Users\user\Desktop\6c9e4dd7_by_Libranalysis.exe	Unpacked PE file: 1.2.6c9e4dd7_by_Libranalysis.exe.2140000.3.unpack
Source: C:\Users\user\AppData\Roaming\Install\Host.exe	Unpacked PE file: 2.2.Host.exe.910000.3.unpack

Source: 6c9e4dd7_by_Libranalysis.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 6c9e4dd7_by_Libranalysis.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: Journal.pdbL source: 6c9e4dd7_by_Libranalysis.exe
Source:	Binary string: Journal.pdb source: 6c9e4dd7_by_Libranalysis.exe

Source: C:\Users\user\Desktop\6c9e4dd7_by_Libranalysis.exe	Code function: 1_2_0048F1FF __EH_prolog3_GS,memset,lstrlenW,lstrlenW,lstrlenW,PathAddBackslashW,FindFirstFileW,memset,PathAddBackslashW,FindNextFileW,GetLastError,FindClose,GetLastError,		1_2_0048F1FF
Source: C:\Users\user\Desktop\6c9e4dd7_by_Libranalysis.exe	Code function: 1_2_0048EB15 memset,memset,lstrlenW,lstrlenW,lstrlenW,PathAddBackslashW,FindFirstFileW,FindNextFileW,GetLastError,FindClose,		1_2_0048EB15

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: rootsec.publicvm.com:3361

Source: unknown

DNS traffic detected: queries for: rootsec.publicvm.com

Source: Host.exe	String found in binary or memory: http://www.yandex.com
Source: 6c9e4dd7_by_Libranalysis.exe	String found in binary or memory: http://www.yandex.comsocks=
Source: Host.exe, 00000002.00000002.511293682.0000000000910000.00000040.00000001.sdmp	String found in binary or memory: http://www.yandex.comsocks=L

Source: Host.exe, 00000002.00000002.511322936.000000000093B000.00000040.00000001.sdmp

Binary or memory string: GetRawInputData

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000001.00000002.259762257.0000000002140000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: 6c9e4dd7_by_Libranalysis.exe PID: 3752, type: MEMORY	Matched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.6c9e4dd7_by_Libranalysis.exe.2140000.3.raw.unpack, type: UNPACKEDPE	Matched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.6c9e4dd7_by_Libranalysis.exe.2140000.3.unpack, type: UNPACKEDPE	Matched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group

PE file has a writeable .text section

Show sources

Source: 6c9e4dd7_by_Libranalysis.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: Host.exe.1.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\6c9e4dd7_by_Libranalysis.exe	Code function: 1_2_00427690	1_2_00427690
Source: C:\Users\user\Desktop\6c9e4dd7_by_Libranalysis.exe	Code function: 1_2_004B069F	1_2_004B069F
Source: C:\Users\user\Desktop\6c9e4dd7_by_Libranalysis.exe	Code function: 1_2_00435E97	1_2_00435E97
Source: C:\Users\user\AppData\Roaming\Install\Host.exe	Code function: 2_2_009134D3	2_2_009134D3
Source: C:\Users\user\AppData\Roaming\Install\Host.exe	Code function: 2_2_009308C0	2_2_009308C0
Source: C:\Users\user\AppData\Roaming\Install\Host.exe	Code function: 2_2_00930420	2_2_00930420
Source: C:\Users\user\AppData\Roaming\Install\Host.exe	Code function: 2_2_00913047	2_2_00913047
Source: C:\Users\user\AppData\Roaming\Install\Host.exe	Code function: 2_2_0092D049	2_2_0092D049
Source: C:\Users\user\AppData\Roaming\Install\Host.exe	Code function: 2_2_00925079	2_2_00925079
Source: C:\Users\user\AppData\Roaming\Install\Host.exe	Code function: 2_2_00929463	2_2_00929463
Source: C:\Users\user\AppData\Roaming\Install\Host.exe	Code function: 2_2_00924976	2_2_00924976
Source: C:\Users\user\AppData\Roaming\Install\Host.exe	Code function: 2_2_00925ABF	2_2_00925ABF
Source: C:\Users\user\AppData\Roaming\Install\Host.exe	Code function: 2_2_0091AEC6	2_2_0091AEC6
Source: C:\Users\user\AppData\Roaming\Install\Host.exe	Code function: 2_2_00912AFC	2_2_00912AFC
Source: C:\Users\user\AppData\Roaming\Install\Host.exe	Code function: 2_2_00926619	2_2_00926619
Source: C:\Users\user\AppData\Roaming\Install\Host.exe	Code function: 2_2_00912E68	2_2_00912E68
Source: C:\Users\user\AppData\Roaming\Install\Host.exe	Code function: 2_2_0091A728	2_2_0091A728
Source: C:\Users\user\AppData\Roaming\Install\Host.exe	Code function: 2_2_0092FF50	2_2_0092FF50
Source: C:\Users\user\AppData\Roaming\Install\Host.exe	Code function: 2_2_00930F40	2_2_00930F40

Source: C:\Users\user\AppData\Roaming\Install\Host.exe	Code function: String function: 009181AA appears 110 times
Source: C:\Users\user\AppData\Roaming\Install\Host.exe	Code function: String function: 0092F724 appears 31 times
Source: C:\Users\user\Desktop\6c9e4dd7_by_Libranalysis.exe	Code function: String function: 004AEBD4 appears 885 times
Source: C:\Users\user\Desktop\6c9e4dd7_by_Libranalysis.exe	Code function: String function: 004BF800 appears 121 times
Source: C:\Users\user\Desktop\6c9e4dd7_by_Libranalysis.exe	Code function: String function: 004BF7C8 appears 400 times

Source: 6c9e4dd7_by_Libranalysis.exe	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: 6c9e4dd7_by_Libranalysis.exe	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: 6c9e4dd7_by_Libranalysis.exe	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: 6c9e4dd7_by_Libranalysis.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 6c9e4dd7_by_Libranalysis.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 6c9e4dd7_by_Libranalysis.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 6c9e4dd7_by_Libranalysis.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 6c9e4dd7_by_Libranalysis.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 6c9e4dd7_by_Libranalysis.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 6c9e4dd7_by_Libranalysis.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 6c9e4dd7_by_Libranalysis.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Host.exe.1.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Host.exe.1.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Host.exe.1.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Host.exe.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Host.exe.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Host.exe.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Host.exe.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Host.exe.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Host.exe.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Host.exe.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Host.exe.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: 6c9e4dd7_by_Libranalysis.exe	Binary or memory string: OriginalFilename vs 6c9e4dd7_by_Libranalysis.exe
Source: 6c9e4dd7_by_Libranalysis.exe, 00000001.00000000.241605490.00000000004D8000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameJournal.exej% vs 6c9e4dd7_by_Libranalysis.exe
Source: 6c9e4dd7_by_Libranalysis.exe, 00000001.00000002.260301152.0000000002610000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs 6c9e4dd7_by_Libranalysis.exe
Source: 6c9e4dd7_by_Libranalysis.exe, 00000001.00000002.260301152.0000000002610000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs 6c9e4dd7_by_Libranalysis.exe
Source: 6c9e4dd7_by_Libranalysis.exe, 00000001.00000002.259800471.00000000021C0000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs 6c9e4dd7_by_Libranalysis.exe
Source: 6c9e4dd7_by_Libranalysis.exe	Binary or memory string: OriginalFilenameJournal.exej% vs 6c9e4dd7_by_Libranalysis.exe

Source: 6c9e4dd7_by_Libranalysis.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 00000001.00000002.259762257.0000000002140000.00000040.00000001.sdmp, type: MEMORY	Matched rule: netwire author = JPCERT/CC Incident Response Group, description = detect netwire in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: 6c9e4dd7_by_Libranalysis.exe PID: 3752, type: MEMORY	Matched rule: netwire author = JPCERT/CC Incident Response Group, description = detect netwire in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.6c9e4dd7_by_Libranalysis.exe.2140000.3.raw.unpack, type: UNPACKEDPE	Matched rule: netwire author = JPCERT/CC Incident Response Group, description = detect netwire in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.6c9e4dd7_by_Libranalysis.exe.2140000.3.unpack, type: UNPACKEDPE	Matched rule: netwire author = JPCERT/CC Incident Response Group, description = detect netwire in memory, rule_usage = memory scan, reference = internal research

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/1@6/1

Source: C:\Users\user\Desktop\6c9e4dd7_by_Libranalysis.exe

Code function: 1_2_004AE03F __EH_prolog3_GS,CoCreateInstance,memset,#6928,

1_2_004AE03F

Source: C:\Users\user\Desktop\6c9e4dd7_by_Libranalysis.exe

Code function: 1_2_0042ACE6 __EH_prolog3,memset,#1165,#1165,#1165,LockResource,#540,#4155,#861,#800,

1_2_0042ACE6

Source: C:\Users\user\Desktop\6c9e4dd7_by_Libranalysis.exe

File created: C:\Users\user\AppData\Roaming\Install

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Install\Host.exe

Mutant created: \Sessions\1\BaseNamedObjects\-

Source: 6c9e4dd7_by_Libranalysis.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\6c9e4dd7_by_Libranalysis.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\6c9e4dd7_by_Libranalysis.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Install\Host.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Install\Host.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: 6c9e4dd7_by_Libranalysis.exe	Virustotal: Detection: 19%
Source: 6c9e4dd7_by_Libranalysis.exe	ReversingLabs: Detection: 19%

Source: C:\Users\user\Desktop\6c9e4dd7_by_Libranalysis.exe

File read: C:\Users\user\Desktop\6c9e4dd7_by_Libranalysis.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\6c9e4dd7_by_Libranalysis.exe 'C:\Users\user\Desktop\6c9e4dd7_by_Libranalysis.exe'
Source: C:\Users\user\Desktop\6c9e4dd7_by_Libranalysis.exe	Process created: C:\Users\user\AppData\Roaming\Install\Host.exe 'C:\Users\user\AppData\Roaming\Install\Host.exe'
Source: C:\Users\user\Desktop\6c9e4dd7_by_Libranalysis.exe	Process created: C:\Users\user\AppData\Roaming\Install\Host.exe 'C:\Users\user\AppData\Roaming\Install\Host.exe'	Jump to behavior

Source: C:\Users\user\Desktop\6c9e4dd7_by_Libranalysis.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: 6c9e4dd7_by_Libranalysis.exe

Static file information: File size 2019840 > 1048576

Source: 6c9e4dd7_by_Libranalysis.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 6c9e4dd7_by_Libranalysis.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 6c9e4dd7_by_Libranalysis.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 6c9e4dd7_by_Libranalysis.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 6c9e4dd7_by_Libranalysis.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 6c9e4dd7_by_Libranalysis.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: 6c9e4dd7_by_Libranalysis.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: 6c9e4dd7_by_Libranalysis.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: Journal.pdbL source: 6c9e4dd7_by_Libranalysis.exe
Source:	Binary string: Journal.pdb source: 6c9e4dd7_by_Libranalysis.exe

Data Obfuscation:

Detected unpacking (creates a PE file in dynamic memory)

Show sources

Source: C:\Users\user\Desktop\6c9e4dd7_by_Libranalysis.exe	Unpacked PE file: 1.2.6c9e4dd7_by_Libranalysis.exe.2140000.3.unpack
Source: C:\Users\user\AppData\Roaming\Install\Host.exe	Unpacked PE file: 2.2.Host.exe.910000.3.unpack

Source: Host.exe.1.dr	Static PE information: real checksum: 0x1f534c should be: 0x1f5426
Source: 6c9e4dd7_by_Libranalysis.exe	Static PE information: real checksum: 0x1f534c should be: 0x1f5426

Source: C:\Users\user\Desktop\6c9e4dd7_by_Libranalysis.exe	Code function: 1_2_004BF4F1 push ecx; ret	1_2_004BF504
Source: C:\Users\user\AppData\Roaming\Install\Host.exe	Code function: 2_2_00919E61 push eax; mov dword ptr [esp], ebx	2_2_00919FDE
Source: C:\Users\user\AppData\Roaming\Install\Host.exe	Code function: 2_2_0091A4BC push esi; mov dword ptr [esp], 00933347h	2_2_0091A543
Source: C:\Users\user\AppData\Roaming\Install\Host.exe	Code function: 2_2_0091DCE9 push ecx; mov dword ptr [esp], 00933976h	2_2_0091DD9F
Source: C:\Users\user\AppData\Roaming\Install\Host.exe	Code function: 2_2_0091DCE9 push ebp; mov dword ptr [esp], 0093398Ah	2_2_0091DDD9
Source: C:\Users\user\AppData\Roaming\Install\Host.exe	Code function: 2_2_0091DCE9 push edx; mov dword ptr [esp], 00933997h	2_2_0091DDF7
Source: C:\Users\user\AppData\Roaming\Install\Host.exe	Code function: 2_2_0091DCE9 push edx; mov dword ptr [esp], esi	2_2_0091E394
Source: C:\Users\user\AppData\Roaming\Install\Host.exe	Code function: 2_2_00932449 push edi; retf	2_2_0093244B
Source: C:\Users\user\AppData\Roaming\Install\Host.exe	Code function: 2_2_00921D8C push edx; mov dword ptr [esp], edi	2_2_00922058
Source: C:\Users\user\AppData\Roaming\Install\Host.exe	Code function: 2_2_00919953 push edi; mov dword ptr [esp], 00000091h	2_2_00919980
Source: C:\Users\user\AppData\Roaming\Install\Host.exe	Code function: 2_2_00919953 push ebp; mov dword ptr [esp], 00000090h	2_2_0091998D
Source: C:\Users\user\AppData\Roaming\Install\Host.exe	Code function: 2_2_009246E1 push eax; mov dword ptr [esp], ebx	2_2_0092470B
Source: C:\Users\user\AppData\Roaming\Install\Host.exe	Code function: 2_2_00916E04 push ecx; mov dword ptr [esp], ebx	2_2_00916E69
Source: C:\Users\user\AppData\Roaming\Install\Host.exe	Code function: 2_2_0091262F push edx; mov dword ptr [esp], edi	2_2_009127C8
Source: C:\Users\user\AppData\Roaming\Install\Host.exe	Code function: 2_2_0091262F push edx; mov dword ptr [esp], edi	2_2_00912815
Source: C:\Users\user\AppData\Roaming\Install\Host.exe	Code function: 2_2_0091262F push edx; mov dword ptr [esp], edi	2_2_009129B2
Source: C:\Users\user\AppData\Roaming\Install\Host.exe	Code function: 2_2_0091970C push eax; mov dword ptr [esp], 0093B4A0h	2_2_009197B9

Source: C:\Users\user\Desktop\6c9e4dd7_by_Libranalysis.exe

File created: C:\Users\user\AppData\Roaming\Install\Host.exe

Jump to dropped file

Source: C:\Users\user\Desktop\6c9e4dd7_by_Libranalysis.exe	Code function: 1_2_00440840 __EH_prolog3_GS,#1165,#1165,IsIconic,#1165,#1165,#1165,		1_2_00440840
Source: C:\Users\user\Desktop\6c9e4dd7_by_Libranalysis.exe	Code function: 1_2_004328A6 __EH_prolog3_GS,MonitorFromWindow,GetMonitorInfoW,SHAppBarMessage,SHAppBarMessage,SetRectEmpty,SHAppBarMessage,CopyRect,#3916,memset,IsIconic,#6191,IsZoomed,#6191,#6211,#4294,		1_2_004328A6

Source: C:\Users\user\Desktop\6c9e4dd7_by_Libranalysis.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\6c9e4dd7_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6c9e4dd7_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6c9e4dd7_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6c9e4dd7_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6c9e4dd7_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6c9e4dd7_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6c9e4dd7_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6c9e4dd7_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6c9e4dd7_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Install\Host.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Install\Host.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\6c9e4dd7_by_Libranalysis.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Users\user\Desktop\6c9e4dd7_by_Libranalysis.exe

Code function: 1_2_004B069F rdtsc

1_2_004B069F

Source: C:\Users\user\AppData\Roaming\Install\Host.exe TID: 644

Thread sleep time: -375000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\6c9e4dd7_by_Libranalysis.exe	Code function: 1_2_00465374 GetKeyboardLayout followed by cmp: cmp cx, ax and CTI: jne 0046554Ch		1_2_00465374
Source: C:\Users\user\Desktop\6c9e4dd7_by_Libranalysis.exe	Code function: 1_2_00465374 GetKeyboardLayout followed by cmp: cmp cx, ax and CTI: je 0046554Ch		1_2_00465374

Source: C:\Users\user\Desktop\6c9e4dd7_by_Libranalysis.exe

Code function: 1_2_00485EDE GetLocalTime followed by cmp: cmp ebx, 10h and CTI: jnc 00485FD2h

1_2_00485EDE

Source: C:\Users\user\Desktop\6c9e4dd7_by_Libranalysis.exe	Code function: 1_2_0048F1FF __EH_prolog3_GS,memset,lstrlenW,lstrlenW,lstrlenW,PathAddBackslashW,FindFirstFileW,memset,PathAddBackslashW,FindNextFileW,GetLastError,FindClose,GetLastError,		1_2_0048F1FF
Source: C:\Users\user\Desktop\6c9e4dd7_by_Libranalysis.exe	Code function: 1_2_0048EB15 memset,memset,lstrlenW,lstrlenW,lstrlenW,PathAddBackslashW,FindFirstFileW,FindNextFileW,GetLastError,FindClose,		1_2_0048EB15

Source: C:\Users\user\AppData\Roaming\Install\Host.exe

Thread delayed: delay time: 75000

Jump to behavior

Source: C:\Users\user\Desktop\6c9e4dd7_by_Libranalysis.exe

Code function: 1_2_004B069F rdtsc

1_2_004B069F

Source: C:\Users\user\Desktop\6c9e4dd7_by_Libranalysis.exe	Code function: 1_2_004B81C1 mov ebx, dword ptr fs:[00000030h]	1_2_004B81C1
Source: C:\Users\user\Desktop\6c9e4dd7_by_Libranalysis.exe	Code function: 1_2_004BDB47 mov eax, dword ptr fs:[00000030h]	1_2_004BDB47
Source: C:\Users\user\Desktop\6c9e4dd7_by_Libranalysis.exe	Code function: 1_2_00440BC5 mov eax, dword ptr fs:[00000030h]	1_2_00440BC5
Source: C:\Users\user\Desktop\6c9e4dd7_by_Libranalysis.exe	Code function: 1_2_00440BC5 mov eax, dword ptr fs:[00000030h]	1_2_00440BC5
Source: C:\Users\user\Desktop\6c9e4dd7_by_Libranalysis.exe	Code function: 1_2_004B069F mov eax, dword ptr fs:[00000030h]	1_2_004B069F
Source: C:\Users\user\Desktop\6c9e4dd7_by_Libranalysis.exe	Code function: 1_2_004B069F mov eax, dword ptr fs:[00000030h]	1_2_004B069F
Source: C:\Users\user\Desktop\6c9e4dd7_by_Libranalysis.exe	Code function: 1_2_004B069F mov eax, dword ptr fs:[00000030h]	1_2_004B069F
Source: C:\Users\user\Desktop\6c9e4dd7_by_Libranalysis.exe	Code function: 1_2_004B069F mov eax, dword ptr fs:[00000030h]	1_2_004B069F
Source: C:\Users\user\Desktop\6c9e4dd7_by_Libranalysis.exe	Code function: 1_2_00435E97 mov eax, dword ptr fs:[00000030h]	1_2_00435E97
Source: C:\Users\user\Desktop\6c9e4dd7_by_Libranalysis.exe	Code function: 1_2_00435E97 mov eax, dword ptr fs:[00000030h]	1_2_00435E97
Source: C:\Users\user\Desktop\6c9e4dd7_by_Libranalysis.exe	Code function: 1_2_00435E97 mov eax, dword ptr fs:[00000030h]	1_2_00435E97
Source: C:\Users\user\Desktop\6c9e4dd7_by_Libranalysis.exe	Code function: 1_2_00435E97 mov eax, dword ptr fs:[00000030h]	1_2_00435E97

Source: C:\Users\user\Desktop\6c9e4dd7_by_Libranalysis.exe

Code function: 1_2_0047DA73 #1165,GlobalLock,GlobalLock,GlobalLock,GetProcessHeap,HeapAlloc,memcpy,GlobalUnlock,GlobalUnlock,

1_2_0047DA73

Source: C:\Users\user\Desktop\6c9e4dd7_by_Libranalysis.exe

Code function: 1_2_004BED37 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

1_2_004BED37

Source: C:\Users\user\Desktop\6c9e4dd7_by_Libranalysis.exe

Process created: C:\Users\user\AppData\Roaming\Install\Host.exe 'C:\Users\user\AppData\Roaming\Install\Host.exe'

Jump to behavior

Source: Host.exe, 00000002.00000002.511406065.0000000000DC0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: Host.exe, 00000002.00000002.511406065.0000000000DC0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: Host.exe, 00000002.00000002.511406065.0000000000DC0000.00000002.00000001.sdmp	Binary or memory string: SProgram Managerl
Source: Host.exe, 00000002.00000002.511406065.0000000000DC0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd,
Source: Host.exe, 00000002.00000002.511406065.0000000000DC0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\6c9e4dd7_by_Libranalysis.exe	Code function: __EH_prolog3_GS,#567,GetLocaleInfoW,_wtoi,#1165,CoCreateInstance,#30,SysAllocStringLen,#1165,#1165,SysStringLen,SysFreeString,#1008,#1008,#1008,#1008,		1_2_00466E2B
Source: C:\Users\user\Desktop\6c9e4dd7_by_Libranalysis.exe	Code function: __EH_prolog3_GS,memcpy,GetLocalTime,GetLocaleInfoW,		1_2_00485EDE

Source: C:\Users\user\Desktop\6c9e4dd7_by_Libranalysis.exe

Code function: 1_2_004BF3D8 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

1_2_004BF3D8

Stealing of Sensitive Information:

Contains functionality to steal Chrome passwords or cookies

Show sources

Source: C:\Users\user\AppData\Roaming\Install\Host.exe	Code function: %s\Google\Chrome\User Data\Default\Login Data		2_2_0091F281
Source: C:\Users\user\AppData\Roaming\Install\Host.exe	Code function: %s\Chromium\User Data\Default\Login Data		2_2_0091F382

Remote Access Functionality:

Yara detected NetWire RAT

Show sources

Source: Yara match	File source: 6c9e4dd7_by_Libranalysis.exe, type: SAMPLE
Source: Yara match	File source: 00000002.00000002.511119979.00000000007D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.259724809.00000000008E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.511293682.0000000000910000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.259743780.0000000000910000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.259762257.0000000002140000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Host.exe PID: 4036, type: MEMORY
Source: Yara match	File source: Process Memory Space: 6c9e4dd7_by_Libranalysis.exe PID: 3752, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Install\Host.exe, type: DROPPED
Source: Yara match	File source: 2.2.Host.exe.910000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Host.exe.7d025e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Host.exe.910000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.6c9e4dd7_by_Libranalysis.exe.2140000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.6c9e4dd7_by_Libranalysis.exe.2140000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.6c9e4dd7_by_Libranalysis.exe.8e025e.2.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection12	Masquerading1	OS Credential Dumping1	System Time Discovery11	Remote Services	Input Capture11	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Virtualization/Sandbox Evasion21	Input Capture11	Query Registry1	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Non-Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection12	Credentials In Files1	Security Software Discovery13	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Application Layer Protocol11	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Deobfuscate/Decode Files or Information1	NTDS	Process Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Obfuscated Files or Information2	LSA Secrets	Virtualization/Sandbox Evasion21	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Software Packing11	Cached Domain Credentials	Application Window Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	Remote System Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	File and Directory Discovery2	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	System Information Discovery22	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report 6c9e4dd7_by_Libranalysis

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: NetWire

Yara Overview

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph