
Windows Analysis Report
PO 059420.exe

Overview

General Information

Sample Name:PO 059420.exe
Analysis ID:715096
MD5:139deb18239c1db30775b256717b91a6
SHA1:3539a4b24d8f5b601d99a2239f5f18e17cd5fb04
SHA256:5f2a513bb02d1432e658ac0d65327d0ed56f6a4f1e014de8e4ff50fcf738ca93
Tags:exeJustClickAm-com

Detection

NetWire
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Yara detected NetWire RAT
Sigma detected: Scheduled temp file as task from temp location
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Sample file is different than original file name gathered from version info
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • PO 059420.exe (PID: 4600 cmdline: C:\Users\user\Desktop\PO 059420.exe MD5: 139DEB18239C1DB30775B256717B91A6)
    • schtasks.exe (PID: 6136 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pgzBzcEDZDX" /XML "C:\Users\user\AppData\Local\Temp\tmpFCF6.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 1544 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • PO 059420.exe (PID: 1916 cmdline: {path} MD5: 139DEB18239C1DB30775B256717B91A6)
      • Host.exe (PID: 5188 cmdline: "C:\Users\user\AppData\Roaming\Install\Host.exe" MD5: 139DEB18239C1DB30775B256717B91A6)
        • schtasks.exe (PID: 4756 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pgzBzcEDZDX" /XML "C:\Users\user\AppData\Local\Temp\tmp46B4.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
          • conhost.exe (PID: 5556 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • Host.exe (PID: 4140 cmdline: {path} MD5: 139DEB18239C1DB30775B256717B91A6)
        • MpCmdRun.exe (PID: 4756 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: A267555174BFA53844371226F482B86B)
          • conhost.exe (PID: 5188 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
{"C2 list": ["37.0.14.206:3384"], "Password": "Password234", "Host ID": "HostId-%Rand%", "Mutex": "-", "Install Path": "-", "Startup Name": "-", "ActiveX Key": "-"}
Source | Rule | Description | Author | Strings
00000003.00000002.323599749.000000000041B000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_NetWire_1 | Yara detected NetWire RAT | Joe Security |
00000003.00000002.323643134.0000000000423000.00000040.00000400.00020000.00000000.sdmp | netwire | detect netwire in memory | JPCERT/CC Incident Response Group | 0x3cc:$v1: HostId-%Rand%
00000004.00000002.355950894.0000000002511000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_NetWire_1 | Yara detected NetWire RAT | Joe Security |
00000000.00000002.324385254.0000000002F91000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_NetWire_1 | Yara detected NetWire RAT | Joe Security |
00000003.00000000.319873179.000000000041B000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_NetWire_1 | Yara detected NetWire RAT | Joe Security |
Source | Rule | Description | Author | Strings
0.2.PO 059420.exe.4037e10.2.unpack | JoeSecurity_NetWire_1 | Yara detected NetWire RAT | Joe Security |
3.0.PO 059420.exe.400000.0.unpack | JoeSecurity_NetWire_1 | Yara detected NetWire RAT | Joe Security |
0.2.PO 059420.exe.4037e10.2.raw.unpack | JoeSecurity_NetWire_1 | Yara detected NetWire RAT | Joe Security |

Persistence and Installation Behavior