2* ID: 1452
3* MalFamily: "NetWire"
4
5* MalScore: 10.0
6
7* File Name: "NetWire_d831b52264a99b75cf77d673ef535961.exe"
8* File Size: 297472
9* File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
10* SHA256: "e7caa8046823b7b5b457f535f42ce2120b3d7b2fed4fe0a4d26515b06d9b1763"
11* MD5: "d831b52264a99b75cf77d673ef535961"
12* SHA1: "30d2dedd1099116d2b6bea64196f2844fe349dc5"
13* SHA512: "cbb9b2bfa63523c57203cd9ea4fa3428a3e523f05aabaf287d3aec409db0764c7b3bea56fde72ba0a751773d624397eea17d991281a8b71c0caf361c3ab429d3"
14* CRC32: "DD262C1E"
15* SSDEEP: "6144:KAO3e3haaeS1x9PGmsuX7rZOiMAPcZlGRKCkyosBWde5K5Dg:KAh/eYTrZOitcfRl5"
16
17* Process Execution:
18 "2JdFJC2s.exe",
19 "Host.exe"
20
21
22* Executed Commands:
23 "\"C:\\Users\\user\\AppData\\Roaming\\Install\\Host.exe\" -m \"C:\\Users\\user\\AppData\\Local\\Temp\\2JdFJC2s.exe\"",
24 "C:\\Users\\user\\AppData\\Roaming\\Install\\Host.exe -m \"C:\\Users\\user\\AppData\\Local\\Temp\\2JdFJC2s.exe\""
25
26
27* Signatures Detected:
28
29 "Description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
30 "Details":
31
32
33 "Description": "Behavioural detection: Executable code extraction",
34 "Details":
35
36
37 "Description": "Possible date expiration check, exits too soon after checking local time",
38 "Details":
39
40 "process": "2JdFJC2s.exe, PID 2320"
41
42
43
44
45 "Description": "A process attempted to delay the analysis task.",
46 "Details":
47
48 "Process": "Host.exe tried to sleep 825 seconds, actually delayed analysis time by 0 seconds"
49
50
51
52
53 "Description": "Attempts to connect to a dead IP:Port (5 unique times)",
54 "Details":
55
56 "IP_ioc": "213.152.161.239:8733 (Netherlands)"
57
58
59 "IP_ioc": "109.202.107.10:8733 (Netherlands)"
60
61
62 "IP_ioc": "213.152.162.15:8733 (Netherlands)"
63
64
65 "IP_ioc": "213.152.161.229:8733 (Netherlands)"
66
67
68 "IP_ioc": "109.202.103.170:8733 (Netherlands)"
69
70
71
72
73 "Description": "Reads data out of its own binary image",
74 "Details":
75
76 "self_read": "process: 2JdFJC2s.exe, pid: 2320, offset: 0x00000000, length: 0x00048000"
77
78
79
80
81 "Description": "The binary likely contains encrypted or compressed data.",
82 "Details":
83
84 "section": "name: .text, entropy: 6.91, characteristics: IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ, raw_size: 0x00042200, virtual_size: 0x000420c0"
85
86
87
88
89 "Description": "Attempts to repeatedly call a single API many times in order to delay analysis time",
90 "Details":
91
92 "Spam": "2JdFJC2s.exe (2320) called API NtOpenProcess 16838 times"
93
94
95 "Spam": "Host.exe (1520) called API NtOpenProcess 16838 times"
96
97
98
99
100 "Description": "Installs itself for autorun at Windows startup",
101 "Details":
102
103 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\system"
104
105
106 "data": "C:\\Users\\user\\AppData\\Roaming\\Install\\Host.exe"
107
108
109 "key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\B1R4X6Q6-38AJ-P6L0-Y740-01J2YA7AKCK3"
110
111
112 "data": "unknown"
113
114
115 "key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Active Setup\\Installed Components\\B1R4X6Q6-38AJ-P6L0-Y740-01J2YA7AKCK3\\StubPath"
116
117
118 "data": "\"C:\\Users\\user\\AppData\\Roaming\\Install\\Host.exe\""
119
120
121
122
123 "Description": "File has been identified by 22 Antiviruses on VirusTotal as malicious",
124 "Details":
125
126 "FireEye": "Generic.mg.d831b52264a99b75"
127
128
129 "McAfee": "Artemis!D831B52264A9"
130
131
132 "Cylance": "Unsafe"
133
134
135 "CrowdStrike": "win/malicious_confidence_90% (W)"
136
137
138 "Symantec": "Packed.Generic.525"
139
140
141 "APEX": "Malicious"
142
143
144 "ClamAV": "Win.Packed.addsub-6963063-0"
145
146
147 "Kaspersky": "UDS:DangerousObject.Multi.Generic"
148
149
150 "Rising": "Malware.Obscure/Heur!1.9E03 (CLASSIC)"
151
152
153 "Endgame": "malicious (high confidence)"
154
155
156 "Invincea": "heuristic"
157
158
159 "McAfee-GW-Edition": "BehavesLike.Win32.BadFile.dh"
160
161
162 "Trapmine": "malicious.high.ml.score"
163
164
165 "Webroot": "W32.Trojan.Gen"
166
167
168 "ZoneAlarm": "UDS:DangerousObject.Multi.Generic"
169
170
171 "Acronis": "suspicious"
172
173
174 "Malwarebytes": "Trojan.MalPack.GS"
175
176
177 "ESET-NOD32": "a variant of Win32/Kryptik.GWGY"
178
179
180 "SentinelOne": "DFI - Malicious PE"
181
182
183 "AVG": "FileRepMalware"
184
185
186 "Cybereason": "malicious.d10991"
187
188
189 "Qihoo-360": "HEUR/QVM10.1.C59D.Malware.Gen"
190
191
192
193
194 "Description": "Clamav Hits in Target/Dropped/SuriExtracted",
195 "Details":
196
197 "target": "clamav:Win.Packed.addsub-6963063-0, sha256:e7caa8046823b7b5b457f535f42ce2120b3d7b2fed4fe0a4d26515b06d9b1763, type:PE32 executable (GUI) Intel 80386, for MS Windows"
198
199
200 "dropped": "clamav:Win.Packed.addsub-6963063-0, sha256:e7caa8046823b7b5b457f535f42ce2120b3d7b2fed4fe0a4d26515b06d9b1763 , guest_paths:C:\\Users\\user\\AppData\\Roaming\\Install\\Host.exe, type:PE32 executable (GUI) Intel 80386, for MS Windows"
201
202
203
204
205 "Description": "Creates a copy of itself",
206 "Details":
207
208 "copy": "C:\\Users\\user\\AppData\\Roaming\\Install\\Host.exe"
209
210
211
212
213 "Description": "Drops a binary and executes it",
214 "Details":
215
216 "binary": "C:\\Users\\user\\AppData\\Roaming\\Install\\Host.exe"
217
218
219
220
221
222* Started Service:
223
224* Mutexes:
225 "oDEDWxKJ"
226
227
228* Modified Files:
229 "C:\\Users\\user\\AppData\\Roaming\\Install\\Host.exe"
230
231
232* Deleted Files:
233 "C:\\Users\\user\\AppData\\Roaming\\Install\\Host.exe"
234
235
236* Modified Registry Keys:
237 "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\system",
238 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\B1R4X6Q6-38AJ-P6L0-Y740-01J2YA7AKCK3",
239 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Active Setup\\Installed Components\\B1R4X6Q6-38AJ-P6L0-Y740-01J2YA7AKCK3\\StubPath",
240 "HKEY_CURRENT_USER\\SOFTWARE\\NetWire",
241 "HKEY_CURRENT_USER\\Software\\NetWire\\HostId",
242 "HKEY_CURRENT_USER\\Software\\NetWire\\Install Date"
243
244
245* Deleted Registry Keys:
246
247* DNS Communications:
248
249* Domains:
250
251* Network Communication - ICMP:
252
253* Network Communication - HTTP:
254
255* Network Communication - SMTP:
256
257* Network Communication - Hosts:
258
259 "country_name": "Netherlands",
260 "ip": "213.152.162.15",
261 "inaddrarpa": "",
262 "hostname": ""
263
264
265 "country_name": "Netherlands",
266 "ip": "213.152.161.239",
267 "inaddrarpa": "",
268 "hostname": ""
269
270
271 "country_name": "Netherlands",
272 "ip": "213.152.161.229",
273 "inaddrarpa": "",
274 "hostname": ""
275
276
277 "country_name": "Netherlands",
278 "ip": "109.202.107.10",
279 "inaddrarpa": "",
280 "hostname": ""
281
282
283 "country_name": "Netherlands",
284 "ip": "109.202.103.170",
285 "inaddrarpa": "",
286 "hostname": ""
287
288
289
290* Network Communication - IRC: