· 6 years ago · Sep 04, 2019, 11:23 PM
1
2* ID: 1099
3* MalFamily: "NetWire"
4
5* MalScore: 10.0
6
7* File Name: "NetWire_82cf92967ff37089ac670b63f2dd45e6.txt"
8* File Size: 557056
9* File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
10* SHA256: "285074cbfbb186cb746a1e03a3b3ca95cb3611987c0aab3433978268fb590aa1"
11* MD5: "82cf92967ff37089ac670b63f2dd45e6"
12* SHA1: "37cdf11edd5bf245d7d0ab61939c920270ec8cbe"
13* SHA512: "4658d213a8e4688d156b32f393092d1474679544488b11f72c439e0feb1ff18ebcbbf7c83d49f6e0e947670aab244e4481b28b3c8dbfd382452bfbb1591e2323"
14* CRC32: "FA427131"
15* SSDEEP: "12288:zWkjHZV+Lfb1CnBOeMLpjOxpA+Ua2Hj+:qGlBHMZLY"
16
17* Process Execution:
18 "dHHJ9vjbQZ6.exe",
19 "dHHJ9vjbQZ6.exe",
20 "Host.exe",
21 "Host.exe"
22
23
24* Executed Commands:
25 "\"C:\\Users\\user\\AppData\\Local\\Temp\\dHHJ9vjbQZ6.exe\"",
26 "\"C:\\Users\\user\\AppData\\Roaming\\Install\\Host.exe\""
27
28
29* Signatures Detected:
30
31 "Description": "Behavioural detection: Executable code extraction",
32 "Details":
33
34
 "Description": "Attempts to connect to a dead IP:Port, i.e. one that did not respond during analysis (1 unique destination)",
36 "Details":
37
38 "IP_ioc": "212.7.208.123:8765 (Netherlands)"
39
40
41
42
43 "Description": "Creates RWX memory",
44 "Details":
45
46
47 "Description": "A process attempted to delay the analysis task.",
48 "Details":
49
50 "Process": "Host.exe tried to sleep 754 seconds, actually delayed analysis time by 0 seconds"
51
52
53
54
55 "Description": "Reads data out of its own binary image",
56 "Details":
57
58 "self_read": "process: dHHJ9vjbQZ6.exe, pid: 624, offset: 0x00000000, length: 0x00088000"
59
60
61
62
63 "Description": "Drops a binary and executes it",
64 "Details":
65
66 "binary": "C:\\Users\\user\\AppData\\Roaming\\Install\\Host.exe"
67
68
69
70
71 "Description": "Behavioural detection: Injection (Process Hollowing)",
72 "Details":
73
74 "Injection": "dHHJ9vjbQZ6.exe(2320) -> dHHJ9vjbQZ6.exe(624)"
75
76
77
78
79 "Description": "Executed a process and injected code into it, probably while unpacking",
80 "Details":
81
82 "Injection": "dHHJ9vjbQZ6.exe(2320) -> dHHJ9vjbQZ6.exe(624)"
83
84
85
86
 "Description": "Repeatedly calls a single API many times in order to delay analysis (sleep/time-stalling evasion)",
88 "Details":
89
90 "Spam": "dHHJ9vjbQZ6.exe (2320) called API GetLocalTime 106937 times"
91
92
93 "Spam": "Host.exe (2372) called API GetLocalTime 106937 times"
94
95
96
97
 "Description": "Installs itself for autorun at Windows startup (HKCU Run key and Active Setup StubPath entries pointing at the dropped Host.exe)",
99 "Details":
100
101 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\windows"
102
103
104 "data": "C:\\Users\\user\\AppData\\Roaming\\Install\\Host.exe"
105
106
107 "key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\L501JP3X-C6PC-RH36-475X-RS2C2OQHHGS0"
108
109
110 "data": "unknown"
111
112
113 "key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Active Setup\\Installed Components\\L501JP3X-C6PC-RH36-475X-RS2C2OQHHGS0\\StubPath"
114
115
116 "data": "\"C:\\Users\\user\\AppData\\Roaming\\Install\\Host.exe\""
117
118
119
120
 "Description": "File has been identified as malicious by 21 antivirus engines on VirusTotal",
122 "Details":
123
124 "MicroWorld-eScan": "Gen:Variant.Razy.551446"
125
126
127 "McAfee": "Fareit-FPT!82CF92967FF3"
128
129
130 "Cylance": "Unsafe"
131
132
133 "Cybereason": "malicious.edd5bf"
134
135
136 "Invincea": "heuristic"
137
138
139 "F-Prot": "W32/VBKrypt.SQ.gen!Eldorado"
140
141
142 "APEX": "Malicious"
143
144
145 "Paloalto": "generic.ml"
146
147
148 "Endgame": "malicious (high confidence)"
149
150
151 "Trapmine": "malicious.moderate.ml.score"
152
153
154 "FireEye": "Generic.mg.82cf92967ff37089"
155
156
157 "SentinelOne": "DFI - Suspicious PE"
158
159
160 "Cyren": "W32/VBKrypt.SQ.gen!Eldorado"
161
162
163 "Microsoft": "Trojan:Win32/Fuerboos.C!cl"
164
165
166 "AhnLab-V3": "Trojan/Win32.VBKrypt.R290013"
167
168
169 "Acronis": "suspicious"
170
171
172 "MAX": "malware (ai score=84)"
173
174
175 "Malwarebytes": "Trojan.MalPack.VB.Generic"
176
177
178 "ESET-NOD32": "a variant of Win32/Injector.EHPN"
179
180
181 "Fortinet": "W32/GenKryptik.DRZR!tr"
182
183
184 "CrowdStrike": "win/malicious_confidence_60% (D)"
185
186
187
188
189 "Description": "Creates a copy of itself",
190 "Details":
191
192 "copy": "C:\\Users\\user\\AppData\\Roaming\\Install\\Host.exe"
193
194
195
196
197
198* Started Service:
199
200* Mutexes:
201 "-"
202
203
204* Modified Files:
205 "C:\\Users\\user\\AppData\\Roaming\\Install\\Host.exe"
206
207
208* Deleted Files:
209 "C:\\Users\\user\\AppData\\Roaming\\Install\\Host.exe"
210
211
212* Modified Registry Keys:
213 "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\windows",
214 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\L501JP3X-C6PC-RH36-475X-RS2C2OQHHGS0",
215 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Active Setup\\Installed Components\\L501JP3X-C6PC-RH36-475X-RS2C2OQHHGS0\\StubPath"
216
217
218* Deleted Registry Keys:
219
220* DNS Communications:
221
222* Domains:
223
224* Network Communication - ICMP:
225
226* Network Communication - HTTP:
227
228* Network Communication - SMTP:
229
230* Network Communication - Hosts:
231
232 "country_name": "Netherlands",
233 "ip": "212.7.208.123",
234 "inaddrarpa": "",
235 "hostname": ""
236
237
238
239* Network Communication - IRC: