paladin316

1099NetWire_82cf92967ff37089ac670b63f2dd45e6_txt_2019-09-04_18_30.txt

Sep 4th, 2019
  1.  
  2. * ID: 1099
  3. * MalFamily: "NetWire"
  4.  
  5. * MalScore: 10.0
  6.  
  7. * File Name: "NetWire_82cf92967ff37089ac670b63f2dd45e6.txt"
  8. * File Size: 557056
  9. * File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
  10. * SHA256: "285074cbfbb186cb746a1e03a3b3ca95cb3611987c0aab3433978268fb590aa1"
  11. * MD5: "82cf92967ff37089ac670b63f2dd45e6"
  12. * SHA1: "37cdf11edd5bf245d7d0ab61939c920270ec8cbe"
  13. * SHA512: "4658d213a8e4688d156b32f393092d1474679544488b11f72c439e0feb1ff18ebcbbf7c83d49f6e0e947670aab244e4481b28b3c8dbfd382452bfbb1591e2323"
  14. * CRC32: "FA427131"
  15. * SSDEEP: "12288:zWkjHZV+Lfb1CnBOeMLpjOxpA+Ua2Hj+:qGlBHMZLY"
  16.  
  17. * Process Execution:
  18. "dHHJ9vjbQZ6.exe",
  19. "dHHJ9vjbQZ6.exe",
  20. "Host.exe",
  21. "Host.exe"
  22.  
  23.  
  24. * Executed Commands:
  25. "\"C:\\Users\\user\\AppData\\Local\\Temp\\dHHJ9vjbQZ6.exe\"",
  26. "\"C:\\Users\\user\\AppData\\Roaming\\Install\\Host.exe\""
  27.  
  28.  
  29. * Signatures Detected:
  30.  
  31. "Description": "Behavioural detection: Executable code extraction",
  32. "Details":
  33.  
  34.  
  35. "Description": "Attempts to connect to an IP:Port that did not respond during analysis (1 unique endpoint)",
  36. "Details":
  37.  
  38. "IP_ioc": "212.7.208.123:8765 (Netherlands)"
  39.  
  40.  
  41.  
  42.  
  43. "Description": "Creates RWX memory",
  44. "Details":
  45.  
  46.  
  47. "Description": "A process attempted to delay the analysis task (sleep-based evasion).",
  48. "Details":
  49.  
  50. "Process": "Host.exe requested a 754-second sleep; the sandbox shortened it, so the analysis was actually delayed by 0 seconds"
  51.  
  52.  
  53.  
  54.  
  55. "Description": "Reads data out of its own binary image",
  56. "Details":
  57.  
  58. "self_read": "process: dHHJ9vjbQZ6.exe, pid: 624, offset: 0x00000000, length: 0x00088000"
  59.  
  60.  
  61.  
  62.  
  63. "Description": "Drops a binary and executes it",
  64. "Details":
  65.  
  66. "binary": "C:\\Users\\user\\AppData\\Roaming\\Install\\Host.exe"
  67.  
  68.  
  69.  
  70.  
  71. "Description": "Behavioural detection: Injection (Process Hollowing)",
  72. "Details":
  73.  
  74. "Injection": "dHHJ9vjbQZ6.exe(2320) -> dHHJ9vjbQZ6.exe(624)"
  75.  
  76.  
  77.  
  78.  
  79. "Description": "Executed a process and injected code into it, probably while unpacking",
  80. "Details":
  81.  
  82. "Injection": "dHHJ9vjbQZ6.exe(2320) -> dHHJ9vjbQZ6.exe(624)"
  83.  
  84.  
  85.  
  86.  
  87. "Description": "Repeatedly calls a single API a very large number of times in order to delay or stall analysis",
  88. "Details":
  89.  
  90. "Spam": "dHHJ9vjbQZ6.exe (2320) called API GetLocalTime 106937 times"
  91.  
  92.  
  93. "Spam": "Host.exe (2372) called API GetLocalTime 106937 times"
  94.  
  95.  
  96.  
  97.  
  98. "Description": "Installs itself for autorun at Windows startup",
  99. "Details":
  100.  
  101. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\windows"
  102.  
  103.  
  104. "data": "C:\\Users\\user\\AppData\\Roaming\\Install\\Host.exe"
  105.  
  106.  
  107. "key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\L501JP3X-C6PC-RH36-475X-RS2C2OQHHGS0"
  108.  
  109.  
  110. "data": "unknown"
  111.  
  112.  
  113. "key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Active Setup\\Installed Components\\L501JP3X-C6PC-RH36-475X-RS2C2OQHHGS0\\StubPath"
  114.  
  115.  
  116. "data": "\"C:\\Users\\user\\AppData\\Roaming\\Install\\Host.exe\""
  117.  
  118.  
  119.  
  120.  
  121. "Description": "File has been identified by 21 Antiviruses on VirusTotal as malicious",
  122. "Details":
  123.  
  124. "MicroWorld-eScan": "Gen:Variant.Razy.551446"
  125.  
  126.  
  127. "McAfee": "Fareit-FPT!82CF92967FF3"
  128.  
  129.  
  130. "Cylance": "Unsafe"
  131.  
  132.  
  133. "Cybereason": "malicious.edd5bf"
  134.  
  135.  
  136. "Invincea": "heuristic"
  137.  
  138.  
  139. "F-Prot": "W32/VBKrypt.SQ.gen!Eldorado"
  140.  
  141.  
  142. "APEX": "Malicious"
  143.  
  144.  
  145. "Paloalto": "generic.ml"
  146.  
  147.  
  148. "Endgame": "malicious (high confidence)"
  149.  
  150.  
  151. "Trapmine": "malicious.moderate.ml.score"
  152.  
  153.  
  154. "FireEye": "Generic.mg.82cf92967ff37089"
  155.  
  156.  
  157. "SentinelOne": "DFI - Suspicious PE"
  158.  
  159.  
  160. "Cyren": "W32/VBKrypt.SQ.gen!Eldorado"
  161.  
  162.  
  163. "Microsoft": "Trojan:Win32/Fuerboos.C!cl"
  164.  
  165.  
  166. "AhnLab-V3": "Trojan/Win32.VBKrypt.R290013"
  167.  
  168.  
  169. "Acronis": "suspicious"
  170.  
  171.  
  172. "MAX": "malware (ai score=84)"
  173.  
  174.  
  175. "Malwarebytes": "Trojan.MalPack.VB.Generic"
  176.  
  177.  
  178. "ESET-NOD32": "a variant of Win32/Injector.EHPN"
  179.  
  180.  
  181. "Fortinet": "W32/GenKryptik.DRZR!tr"
  182.  
  183.  
  184. "CrowdStrike": "win/malicious_confidence_60% (D)"
  185.  
  186.  
  187.  
  188.  
  189. "Description": "Creates a copy of itself",
  190. "Details":
  191.  
  192. "copy": "C:\\Users\\user\\AppData\\Roaming\\Install\\Host.exe"
  193.  
  194.  
  195.  
  196.  
  197.  
  198. * Started Service:
  199.  
  200. * Mutexes:
  201. "-"
  202.  
  203.  
  204. * Modified Files:
  205. "C:\\Users\\user\\AppData\\Roaming\\Install\\Host.exe"
  206.  
  207.  
  208. * Deleted Files:
  209. "C:\\Users\\user\\AppData\\Roaming\\Install\\Host.exe"
  210.  
  211.  
  212. * Modified Registry Keys:
  213. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\windows",
  214. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\L501JP3X-C6PC-RH36-475X-RS2C2OQHHGS0",
  215. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Active Setup\\Installed Components\\L501JP3X-C6PC-RH36-475X-RS2C2OQHHGS0\\StubPath"
  216.  
  217.  
  218. * Deleted Registry Keys:
  219.  
  220. * DNS Communications:
  221.  
  222. * Domains:
  223.  
  224. * Network Communication - ICMP:
  225.  
  226. * Network Communication - HTTP:
  227.  
  228. * Network Communication - SMTP:
  229.  
  230. * Network Communication - Hosts:
  231.  
  232. "country_name": "Netherlands",
  233. "ip": "212.7.208.123",
  234. "inaddrarpa": "",
  235. "hostname": ""
  236.  
  237.  
  238.  
  239. * Network Communication - IRC: