Windows Analysis Report
1qP1OtArnx.exe

Overview

General Information

Sample name: 1qP1OtArnx.exe
renamed because original name is a hash value
Original sample name: de04bfb0017396977c37fedb18d30e174080c71d1e9e7e0054577ca0d8b1e5ce.exe
Analysis ID: 1447644
MD5: 979bfece223c27b05fcd7e99117e6d19
SHA1: 67962481e46a3ae4419a7d7f725d9bce35d1d37f
SHA256: de04bfb0017396977c37fedb18d30e174080c71d1e9e7e0054577ca0d8b1e5ce
Tags: exe
Infos:
Errors
  • No process behavior to analyse as no analysis process or sample was found
  • Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.

Detection

NetWire
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected NetWire RAT
Yara detected Netwire RAT
Machine Learning detection for sample
PE file has nameless sections
Installs a raw input device (often for capturing keystrokes)
PE file contains an invalid checksum
PE file contains sections with non-standard names
Uses 32bit PE files
Yara detected Credential Stealer
Yara signature match

Classification

Name: NetWire RC, NetWire
Description: Netwire is a RAT, its functionality seems focused on password stealing and keylogging, but includes remote control capabilities as well. Keylog files are stored on the infected machine in an obfuscated form. The algorithm is: for i in range(0,num_read): buffer[i] = ((buffer[i]-0x24)^0x9D)&0xFF
Attribution:
  • APT33
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.netwire

AV Detection

Source: 1qP1OtArnx.exe Avira: detected
Source: 1qP1OtArnx.exe Virustotal: Detection: 68%
Source: 1qP1OtArnx.exe ReversingLabs: Detection: 70%
Source: 1qP1OtArnx.exe Joe Sandbox ML: detected
Source: 1qP1OtArnx.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: 1qP1OtArnx.exe Binary or memory string: RegisterRawInputDevices memstr_cdbdc4f6-f

System Summary

Source: 1qP1OtArnx.exe, type: SAMPLE Matched rule: Windows_Trojan_Netwire_6a7df287 Author: unknown
Source: 1qP1OtArnx.exe, type: SAMPLE Matched rule: Windows_Trojan_Netwire_1b43df38 Author: unknown
Source: 1qP1OtArnx.exe, type: SAMPLE Matched rule: Detects credential stealer byed on many strings that indicate password store access Author: Florian Roth
Source: 1qP1OtArnx.exe, type: SAMPLE Matched rule: Detects unspecified malware sample Author: Florian Roth
Source: 1qP1OtArnx.exe, type: SAMPLE Matched rule: Detects NetWire RAT Author: Kevin Breen <kevin@techanarchy.net> & David Cannings
Source: 1qP1OtArnx.exe, type: SAMPLE Matched rule: NetWiredRC Author: Jean-Philippe Teissier / @Jipe_
Source: 1qP1OtArnx.exe, type: SAMPLE Matched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
Source: 1qP1OtArnx.exe Static PE information: section name:
Source: 1qP1OtArnx.exe Static PE information: section name:
Source: 1qP1OtArnx.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: 1qP1OtArnx.exe, type: SAMPLE Matched rule: Windows_Trojan_Netwire_6a7df287 reference_sample = e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Netwire, fingerprint = 85051a0b94da4388eaead4c4f4b2d16d4a5eb50c3c938b3daf5c299c9c12f1e6, id = 6a7df287-1656-4779-9a96-c0ab536ae86a, last_modified = 2021-08-23
Source: 1qP1OtArnx.exe, type: SAMPLE Matched rule: Windows_Trojan_Netwire_1b43df38 reference_sample = e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Netwire, fingerprint = 4142ea14157939dc23b8d1f5d83182aef3a5877d2506722f7a2706b7cb475b76, id = 1b43df38-886e-4f58-954a-a09f30f19907, last_modified = 2021-08-23
Source: 1qP1OtArnx.exe, type: SAMPLE Matched rule: CredentialStealer_Generic_Backdoor date = 2017-06-07, hash1 = edb2d039a57181acf95bd91b2a20bd9f1d66f3ece18506d4ad870ab65e568f2c, author = Florian Roth, description = Detects credential stealer byed on many strings that indicate password store access, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1qP1OtArnx.exe, type: SAMPLE Matched rule: MAL_unspecified_Jan18_1 date = 2018-01-19, hash1 = f87879b29ff83616e9c9044bd5fb847cf5d2efdd2f01fc284d1a6ce7d464a417, author = Florian Roth, description = Detects unspecified malware sample, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1qP1OtArnx.exe, type: SAMPLE Matched rule: RAT_NetWire date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net> & David Cannings, maltype = Remote Access Trojan, description = Detects NetWire RAT, reference = http://malwareconfig.com/stats/NetWire
Source: 1qP1OtArnx.exe, type: SAMPLE Matched rule: NetWiredRC_B date = 2014-12-23, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = NetWiredRC, version = 1.1
Source: 1qP1OtArnx.exe, type: SAMPLE Matched rule: netwire author = JPCERT/CC Incident Response Group, description = detect netwire in memory, rule_usage = memory scan, reference = internal research
Source: classification engine Classification label: mal88.troj.winEXE@0/0@0/0
Source: 1qP1OtArnx.exe Virustotal: Detection: 68%
Source: 1qP1OtArnx.exe ReversingLabs: Detection: 70%
Source: 1qP1OtArnx.exe Static PE information: real checksum: 0x24fba should be: 0x227f0
Source: 1qP1OtArnx.exe Static PE information: section name:
Source: 1qP1OtArnx.exe Static PE information: section name:
Source: 1qP1OtArnx.exe Static PE information: section name: 8
Source: Yara match File source: 1qP1OtArnx.exe, type: SAMPLE

Remote Access Functionality

Source: Yara match File source: 1qP1OtArnx.exe, type: SAMPLE
Source: Yara match File source: 1qP1OtArnx.exe, type: SAMPLE
No contacted IP infos