Windows Analysis Report
1qP1OtArnx.exe

Overview

General Information

Sample name: 1qP1OtArnx.exe (renamed because the original name is a hash value)
Original sample name: de04bfb0017396977c37fedb18d30e174080c71d1e9e7e0054577ca0d8b1e5ce.exe
Analysis ID: 1447644
MD5: 979bfece223c27b05fcd7e99117e6d19
SHA1: 67962481e46a3ae4419a7d7f725d9bce35d1d37f
SHA256: de04bfb0017396977c37fedb18d30e174080c71d1e9e7e0054577ca0d8b1e5ce
Tags: exe
Infos:
Errors:
  • No process behavior to analyse as no analysis process or sample was found
  • Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.

Detection

NetWire
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected NetWire RAT
Yara detected Netwire RAT
Machine Learning detection for sample
PE file has nameless sections
Installs a raw input device (often for capturing keystrokes)
PE file contains an invalid checksum
PE file contains sections with non-standard names
Uses 32bit PE files
Yara detected Credential Stealer
Yara signature match

Classification

Name: NetWire RC, NetWire
Description: Netwire is a RAT; its functionality seems focused on password stealing and keylogging, but includes remote control capabilities as well. Keylog files are stored on the infected machine in an obfuscated form. The algorithm is:
  for i in range(0, num_read): buffer[i] = ((buffer[i] - 0x24) ^ 0x9D) & 0xFF
Attribution:
  • APT33
Blogpost URLs: (none)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.netwire
No configs have been found
Yara matches (Source; Rule; Description; Author; Strings):
Source: 1qP1OtArnx.exe; Rule: JoeSecurity_NetWire_1; Description: Yara detected NetWire RAT; Author: Joe Security
Source: 1qP1OtArnx.exe; Rule: JoeSecurity_CredentialStealer; Description: Yara detected Credential Stealer; Author: Joe Security
Source: 1qP1OtArnx.exe; Rule: JoeSecurity_Netwire; Description: Yara detected Netwire RAT; Author: Joe Security
Source: 1qP1OtArnx.exe; Rule: Windows_Trojan_Netwire_6a7df287; Description: unknown; Author: unknown; Strings:
  • 0x532d:$a: 0F B6 74 0C 10 89 CF 29 C7 F7 C6 DF 00 00 00 74 09 41 89 F3 88 5C
Source: 1qP1OtArnx.exe; Rule: Windows_Trojan_Netwire_1b43df38; Description: unknown; Author: unknown; Strings:
  • 0x14674:$a1: [%.2d/%.2d/%d %.2d:%.2d:%.2d]
  • 0x142b6:$a2: \Login Data
  • 0x142e1:$a2: \Login Data
  • 0x1430e:$a2: \Login Data
        No Sigma rule has matched
        No Snort rule has matched

        AV Detection

Source: 1qP1OtArnx.exe; Avira: detected
Source: 1qP1OtArnx.exe; Virustotal: Detection: 68%
Source: 1qP1OtArnx.exe; ReversingLabs: Detection: 70%
Source: 1qP1OtArnx.exe; Joe Sandbox ML: detected
Source: 1qP1OtArnx.exe; Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: 1qP1OtArnx.exe; Binary or memory string: RegisterRawInputDevices

        System Summary

Source: 1qP1OtArnx.exe, type: SAMPLE; Matched rule: Windows_Trojan_Netwire_6a7df287 Author: unknown
Source: 1qP1OtArnx.exe, type: SAMPLE; Matched rule: Windows_Trojan_Netwire_1b43df38 Author: unknown
Source: 1qP1OtArnx.exe, type: SAMPLE; Matched rule: Detects credential stealer byed on many strings that indicate password store access Author: Florian Roth
Source: 1qP1OtArnx.exe, type: SAMPLE; Matched rule: Detects unspecified malware sample Author: Florian Roth
Source: 1qP1OtArnx.exe, type: SAMPLE; Matched rule: Detects NetWire RAT Author: Kevin Breen <kevin@techanarchy.net> & David Cannings
Source: 1qP1OtArnx.exe, type: SAMPLE; Matched rule: NetWiredRC Author: Jean-Philippe Teissier / @Jipe_
Source: 1qP1OtArnx.exe, type: SAMPLE; Matched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
Source: 1qP1OtArnx.exe; Static PE information: section name: (empty)
Source: 1qP1OtArnx.exe; Static PE information: section name: (empty)
Source: 1qP1OtArnx.exe; Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: 1qP1OtArnx.exe, type: SAMPLE; Matched rule: Windows_Trojan_Netwire_6a7df287 reference_sample = e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Netwire, fingerprint = 85051a0b94da4388eaead4c4f4b2d16d4a5eb50c3c938b3daf5c299c9c12f1e6, id = 6a7df287-1656-4779-9a96-c0ab536ae86a, last_modified = 2021-08-23
Source: 1qP1OtArnx.exe, type: SAMPLE; Matched rule: Windows_Trojan_Netwire_1b43df38 reference_sample = e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Netwire, fingerprint = 4142ea14157939dc23b8d1f5d83182aef3a5877d2506722f7a2706b7cb475b76, id = 1b43df38-886e-4f58-954a-a09f30f19907, last_modified = 2021-08-23
Source: 1qP1OtArnx.exe, type: SAMPLE; Matched rule: CredentialStealer_Generic_Backdoor date = 2017-06-07, hash1 = edb2d039a57181acf95bd91b2a20bd9f1d66f3ece18506d4ad870ab65e568f2c, author = Florian Roth, description = Detects credential stealer byed on many strings that indicate password store access, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1qP1OtArnx.exe, type: SAMPLE; Matched rule: MAL_unspecified_Jan18_1 date = 2018-01-19, hash1 = f87879b29ff83616e9c9044bd5fb847cf5d2efdd2f01fc284d1a6ce7d464a417, author = Florian Roth, description = Detects unspecified malware sample, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1qP1OtArnx.exe, type: SAMPLE; Matched rule: RAT_NetWire date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net> & David Cannings, maltype = Remote Access Trojan, description = Detects NetWire RAT, reference = http://malwareconfig.com/stats/NetWire
Source: 1qP1OtArnx.exe, type: SAMPLE; Matched rule: NetWiredRC_B date = 2014-12-23, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = NetWiredRC, version = 1.1
Source: 1qP1OtArnx.exe, type: SAMPLE; Matched rule: netwire author = JPCERT/CC Incident Response Group, description = detect netwire in memory, rule_usage = memory scan, reference = internal research
Source: classification engine; Classification label: mal88.troj.winEXE@0/0@0/0
Source: 1qP1OtArnx.exe; Virustotal: Detection: 68%
Source: 1qP1OtArnx.exe; ReversingLabs: Detection: 70%
Source: 1qP1OtArnx.exe; Static PE information: real checksum: 0x24fba should be: 0x227f0
Source: 1qP1OtArnx.exe; Static PE information: section name: (empty)
Source: 1qP1OtArnx.exe; Static PE information: section name: (empty)
Source: 1qP1OtArnx.exe; Static PE information: section name: 8
Source: Yara match; File source: 1qP1OtArnx.exe, type: SAMPLE

        Remote Access Functionality

Source: Yara match; File source: 1qP1OtArnx.exe, type: SAMPLE
Source: Yara match; File source: 1qP1OtArnx.exe, type: SAMPLE

MITRE ATT&CK Matrix (tactic: technique):
Reconnaissance: Gather Victim Identity Information
Resource Development: Acquire Infrastructure
Initial Access: Valid Accounts
Execution: Windows Management Instrumentation
Persistence: Path Interception
Privilege Escalation: Path Interception
Defense Evasion: Direct Volume Access
Credential Access: Input Capture (11)
Discovery: System Service Discovery
Lateral Movement: Remote Services
Collection: Input Capture (11)
Command and Control: Data Obfuscation
Exfiltration: Exfiltration Over Other Network Medium
Impact: Abuse Accessibility Features
Antivirus results (Source; Detection; Scanner; Label):
1qP1OtArnx.exe; 69%; Virustotal
1qP1OtArnx.exe; 71%; ReversingLabs; Win32.Trojan.Ulise
1qP1OtArnx.exe; 100%; Avira; TR/Crypt.XPACK.Gen
1qP1OtArnx.exe; 100%; Joe Sandbox ML
No Antivirus matches
        No contacted domains info
        No contacted IP infos
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1447644
Start date and time: 2024-05-26 09:55:12 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 1m 40s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 0
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 1qP1OtArnx.exe (renamed because the original name is a hash value)
Original Sample Name: de04bfb0017396977c37fedb18d30e174080c71d1e9e7e0054577ca0d8b1e5ce.exe
Detection: MAL
Classification: mal88.troj.winEXE@0/0@0/0
Cookbook Comments:
• Found application associated with file extension: .exe
• Unable to launch sample, stop analysis
• No process behavior to analyse as no analysis process or sample was found
• Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.
No simulations
No context
No created / dropped files found
File type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit): 5.565168643178797
TrID:
• Win32 Executable (generic) a (10002005/4) 99.94%
• Win16/32 Executable Delphi generic (2074/23) 0.02%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: 1qP1OtArnx.exe
File size: 122'880 bytes
MD5: 979bfece223c27b05fcd7e99117e6d19
SHA1: 67962481e46a3ae4419a7d7f725d9bce35d1d37f
SHA256: de04bfb0017396977c37fedb18d30e174080c71d1e9e7e0054577ca0d8b1e5ce
SHA512: 818f0f83bf679d3b5ea785db992b6feecf1b429143e244f03fc9c0bb145e085b9872e371306d1d378c97bbbe17cff1b15b1eb5cdf720e583e8f7689095ba309e
SSDEEP: 3072:Gr/zIEyQIrPP+V4MrdN/086ibgqGWkca/:GrsEyQUPP0xFsYW/
TLSH: C5C3E819FA0BE0F2EE0E0D7161CBF6AF4B786920D864CE51DF840D43EA53D636219B95
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......V...............8.........d...!.......0....@..................................O........ ............................
Icon Hash: 90cececece8e8eb0
Entrypoint: 0x4021da
Entrypoint Section: (empty)
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
DLL Characteristics: NX_COMPAT
Time Stamp: 0x560EA2E9 [Fri Oct 2 15:29:45 2015 UTC]
TLS Callbacks: (none)
CLR (.Net) Version: (none)
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: eaf9915d2b5730c3717ea003bd93404a
        Instruction
        push ebp
        mov eax, 0000103Ch
        push edi
        push esi
        push ebx
        call 00007FEBC45093A1h
        sub esp, eax
        call 00007FEBC44FA69Ah
        lea ebp, dword ptr [esp+28h]
        call 00007FEBC450648Dh
        lea ebx, dword ptr [esp+2Ch]
        call 00007FEBC4505BE0h
        call 00007FEBC4503B2Bh
        call 00007FEBC4503289h
        call 00007FEBC450370Dh
        mov dword ptr [esp+2Ch], FFFFFFFFh
        mov eax, dword ptr [esp+2Ch]
        mov dword ptr [esp+08h], 00000004h
        mov dword ptr [esp+04h], ebp
        mov dword ptr [esp+28h], 00000000h
        mov dword ptr [esp], eax
        call 00007FEBC44FAD19h
        test al, al
        je 00007FEBC44F8DDFh
        mov edi, dword ptr [esp+28h]
        mov esi, dword ptr [esp+2Ch]
        mov dword ptr [esp+04h], edi
        mov dword ptr [esp], esi
        call 00007FEBC44F8C77h
        test al, al
        je 00007FEBC44F8CF2h
        lea eax, dword ptr [esp+30h]
        mov dword ptr [esp+08h], edi
        mov dword ptr [esp+04h], eax
        mov dword ptr [esp], esi
        call 00007FEBC44FACE5h
        test al, al
        je 00007FEBC44F8D9Ah
        mov esi, dword ptr [esp+28h]
        cmp esi, 00000FFFh
        jnbe 00007FEBC44F8D37h
        mov byte ptr [esp+esi+30h], 00000000h
        movzx edx, byte ptr [esp+30h]
        mov edi, dword ptr [esp+2Ch]
        mov dword ptr [esp+04h], edx
        mov dword ptr [esp], edi
        mov dword ptr [esp+1Ch], edx
        call 00007FEBC44F8C58h
        mov edx, dword ptr [esp+1Ch]
        test al, al
        jne 00007FEBC44F8D4Bh
Data directories (Name; Virtual Address; Virtual Size; Is in Section):
IMAGE_DIRECTORY_ENTRY_EXPORT; 0x0; 0x0; -
IMAGE_DIRECTORY_ENTRY_IMPORT; 0x1c000; 0x10fc; -
IMAGE_DIRECTORY_ENTRY_RESOURCE; 0x0; 0x0; -
IMAGE_DIRECTORY_ENTRY_EXCEPTION; 0x0; 0x0; -
IMAGE_DIRECTORY_ENTRY_SECURITY; 0x0; 0x0; -
IMAGE_DIRECTORY_ENTRY_BASERELOC; 0x0; 0x0; -
IMAGE_DIRECTORY_ENTRY_DEBUG; 0x0; 0x0; -
IMAGE_DIRECTORY_ENTRY_COPYRIGHT; 0x0; 0x0; -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR; 0x0; 0x0; -
IMAGE_DIRECTORY_ENTRY_TLS; 0x0; 0x0; -
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG; 0x0; 0x0; -
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT; 0x0; 0x0; -
IMAGE_DIRECTORY_ENTRY_IAT; 0x1c30c; 0x258; -
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT; 0x0; 0x0; -
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR; 0x0; 0x0; -
IMAGE_DIRECTORY_ENTRY_RESERVED; 0x0; 0x0; -
Sections:
Section 1
  Name: (empty)
  Virtual Address: 0x0
  Virtual Size: 0x4
  Raw Size: 0x1e000
  MD5: ae7d8d5c743c63e941cfd5a05c419182
  Xored PE: False
  ZLIB Complexity: 0.4224248293067227
  File Type: data
  Entropy: 5.588870519398314
  Characteristics: IMAGE_SCN_LNK_COMDAT
Section 2
  Name: (empty)
  Virtual Address: 0x10
  Virtual Size: 0x0
  Raw Size: 0x0
  MD5: d41d8cd98f00b204e9800998ecf8427e
  Xored PE: False
  ZLIB Complexity: 0
  File Type: empty
  Entropy: 0.0
  Characteristics: (none)
Section 3
  Name: 8
  Virtual Address: 0x6400
  Virtual Size: 0x2e00
  Raw Size: 0x21da
  MD5: f28db5a28d857ebe30a1bc2f4ee6fcdc
  Xored PE: False
  ZLIB Complexity: 0.5346180475421186
  File Type: data
  Entropy: 6.00062430488322
  Characteristics: IMAGE_SCN_LNK_INFO
Imports (DLL: imported functions):
ADVAPI32.DLL: CryptAcquireContextA, CryptCreateHash, CryptDestroyHash, CryptGetHashParam, CryptHashData, CryptReleaseContext, GetUserNameA, RegCloseKey, RegCreateKeyExA, RegDeleteKeyA, RegDeleteValueA, RegEnumKeyExA, RegEnumValueA, RegOpenKeyExA, RegQueryValueExA, RegSetValueExA
CRYPT32.DLL: CryptUnprotectData
GDI32.dll: BitBlt, CreateCompatibleBitmap, CreateCompatibleDC, DeleteDC, DeleteObject, GetDIBits, SelectObject
KERNEL32.dll: CloseHandle, CreateDirectoryA, CreateFileA, CreateMutexA, CreatePipe, CreateProcessA, CreateToolhelp32Snapshot, DeleteFileA, EnterCriticalSection, ExitProcess, FileTimeToSystemTime, FindClose, FindFirstFileA, FindNextFileA, FreeLibrary, GetCommandLineA, GetComputerNameA, GetCurrentProcessId, GetCurrentThreadId, GetDiskFreeSpaceExA, GetDriveTypeA, GetFileAttributesA, GetFileAttributesExA, GetLastError, GetLocalTime, GetLogicalDriveStringsA, GetModuleFileNameA, GetProcAddress, GetProcessTimes, GetStartupInfoA, GetSystemInfo, GetSystemTime, GetTickCount, GetVersionExA, GetVolumeInformationA, InitializeCriticalSection, LeaveCriticalSection, LoadLibraryA, LocalFree, MoveFileA, OpenProcess, PeekNamedPipe, Process32First, Process32Next, ReadFile, ReleaseMutex, ResumeThread, SetErrorMode, SetFileAttributesA, SetFilePointer, Sleep, TerminateProcess, WideCharToMultiByte, WriteFile
msvcrt.dll: _beginthreadex, _filelengthi64, _vscprintf, _vsnprintf, fclose, fflush, fgetpos, fgets, fopen, fread, free, fsetpos, fwrite, getenv, malloc, realloc, strlen
SHELL32.DLL: SHGetPathFromIDListA, SHGetSpecialFolderLocation
USER32.dll: CreateWindowExA, DefWindowProcA, DispatchMessageA, EnumWindows, GetDC, GetDesktopWindow, GetForegroundWindow, GetKeyNameTextA, GetKeyState, GetKeyboardState, GetMessageA, GetSystemMetrics, GetWindowTextA, IsWindowVisible, MapVirtualKeyA, PostQuitMessage, RegisterClassExA, ReleaseDC, SendMessageA, SetCursorPos, SetWindowTextA, ShowWindow, ToAscii, TranslateMessage, keybd_event, mouse_event
WS2_32.dll: WSACleanup, WSAGetLastError, WSAIoctl, WSAStartup, __WSAFDIsSet, closesocket, connect, gethostbyname, gethostname, htons, inet_ntoa, ioctlsocket, ntohs, recv, select, send, setsockopt, shutdown, socket
        No network behavior found
        No statistics
        No system behavior
        No disassembly