Windows Analysis Report: 1qP1OtArnx.exe
Overview
General Information
Sample name: | 1qP1OtArnx.exe (renamed because the original name is a hash value) |
Original sample name: | de04bfb0017396977c37fedb18d30e174080c71d1e9e7e0054577ca0d8b1e5ce.exe |
Analysis ID: | 1447644 |
MD5: | 979bfece223c27b05fcd7e99117e6d19 |
SHA1: | 67962481e46a3ae4419a7d7f725d9bce35d1d37f |
SHA256: | de04bfb0017396977c37fedb18d30e174080c71d1e9e7e0054577ca0d8b1e5ce |
Tags: | exe |
Detection
Score: | 88 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
NetWire RC, NetWire | NetWire is a RAT; its functionality seems focused on password stealing and keylogging, but it includes remote control capabilities as well. Keylog files are stored on the infected machine in an obfuscated form. The algorithm is: for i in range(0,num_read): buffer[i] = ((buffer[i]-0x24)^0x9D)&0xFF | | | |
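The keylog de-obfuscation quoted in the classification above, carried through as a working decoder. This is an added example written for this report, not NetWire's own code and not anything from Joe Sandbox: the decode rule is the one the classification text gives, the inverse transform and the printable-ratio check are additions, and the keylog content below is a constructed fixture, not data recovered from this sample.

```python
"""Decode a NetWire keylog file.

The classification text gives the obfuscation as
    buffer[i] = ((buffer[i] - 0x24) ^ 0x9D) & 0xFF
which is a fixed, position-independent byte substitution: the whole file
decodes with one 256-byte translation table and the transform inverts exactly.
Run:  python netwire_keylog.py <keylog file>
"""
import sys

SUB, XOR = 0x24, 0x9D

# Decode table built straight from the published formula, plus its inverse so a
# test fixture can be produced without a real infection.  The formula is a
# bijection on bytes (subtract mod 256, then XOR), so .index() is total.
DECODE_TABLE = bytes(((b - SUB) ^ XOR) & 0xFF for b in range(256))
ENCODE_TABLE = bytes(DECODE_TABLE.index(b) for b in range(256))


def decode_keylog(data: bytes) -> bytes:
    """Apply NetWire's keylog de-obfuscation to a whole buffer."""
    return data.translate(DECODE_TABLE)


def encode_keylog(data: bytes) -> bytes:
    """Inverse transform, ((p ^ 0x9D) + 0x24) & 0xFF; used only to build test data."""
    return data.translate(ENCODE_TABLE)


def printable_ratio(data: bytes) -> float:
    """Share of bytes that are printable ASCII or tab/CR/LF.  A genuine keylog
    decodes to almost entirely such bytes, so a low ratio after decoding means
    the file is not a NetWire keylog or this variant uses different constants."""
    if not data:
        return 0.0
    ok = sum(1 for b in data if 0x20 <= b < 0x7F or b in (0x09, 0x0A, 0x0D))
    return ok / len(data)


# Constructed fixture (not captured from any victim): a plausible keylog in the
# clear, and the same bytes as NetWire would store them on disk.
SAMPLE_PLAINTEXT = b"[Notepad] hello world\r\n[Chrome] user@example.com\tPassw0rd!\r\n"
SAMPLE_ENCODED = encode_keylog(SAMPLE_PLAINTEXT)


def main(argv):
    raw = open(argv[1], "rb").read() if len(argv) > 1 else SAMPLE_ENCODED
    clear = decode_keylog(raw)
    print("printable ratio after decode: %.2f" % printable_ratio(clear), file=sys.stderr)
    sys.stdout.buffer.write(clear)


if __name__ == "__main__":
    main(sys.argv)
```

Note that the obfuscation is not a cipher: there is no key material, so any keylog written by a build using these constants decodes offline with the table above, and the printable ratio is the only check needed to tell a hit from a miss.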
Rule | Description | Author | Strings |
---|---|---|---|
JoeSecurity_NetWire_1 | Yara detected NetWire RAT | Joe Security | |
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
JoeSecurity_Netwire | Yara detected Netwire RAT | Joe Security | |
Windows_Trojan_Netwire_6a7df287 | unknown | unknown | |
Windows_Trojan_Netwire_1b43df38 | unknown | unknown | |
AV Detection |
---|
Source: Avira |
Source: Virustotal (Perma Link) |
Source: ReversingLabs |
Source: Joe Sandbox ML |
Source: Static PE information |
Source: Binary or memory string (memstr_cdbdc4f6-f) |
System Summary |
---|
Source: Matched rule (14 hits) |
Source: Static PE information (7 hits) |
Source: Classification label |
Source: Virustotal |
Source: ReversingLabs |
Source: File source |
Remote Access Functionality |
---|
Source: File source (2 hits) |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | Path Interception | Path Interception | Direct Volume Access | 11 Input Capture | System Service Discovery | Remote Services | 11 Input Capture | Data Obfuscation | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Detection | Scanner | Label | Link |
---|---|---|---|
69% | Virustotal | | Browse |
71% | ReversingLabs | Win32.Trojan.Ulise | |
100% | Avira | TR/Crypt.XPACK.Gen | |
100% | Joe Sandbox ML | | |
Joe Sandbox version: | 40.0.0 Tourmaline |
Analysis ID: | 1447644 |
Start date and time: | 2024-05-26 09:55:12 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 1m 40s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of new started processes analysed: | 0 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | 1qP1OtArnx.exe (renamed because the original name is a hash value) |
Original Sample Name: | de04bfb0017396977c37fedb18d30e174080c71d1e9e7e0054577ca0d8b1e5ce.exe |
Detection: | MAL |
Classification: | mal88.troj.winEXE@0/0@0/0 |
Cookbook Comments: |
- No process behavior to analyse as no analysis process or sample was found
- Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.

That message is the text of ERROR_BAD_EXE_FORMAT, returned by CreateProcess when the loader refuses an image, so the run produced no process, file, registry or network activity. The score of 88 and the classification above therefore rest entirely on static evidence: the AV and ML verdicts, the Yara matches against the file, and the PE metadata and import table listed below.
File type: | |
Entropy (8bit): | 5.565168643178797 |
TrID: | |
File name: | 1qP1OtArnx.exe |
File size: | 122'880 bytes |
MD5: | 979bfece223c27b05fcd7e99117e6d19 |
SHA1: | 67962481e46a3ae4419a7d7f725d9bce35d1d37f |
SHA256: | de04bfb0017396977c37fedb18d30e174080c71d1e9e7e0054577ca0d8b1e5ce |
SHA512: | 818f0f83bf679d3b5ea785db992b6feecf1b429143e244f03fc9c0bb145e085b9872e371306d1d378c97bbbe17cff1b15b1eb5cdf720e583e8f7689095ba309e |
SSDEEP: | 3072:Gr/zIEyQIrPP+V4MrdN/086ibgqGWkca/:GrsEyQUPP0xFsYW/ |
TLSH: | C5C3E819FA0BE0F2EE0E0D7161CBF6AF4B786920D864CE51DF840D43EA53D636219B95 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......V...............8.........d...!.......0....@..................................O........ ............................ |
Icon Hash: | 90cececece8e8eb0 |
Entrypoint: | 0x4021da |
Entrypoint Section: | |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED |
DLL Characteristics: | NX_COMPAT |
Time Stamp: | 0x560EA2E9 [Fri Oct 2 15:29:45 2015 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | eaf9915d2b5730c3717ea003bd93404a |
Instruction |
---|
push ebp |
mov eax, 0000103Ch |
push edi |
push esi |
push ebx |
call 00007FEBC45093A1h |
sub esp, eax |
call 00007FEBC44FA69Ah |
lea ebp, dword ptr [esp+28h] |
call 00007FEBC450648Dh |
lea ebx, dword ptr [esp+2Ch] |
call 00007FEBC4505BE0h |
call 00007FEBC4503B2Bh |
call 00007FEBC4503289h |
call 00007FEBC450370Dh |
mov dword ptr [esp+2Ch], FFFFFFFFh |
mov eax, dword ptr [esp+2Ch] |
mov dword ptr [esp+08h], 00000004h |
mov dword ptr [esp+04h], ebp |
mov dword ptr [esp+28h], 00000000h |
mov dword ptr [esp], eax |
call 00007FEBC44FAD19h |
test al, al |
je 00007FEBC44F8DDFh |
mov edi, dword ptr [esp+28h] |
mov esi, dword ptr [esp+2Ch] |
mov dword ptr [esp+04h], edi |
mov dword ptr [esp], esi |
call 00007FEBC44F8C77h |
test al, al |
je 00007FEBC44F8CF2h |
lea eax, dword ptr [esp+30h] |
mov dword ptr [esp+08h], edi |
mov dword ptr [esp+04h], eax |
mov dword ptr [esp], esi |
call 00007FEBC44FACE5h |
test al, al |
je 00007FEBC44F8D9Ah |
mov esi, dword ptr [esp+28h] |
cmp esi, 00000FFFh |
jnbe 00007FEBC44F8D37h |
mov byte ptr [esp+esi+30h], 00000000h |
movzx edx, byte ptr [esp+30h] |
mov edi, dword ptr [esp+2Ch] |
mov dword ptr [esp+04h], edx |
mov dword ptr [esp], edi |
mov dword ptr [esp+1Ch], edx |
call 00007FEBC44F8C58h |
mov edx, dword ptr [esp+1Ch] |
test al, al |
jne 00007FEBC44F8D4Bh |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1c000 | 0x10fc | |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1c30c | 0x258 | |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
| 0x0 | 0x4 | 0x1e000 | ae7d8d5c743c63e941cfd5a05c419182 | False | 0.4224248293067227 | data | 5.588870519398314 | IMAGE_SCN_LNK_COMDAT |
| 0x10 | 0x0 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | |
8 | 0x6400 | 0x2e00 | 0x21da | f28db5a28d857ebe30a1bc2f4ee6fcdc | False | 0.5346180475421186 | data | 6.00062430488322 | IMAGE_SCN_LNK_INFO |

This is not the section table of a loadable image. The first entry claims a raw size of 0x1e000, the whole 122'880-byte file, at virtual address 0 (inside the headers) and carries IMAGE_SCN_LNK_COMDAT, a flag that only exists in COFF object files; the second has an unaligned virtual address of 0x10 and no data; the third carries IMAGE_SCN_LNK_INFO, likewise object-file-only, at an unaligned address. The entry point RVA 0x21da (0x4021da minus the image base 0x400000) lies outside the virtual range of all three, which is why the Entrypoint Section field above is empty. This is consistent with the cookbook comment that the loader rejected the file as not a valid Win32 application, and means the import table below was read from a file that Windows itself would not map.
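The cookbook comment ("%1 is not a valid Win32 application") and the section table just above say the same thing: the file is not a loadable image. The following added example (not Joe Sandbox code and not the Windows loader) applies the structural checks a loader applies, first to a constructed well-formed PE32 and then to a constructed file whose section headers carry the virtual addresses, sizes, flags and entry point this report lists. The raw-data offsets in that second file are an assumption, since the report does not give them, and the `build_pe` helper exists only to produce test input.

```python
"""Loader-style sanity check of PE headers.  Added example, not Joe Sandbox or
Windows code: when a sandbox starts 0 processes and reports "%1 is not a valid
Win32 application", confirm the file is malformed before trusting a verdict
built only on static evidence.  Run:  python pe_sanity.py <file.exe>"""
import struct
import sys

# Section flags only meaningful in COFF object files; in an image they mean
# corruption or a section table read from the wrong offset.
IMAGE_SCN_LNK_INFO = 0x00000200
IMAGE_SCN_LNK_COMDAT = 0x00001000
OBJECT_ONLY_FLAGS = IMAGE_SCN_LNK_INFO | IMAGE_SCN_LNK_COMDAT
OPT_FMT = "<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII"  # PE32 optional header, 96 bytes
SECT_FMT = "<8sIIIIIIHHI"                    # IMAGE_SECTION_HEADER, 40 bytes


def check_pe(data: bytes) -> list:
    """Return findings as strings; an empty list means the headers are plausible."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return ["no MZ signature"]
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return ["no PE signature at e_lfanew=0x%x" % e_lfanew]
    coff = e_lfanew + 4
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if opt_size < 96 or opt + opt_size + 40 * nsections > len(data):
        return ["optional header or section table runs past end of file"]
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):
        return ["unknown optional header magic 0x%x" % magic]
    # These three fields sit at the same offsets in PE32 and PE32+.
    (entry,) = struct.unpack_from("<I", data, opt + 16)
    (sect_align,) = struct.unpack_from("<I", data, opt + 32)
    (size_of_headers,) = struct.unpack_from("<I", data, opt + 60)
    findings, entry_section = [], None
    for i in range(nsections):
        hdr = struct.unpack_from(SECT_FMT, data, opt + opt_size + 40 * i)
        name, vsize, va, raw_size, raw_ptr, chars = hdr[0], hdr[1], hdr[2], hdr[3], hdr[4], hdr[9]
        label = "section %d %r" % (i, name.rstrip(b"\0"))
        if raw_size and raw_ptr + raw_size > len(data):
            findings.append("%s: raw data [0x%x, 0x%x) runs past end of file (0x%x)"
                            % (label, raw_ptr, raw_ptr + raw_size, len(data)))
        if va < size_of_headers:
            findings.append("%s: VA 0x%x overlaps the headers" % (label, va))
        if sect_align and va % sect_align:
            findings.append("%s: VA 0x%x not aligned to SectionAlignment 0x%x" % (label, va, sect_align))
        if chars & OBJECT_ONLY_FLAGS:
            findings.append("%s: object-file-only flags 0x%x" % (label, chars & OBJECT_ONLY_FLAGS))
        if va <= entry < va + (vsize or raw_size):   # the range the loader maps
            entry_section = label
    if entry_section is None:
        findings.append("AddressOfEntryPoint 0x%x lies in no section" % entry)
    return findings


def build_pe(sections, entry, file_size=None):
    """Constructed minimal PE32 from (name, va, vsize, raw_size, flags) tuples; test
    input only.  file_size truncates/pads so a section can point past the end."""
    align = lambda n, a: (n + a - 1) // a * a
    size_of_headers = align(64 + 4 + 20 + 96 + 128 + 40 * len(sections), 0x200)
    raw_ptr, sect_hdrs, body, image_end = size_of_headers, b"", b"", 0
    for name, va, vsize, raw_size, chars in sections:
        sect_hdrs += struct.pack(SECT_FMT, name, vsize, va, raw_size, raw_ptr, 0, 0, 0, 0, chars)
        body += b"\x90" * raw_size
        raw_ptr += raw_size
        image_end = max(image_end, va + (vsize or raw_size))
    dos = b"MZ" + bytes(58) + struct.pack("<I", 64)          # e_lfanew at 0x3C
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 96 + 128, 0x0102)
    opt = struct.pack(OPT_FMT, 0x10B, 0, 0, 0, 0, 0, entry, 0, 0, 0x400000, 0x1000, 0x200,
                      4, 0, 0, 0, 4, 0, 0, align(image_end, 0x1000), size_of_headers, 0, 2, 0,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16) + bytes(128)
    out = (dos + b"PE\0\0" + coff + opt + sect_hdrs).ljust(size_of_headers, b"\0") + body
    if file_size is not None:
        out = out[:file_size].ljust(file_size, b"\0")
    return out


# Constructed inputs.  BAD_PE copies the section names, addresses, sizes and
# flags, the entry RVA 0x21da and the 122'880-byte file size from this report;
# its raw-data offsets are an assumption, the report does not list them.
GOOD_PE = build_pe([(b".text", 0x1000, 0x200, 0x200, 0x60000020)], entry=0x1010)
REPORTED_SECTIONS = [(b"", 0x0, 0x4, 0x1E000, IMAGE_SCN_LNK_COMDAT),
                     (b"", 0x10, 0x0, 0x0, 0),
                     (b"8", 0x6400, 0x2E00, 0x21DA, IMAGE_SCN_LNK_INFO)]
BAD_PE = build_pe(REPORTED_SECTIONS, entry=0x21DA, file_size=122880)

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else BAD_PE
    for finding in check_pe(blob) or ["headers look plausible"]:
        print(finding)
```

Run against the constructed copy of this report's section layout, the checker flags raw data past the end of the file, sections overlapping the headers, unaligned section addresses, object-file-only flags and an entry point outside every section; a clean PE32 produces no findings. The checks are deliberately the cheap structural ones, so a sample that passes them can still fail to load for other reasons (bad imports, a missing subsystem DLL), but one that fails them will never run in a sandbox and its verdict has to be read as static-only.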
DLL | Import |
---|---|
ADVAPI32.DLL | CryptAcquireContextA, CryptCreateHash, CryptDestroyHash, CryptGetHashParam, CryptHashData, CryptReleaseContext, GetUserNameA, RegCloseKey, RegCreateKeyExA, RegDeleteKeyA, RegDeleteValueA, RegEnumKeyExA, RegEnumValueA, RegOpenKeyExA, RegQueryValueExA, RegSetValueExA |
CRYPT32.DLL | CryptUnprotectData |
GDI32.dll | BitBlt, CreateCompatibleBitmap, CreateCompatibleDC, DeleteDC, DeleteObject, GetDIBits, SelectObject |
KERNEL32.dll | CloseHandle, CreateDirectoryA, CreateFileA, CreateMutexA, CreatePipe, CreateProcessA, CreateToolhelp32Snapshot, DeleteFileA, EnterCriticalSection, ExitProcess, FileTimeToSystemTime, FindClose, FindFirstFileA, FindNextFileA, FreeLibrary, GetCommandLineA, GetComputerNameA, GetCurrentProcessId, GetCurrentThreadId, GetDiskFreeSpaceExA, GetDriveTypeA, GetFileAttributesA, GetFileAttributesExA, GetLastError, GetLocalTime, GetLogicalDriveStringsA, GetModuleFileNameA, GetProcAddress, GetProcessTimes, GetStartupInfoA, GetSystemInfo, GetSystemTime, GetTickCount, GetVersionExA, GetVolumeInformationA, InitializeCriticalSection, LeaveCriticalSection, LoadLibraryA, LocalFree, MoveFileA, OpenProcess, PeekNamedPipe, Process32First, Process32Next, ReadFile, ReleaseMutex, ResumeThread, SetErrorMode, SetFileAttributesA, SetFilePointer, Sleep, TerminateProcess, WideCharToMultiByte, WriteFile |
msvcrt.dll | _beginthreadex, _filelengthi64, _vscprintf, _vsnprintf, fclose, fflush, fgetpos, fgets, fopen, fread, free, fsetpos, fwrite, getenv, malloc, realloc, strlen |
SHELL32.DLL | SHGetPathFromIDListA, SHGetSpecialFolderLocation |
USER32.dll | CreateWindowExA, DefWindowProcA, DispatchMessageA, EnumWindows, GetDC, GetDesktopWindow, GetForegroundWindow, GetKeyNameTextA, GetKeyState, GetKeyboardState, GetMessageA, GetSystemMetrics, GetWindowTextA, IsWindowVisible, MapVirtualKeyA, PostQuitMessage, RegisterClassExA, ReleaseDC, SendMessageA, SetCursorPos, SetWindowTextA, ShowWindow, ToAscii, TranslateMessage, keybd_event, mouse_event |
WS2_32.dll | WSACleanup, WSAGetLastError, WSAIoctl, WSAStartup, __WSAFDIsSet, closesocket, connect, gethostbyname, gethostname, htons, inet_ntoa, ioctlsocket, ntohs, recv, select, send, setsockopt, shutdown, socket |

The import table corroborates the NetWire classification without any execution. GetKeyboardState, GetKeyState, MapVirtualKeyA, ToAscii and GetKeyNameTextA together with GetForegroundWindow and GetWindowTextA are the building blocks of a keylogger that records the active window title; BitBlt, CreateCompatibleBitmap, CreateCompatibleDC and GetDIBits capture the screen; CryptUnprotectData is the DPAPI decryption call used to recover credentials stored by browsers and mail clients, matching the Credential Stealer Yara hit; keybd_event, mouse_event and SetCursorPos give an operator remote input control; CreatePipe with CreateProcessA and PeekNamedPipe is the usual pattern for a remote shell; the RegCreateKeyExA/RegSetValueExA writes are consistent with registry persistence; and WS2_32 supplies the C2 socket. The CryptAcquireContextA/CryptHashData family and the mutex, process-enumeration and drive-enumeration calls round out the typical RAT profile.