Windows Analysis Report
KnegJ4k3ic.exe

Overview

General Information

Sample name: KnegJ4k3ic.exe
renamed because original name is a hash value
Original sample name: 19be771df58a8532ef07a64a4029aa4333570a5e33e069ede44338b1357e3ab8.exe
Analysis ID: 1447646
MD5: f4c685e8efa4c2687d38dacfd2db5884
SHA1: 3736518825f316f5fe96edce0620cdb3ca2c4f05
SHA256: 19be771df58a8532ef07a64a4029aa4333570a5e33e069ede44338b1357e3ab8
Tags: exe
Infos:
Errors
  • No process behavior to analyse as no analysis process or sample was found
  • Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.

Detection

NetWire
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected NetWire RAT
Yara detected Netwire RAT
Machine Learning detection for sample
PE file has nameless sections
Installs a raw input device (often for capturing keystrokes)
PE file contains an invalid checksum
PE file contains sections with non-standard names
Uses 32bit PE files
Yara detected Credential Stealer
Yara signature match

Classification

Name: NetWire RC, NetWire
Description: Netwire is a RAT, its functionality seems focused on password stealing and keylogging, but includes remote control capabilities as well. Keylog files are stored on the infected machine in an obfuscated form. The algorithm is: for i in range(0,num_read): buffer[i] = ((buffer[i]-0x24)^0x9D)&0xFF
Attribution:
  • APT33
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.netwire

AV Detection

Source: KnegJ4k3ic.exe Avira: detected
Source: KnegJ4k3ic.exe ReversingLabs: Detection: 75%
Source: KnegJ4k3ic.exe Virustotal: Detection: 70%
Source: KnegJ4k3ic.exe Joe Sandbox ML: detected
Source: KnegJ4k3ic.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: KnegJ4k3ic.exe Binary or memory string: RegisterRawInputDevices memstr_d9b5f199-b

System Summary

Source: KnegJ4k3ic.exe, type: SAMPLE Matched rule: Windows_Trojan_Netwire_6a7df287 Author: unknown
Source: KnegJ4k3ic.exe, type: SAMPLE Matched rule: Windows_Trojan_Netwire_1b43df38 Author: unknown
Source: KnegJ4k3ic.exe, type: SAMPLE Matched rule: Detects credential stealer byed on many strings that indicate password store access Author: Florian Roth
Source: KnegJ4k3ic.exe, type: SAMPLE Matched rule: Detects unspecified malware sample Author: Florian Roth
Source: KnegJ4k3ic.exe, type: SAMPLE Matched rule: Detects NetWire RAT Author: Kevin Breen <kevin@techanarchy.net> & David Cannings
Source: KnegJ4k3ic.exe, type: SAMPLE Matched rule: NetWiredRC Author: Jean-Philippe Teissier / @Jipe_
Source: KnegJ4k3ic.exe, type: SAMPLE Matched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
Source: KnegJ4k3ic.exe Static PE information: section name:
Source: KnegJ4k3ic.exe Static PE information: section name:
Source: KnegJ4k3ic.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: KnegJ4k3ic.exe, type: SAMPLE Matched rule: Windows_Trojan_Netwire_6a7df287 reference_sample = e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Netwire, fingerprint = 85051a0b94da4388eaead4c4f4b2d16d4a5eb50c3c938b3daf5c299c9c12f1e6, id = 6a7df287-1656-4779-9a96-c0ab536ae86a, last_modified = 2021-08-23
Source: KnegJ4k3ic.exe, type: SAMPLE Matched rule: Windows_Trojan_Netwire_1b43df38 reference_sample = e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Netwire, fingerprint = 4142ea14157939dc23b8d1f5d83182aef3a5877d2506722f7a2706b7cb475b76, id = 1b43df38-886e-4f58-954a-a09f30f19907, last_modified = 2021-08-23
Source: KnegJ4k3ic.exe, type: SAMPLE Matched rule: CredentialStealer_Generic_Backdoor date = 2017-06-07, hash1 = edb2d039a57181acf95bd91b2a20bd9f1d66f3ece18506d4ad870ab65e568f2c, author = Florian Roth, description = Detects credential stealer byed on many strings that indicate password store access, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: KnegJ4k3ic.exe, type: SAMPLE Matched rule: MAL_unspecified_Jan18_1 date = 2018-01-19, hash1 = f87879b29ff83616e9c9044bd5fb847cf5d2efdd2f01fc284d1a6ce7d464a417, author = Florian Roth, description = Detects unspecified malware sample, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: KnegJ4k3ic.exe, type: SAMPLE Matched rule: RAT_NetWire date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net> & David Cannings, maltype = Remote Access Trojan, description = Detects NetWire RAT, reference = http://malwareconfig.com/stats/NetWire
Source: KnegJ4k3ic.exe, type: SAMPLE Matched rule: NetWiredRC_B date = 2014-12-23, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = NetWiredRC, version = 1.1
Source: KnegJ4k3ic.exe, type: SAMPLE Matched rule: netwire author = JPCERT/CC Incident Response Group, description = detect netwire in memory, rule_usage = memory scan, reference = internal research
Source: classification engine Classification label: mal88.troj.winEXE@0/0@0/0
Source: KnegJ4k3ic.exe ReversingLabs: Detection: 75%
Source: KnegJ4k3ic.exe Virustotal: Detection: 70%
Source: KnegJ4k3ic.exe Static PE information: real checksum: 0x24fba should be: 0x2157f
Source: KnegJ4k3ic.exe Static PE information: section name:
Source: KnegJ4k3ic.exe Static PE information: section name:
Source: KnegJ4k3ic.exe Static PE information: section name: 8
Source: Yara match File source: KnegJ4k3ic.exe, type: SAMPLE

Remote Access Functionality

Source: Yara match File source: KnegJ4k3ic.exe, type: SAMPLE
Source: Yara match File source: KnegJ4k3ic.exe, type: SAMPLE
No contacted IP infos