Windows Analysis Report
KnegJ4k3ic.exe

Overview

General Information

Sample name:KnegJ4k3ic.exe
renamed because original name is a hash value
Original sample name:19be771df58a8532ef07a64a4029aa4333570a5e33e069ede44338b1357e3ab8.exe
Analysis ID:1447646
MD5:f4c685e8efa4c2687d38dacfd2db5884
SHA1:3736518825f316f5fe96edce0620cdb3ca2c4f05
SHA256:19be771df58a8532ef07a64a4029aa4333570a5e33e069ede44338b1357e3ab8
Tags:exe
Infos:
Errors
  • No process behavior to analyse as no analysis process or sample was found
  • Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.

Detection

NetWire
Score:88
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected NetWire RAT
Yara detected Netwire RAT
Machine Learning detection for sample
PE file has nameless sections
Installs a raw input device (often for capturing keystrokes)
PE file contains an invalid checksum
PE file contains sections with non-standard names
Uses 32bit PE files
Yara detected Credential Stealer
Yara signature match

Classification

Name: NetWire RC, NetWire
Description: NetWire is a RAT; its functionality seems focused on password stealing and keylogging, but it includes remote control capabilities as well. Keylog files are stored on the infected machine in an obfuscated form. The algorithm is: for i in range(0,num_read): buffer[i] = ((buffer[i]-0x24)^0x9D)&0xFF
Attribution:
  • APT33
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.netwire
No configs have been found
Source | Rule | Description | Author | Strings
KnegJ4k3ic.exe | JoeSecurity_NetWire_1 | Yara detected NetWire RAT | Joe Security |
KnegJ4k3ic.exe | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
KnegJ4k3ic.exe | JoeSecurity_Netwire | Yara detected Netwire RAT | Joe Security |
KnegJ4k3ic.exe | Windows_Trojan_Netwire_6a7df287 | unknown | unknown |
  • 0x532d:$a: 0F B6 74 0C 10 89 CF 29 C7 F7 C6 DF 00 00 00 74 09 41 89 F3 88 5C
KnegJ4k3ic.exe | Windows_Trojan_Netwire_1b43df38 | unknown | unknown |
  • 0x14674:$a1: [%.2d/%.2d/%d %.2d:%.2d:%.2d]
  • 0x142b6:$a2: \Login Data
  • 0x142e1:$a2: \Login Data
  • 0x1430e:$a2: \Login Data
(5 further rule entries not expanded in this report extract)
        No Sigma rule has matched
        No Snort rule has matched

        AV Detection

Source: KnegJ4k3ic.exe | Avira: detected
Source: KnegJ4k3ic.exe | ReversingLabs: Detection: 75%
Source: KnegJ4k3ic.exe | Virustotal: Detection: 70%
Source: KnegJ4k3ic.exe | Joe Sandbox ML: detected
Source: KnegJ4k3ic.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: KnegJ4k3ic.exe | Binary or memory string: RegisterRawInputDevices (memstr_d9b5f199-b)

        System Summary

Source: KnegJ4k3ic.exe, type: SAMPLE | Matched rule: Windows_Trojan_Netwire_6a7df287 Author: unknown
Source: KnegJ4k3ic.exe, type: SAMPLE | Matched rule: Windows_Trojan_Netwire_1b43df38 Author: unknown
Source: KnegJ4k3ic.exe, type: SAMPLE | Matched rule: Detects credential stealer byed on many strings that indicate password store access Author: Florian Roth
Source: KnegJ4k3ic.exe, type: SAMPLE | Matched rule: Detects unspecified malware sample Author: Florian Roth
Source: KnegJ4k3ic.exe, type: SAMPLE | Matched rule: Detects NetWire RAT Author: Kevin Breen <kevin@techanarchy.net> & David Cannings
Source: KnegJ4k3ic.exe, type: SAMPLE | Matched rule: NetWiredRC Author: Jean-Philippe Teissier / @Jipe_
Source: KnegJ4k3ic.exe, type: SAMPLE | Matched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
Source: KnegJ4k3ic.exe | Static PE information: section name: (empty)
Source: KnegJ4k3ic.exe | Static PE information: section name: (empty)
Source: KnegJ4k3ic.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: KnegJ4k3ic.exe, type: SAMPLE | Matched rule: Windows_Trojan_Netwire_6a7df287 reference_sample = e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Netwire, fingerprint = 85051a0b94da4388eaead4c4f4b2d16d4a5eb50c3c938b3daf5c299c9c12f1e6, id = 6a7df287-1656-4779-9a96-c0ab536ae86a, last_modified = 2021-08-23
Source: KnegJ4k3ic.exe, type: SAMPLE | Matched rule: Windows_Trojan_Netwire_1b43df38 reference_sample = e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Netwire, fingerprint = 4142ea14157939dc23b8d1f5d83182aef3a5877d2506722f7a2706b7cb475b76, id = 1b43df38-886e-4f58-954a-a09f30f19907, last_modified = 2021-08-23
Source: KnegJ4k3ic.exe, type: SAMPLE | Matched rule: CredentialStealer_Generic_Backdoor date = 2017-06-07, hash1 = edb2d039a57181acf95bd91b2a20bd9f1d66f3ece18506d4ad870ab65e568f2c, author = Florian Roth, description = Detects credential stealer byed on many strings that indicate password store access, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: KnegJ4k3ic.exe, type: SAMPLE | Matched rule: MAL_unspecified_Jan18_1 date = 2018-01-19, hash1 = f87879b29ff83616e9c9044bd5fb847cf5d2efdd2f01fc284d1a6ce7d464a417, author = Florian Roth, description = Detects unspecified malware sample, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: KnegJ4k3ic.exe, type: SAMPLE | Matched rule: RAT_NetWire date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net> & David Cannings, maltype = Remote Access Trojan, description = Detects NetWire RAT, reference = http://malwareconfig.com/stats/NetWire
Source: KnegJ4k3ic.exe, type: SAMPLE | Matched rule: NetWiredRC_B date = 2014-12-23, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = NetWiredRC, version = 1.1
Source: KnegJ4k3ic.exe, type: SAMPLE | Matched rule: netwire author = JPCERT/CC Incident Response Group, description = detect netwire in memory, rule_usage = memory scan, reference = internal research
Source: classification engine | Classification label: mal88.troj.winEXE@0/0@0/0
Source: KnegJ4k3ic.exe | ReversingLabs: Detection: 75%
Source: KnegJ4k3ic.exe | Virustotal: Detection: 70%
Source: KnegJ4k3ic.exe | Static PE information: real checksum: 0x24fba, should be: 0x2157f
Source: KnegJ4k3ic.exe | Static PE information: section name: (empty)
Source: KnegJ4k3ic.exe | Static PE information: section name: (empty)
Source: KnegJ4k3ic.exe | Static PE information: section name: 8
Source: Yara match | File source: KnegJ4k3ic.exe, type: SAMPLE

        Remote Access Functionality

Source: Yara match | File source: KnegJ4k3ic.exe, type: SAMPLE
Source: Yara match | File source: KnegJ4k3ic.exe, type: SAMPLE

MITRE ATT&CK Matrix (tactic: technique)

Reconnaissance: Gather Victim Identity Information
Resource Development: Acquire Infrastructure
Initial Access: Valid Accounts
Execution: Windows Management Instrumentation
Persistence: Path Interception
Privilege Escalation: Path Interception
Defense Evasion: Direct Volume Access
Credential Access: 11 Input Capture
Discovery: System Service Discovery
Lateral Movement: Remote Services
Collection: 11 Input Capture
Command and Control: Data Obfuscation
Exfiltration: Exfiltration Over Other Network Medium
Impact: Abuse Accessibility Features
Source | Detection | Scanner | Label
KnegJ4k3ic.exe | 75% | ReversingLabs | Win32.Trojan.Ulise
KnegJ4k3ic.exe | 71% | Virustotal |
KnegJ4k3ic.exe | 100% | Avira | TR/Crypt.XPACK.Gen
KnegJ4k3ic.exe | 100% | Joe Sandbox ML |
        No Antivirus matches
        No contacted domains info
        No contacted IP infos
        Joe Sandbox version:40.0.0 Tourmaline
        Analysis ID:1447646
        Start date and time:2024-05-26 09:55:14 +02:00
        Joe Sandbox product:CloudBasic
        Overall analysis duration:0h 1m 45s
        Hypervisor based Inspection enabled:false
        Report type:full
        Cookbook file name:default.jbs
        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:1
        Number of new started drivers analysed:0
        Number of existing processes analysed:0
        Number of existing drivers analysed:0
        Number of injected processes analysed:0
        Technologies:
        • EGA enabled
        • AMSI enabled
        Analysis Mode:default
        Analysis stop reason:Timeout
        Sample name:KnegJ4k3ic.exe
        renamed because original name is a hash value
        Original Sample Name:19be771df58a8532ef07a64a4029aa4333570a5e33e069ede44338b1357e3ab8.exe
        Detection:MAL
        Classification:mal88.troj.winEXE@0/0@0/0
        Cookbook Comments:
        • Found application associated with file extension: .exe
        • Unable to launch sample, stop analysis
        • No process behavior to analyse as no analysis process or sample was found
        • Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.
        • Exclude process from analysis (whitelisted): dllhost.exe
        • Excluded domains from analysis (whitelisted): client.wns.windows.com
        No simulations
        No context
        No created / dropped files found
        File type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
        Entropy (8bit):5.564207499846026
        TrID:
        • Win32 Executable (generic) a (10002005/4) 99.94%
        • Win16/32 Executable Delphi generic (2074/23) 0.02%
        • Generic Win/DOS Executable (2004/3) 0.02%
        • DOS Executable Generic (2002/1) 0.02%
        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
        File name:KnegJ4k3ic.exe
        File size:122'880 bytes
        MD5:f4c685e8efa4c2687d38dacfd2db5884
        SHA1:3736518825f316f5fe96edce0620cdb3ca2c4f05
        SHA256:19be771df58a8532ef07a64a4029aa4333570a5e33e069ede44338b1357e3ab8
        SHA512:ccd7ac26823f9e6c590eb9d1898be410abda08fdc097f414f62bae1d09c67d734200a04a48335539bea54351448d820870c0b8da86b6e76361ea6fc3de251c93
        SSDEEP:3072:Gr/zIEyQIrPP+V4MrdN/086ibgqGWkSH4:GrsEyQUPP0xFsYN4
        TLSH:59C3E719FA0BE0F2EE0E1D7161CBF6AF4B786930D824CE51DF940D42EA53D636219B94
        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......V...............8.........d...!.......0....@..................................O........ ............................
        Icon Hash:00928e8e8686b000
        Entrypoint:0x4021da
        Entrypoint Section:
        Digitally signed:false
        Imagebase:0x400000
        Subsystem:windows gui
        Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
        DLL Characteristics:NX_COMPAT
        Time Stamp:0x560EA2E9 [Fri Oct 2 15:29:45 2015 UTC]
        TLS Callbacks:
        CLR (.Net) Version:
        OS Version Major:4
        OS Version Minor:0
        File Version Major:4
        File Version Minor:0
        Subsystem Version Major:4
        Subsystem Version Minor:0
        Import Hash:eaf9915d2b5730c3717ea003bd93404a
        Instruction
        push ebp
        mov eax, 0000103Ch
        push edi
        push esi
        push ebx
        call 00007FD568E45461h
        sub esp, eax
        call 00007FD568E3675Ah
        lea ebp, dword ptr [esp+28h]
        call 00007FD568E4254Dh
        lea ebx, dword ptr [esp+2Ch]
        call 00007FD568E41CA0h
        call 00007FD568E3FBEBh
        call 00007FD568E3F349h
        call 00007FD568E3F7CDh
        mov dword ptr [esp+2Ch], FFFFFFFFh
        mov eax, dword ptr [esp+2Ch]
        mov dword ptr [esp+08h], 00000004h
        mov dword ptr [esp+04h], ebp
        mov dword ptr [esp+28h], 00000000h
        mov dword ptr [esp], eax
        call 00007FD568E36DD9h
        test al, al
        je 00007FD568E34E9Fh
        mov edi, dword ptr [esp+28h]
        mov esi, dword ptr [esp+2Ch]
        mov dword ptr [esp+04h], edi
        mov dword ptr [esp], esi
        call 00007FD568E34D37h
        test al, al
        je 00007FD568E34DB2h
        lea eax, dword ptr [esp+30h]
        mov dword ptr [esp+08h], edi
        mov dword ptr [esp+04h], eax
        mov dword ptr [esp], esi
        call 00007FD568E36DA5h
        test al, al
        je 00007FD568E34E5Ah
        mov esi, dword ptr [esp+28h]
        cmp esi, 00000FFFh
        jnbe 00007FD568E34DF7h
        mov byte ptr [esp+esi+30h], 00000000h
        movzx edx, byte ptr [esp+30h]
        mov edi, dword ptr [esp+2Ch]
        mov dword ptr [esp+04h], edx
        mov dword ptr [esp], edi
        mov dword ptr [esp+1Ch], edx
        call 00007FD568E34D18h
        mov edx, dword ptr [esp+1Ch]
        test al, al
        jne 00007FD568E34E0Bh
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1c000 | 0x10fc |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1c30c | 0x258 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(empty) | 0x0 | 0x4 | 0x1e000 | 7fc15ff8b7bea22eb81a87935900499d | False | 0.42244944852941174 | data | 5.587899935128232 | IMAGE_SCN_LNK_COMDAT
(empty) | 0x10 | 0x0 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 |
8 | 0x6400 | 0x2e00 | 0x21da | f28db5a28d857ebe30a1bc2f4ee6fcdc | False | 0.5346180475421186 | data | 6.00062430488322 | IMAGE_SCN_LNK_INFO
DLL | Imports
ADVAPI32.DLL | CryptAcquireContextA, CryptCreateHash, CryptDestroyHash, CryptGetHashParam, CryptHashData, CryptReleaseContext, GetUserNameA, RegCloseKey, RegCreateKeyExA, RegDeleteKeyA, RegDeleteValueA, RegEnumKeyExA, RegEnumValueA, RegOpenKeyExA, RegQueryValueExA, RegSetValueExA
CRYPT32.DLL | CryptUnprotectData
GDI32.dll | BitBlt, CreateCompatibleBitmap, CreateCompatibleDC, DeleteDC, DeleteObject, GetDIBits, SelectObject
KERNEL32.dll | CloseHandle, CreateDirectoryA, CreateFileA, CreateMutexA, CreatePipe, CreateProcessA, CreateToolhelp32Snapshot, DeleteFileA, EnterCriticalSection, ExitProcess, FileTimeToSystemTime, FindClose, FindFirstFileA, FindNextFileA, FreeLibrary, GetCommandLineA, GetComputerNameA, GetCurrentProcessId, GetCurrentThreadId, GetDiskFreeSpaceExA, GetDriveTypeA, GetFileAttributesA, GetFileAttributesExA, GetLastError, GetLocalTime, GetLogicalDriveStringsA, GetModuleFileNameA, GetProcAddress, GetProcessTimes, GetStartupInfoA, GetSystemInfo, GetSystemTime, GetTickCount, GetVersionExA, GetVolumeInformationA, InitializeCriticalSection, LeaveCriticalSection, LoadLibraryA, LocalFree, MoveFileA, OpenProcess, PeekNamedPipe, Process32First, Process32Next, ReadFile, ReleaseMutex, ResumeThread, SetErrorMode, SetFileAttributesA, SetFilePointer, Sleep, TerminateProcess, WideCharToMultiByte, WriteFile
msvcrt.dll | _beginthreadex, _filelengthi64, _vscprintf, _vsnprintf, fclose, fflush, fgetpos, fgets, fopen, fread, free, fsetpos, fwrite, getenv, malloc, realloc, strlen
SHELL32.DLL | SHGetPathFromIDListA, SHGetSpecialFolderLocation
USER32.dll | CreateWindowExA, DefWindowProcA, DispatchMessageA, EnumWindows, GetDC, GetDesktopWindow, GetForegroundWindow, GetKeyNameTextA, GetKeyState, GetKeyboardState, GetMessageA, GetSystemMetrics, GetWindowTextA, IsWindowVisible, MapVirtualKeyA, PostQuitMessage, RegisterClassExA, ReleaseDC, SendMessageA, SetCursorPos, SetWindowTextA, ShowWindow, ToAscii, TranslateMessage, keybd_event, mouse_event
WS2_32.dll | WSACleanup, WSAGetLastError, WSAIoctl, WSAStartup, __WSAFDIsSet, closesocket, connect, gethostbyname, gethostname, htons, inet_ntoa, ioctlsocket, ntohs, recv, select, send, setsockopt, shutdown, socket
        No network behavior found
        No statistics
        No system behavior
        No disassembly