Windows
Analysis Report
KnegJ4k3ic.exe
Overview
General Information
Sample name: | KnegJ4k3ic.exe (renamed because the original name is a hash value) |
Original sample name: | 19be771df58a8532ef07a64a4029aa4333570a5e33e069ede44338b1357e3ab8.exe |
Analysis ID: | 1447646 |
MD5: | f4c685e8efa4c2687d38dacfd2db5884 |
SHA1: | 3736518825f316f5fe96edce0620cdb3ca2c4f05 |
SHA256: | 19be771df58a8532ef07a64a4029aa4333570a5e33e069ede44338b1357e3ab8 |
Tags: | exe |
Detection
Score: | 88 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
NetWire RC, NetWire | NetWire is a RAT; its functionality seems focused on password stealing and keylogging, but it includes remote control capabilities as well. Keylog files are stored on the infected machine in an obfuscated form. The algorithm is: for i in range(0,num_read): buffer[i] = ((buffer[i]-0x24)^0x9D)&0xFF | | | |
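The keylog obfuscation described in the classification row above, implemented as an added example (this is not code from the report or from Joe Security). decode_keylog applies the per-byte transform exactly as the description states it; encode_keylog is its inverse, derived here rather than taken from the report, and is used only to build a constructed sample so the decoder can be run offline; looks_like_keylog is a plausibility check of my own for confirming that a candidate file really decodes to readable text.

```python
"""Decoder for the NetWire keylog obfuscation: buffer[i] = ((buffer[i]-0x24)^0x9D)&0xFF."""

SUB_CONST = 0x24
XOR_CONST = 0x9D


def decode_keylog(buffer: bytes) -> bytes:
    """Apply the per-byte transform from the report description.

    The subtraction wraps modulo 256: for b < 0x24 Python yields a negative
    int, but the trailing & 0xFF maps it back to the same byte the C code
    would produce, so the expression can be used verbatim.
    """
    return bytes(((b - SUB_CONST) ^ XOR_CONST) & 0xFF for b in buffer)


def encode_keylog(plaintext: bytes) -> bytes:
    """Inverse transform (derived here by reversing the two steps; not stated in the report)."""
    return bytes(((b ^ XOR_CONST) + SUB_CONST) & 0xFF for b in plaintext)


def decode_file(path: str) -> bytes:
    """Decode a keylog file recovered from an infected host."""
    with open(path, "rb") as fh:
        return decode_keylog(fh.read())


def looks_like_keylog(decoded: bytes, threshold: float = 0.9) -> bool:
    """Plausibility check (own heuristic): a correctly decoded log is mostly
    printable ASCII plus CR/LF/TAB (keystrokes, window titles, [Key] names).
    Use it to tell a real keylog from an unrelated file that happened to match."""
    if not decoded:
        return False
    printable = sum(1 for b in decoded if 0x20 <= b < 0x7F or b in b"\r\n\t")
    return printable / len(decoded) >= threshold


# Constructed sample: a plausible keylog fragment, obfuscated with the inverse
# transform so the decoder can be exercised offline. Not data from the sample.
SAMPLE_PLAINTEXT = b"[Window: Login]\r\nuser@example.test[Tab]Passw0rd![Enter]\r\n"
SAMPLE_OBFUSCATED = encode_keylog(SAMPLE_PLAINTEXT)

if __name__ == "__main__":
    import sys

    data = decode_file(sys.argv[1]) if len(sys.argv) > 1 else decode_keylog(SAMPLE_OBFUSCATED)
    print("plausible keylog" if looks_like_keylog(data) else "does not decode to text")
    sys.stdout.write(data.decode("latin-1"))
```

Run it with the path of a suspected keylog file as the only argument; without an argument it decodes the constructed sample. Because both steps are bijections on a byte, the transform is trivially reversible, which is why a YARA or DFIR workflow can confirm a candidate file simply by decoding it and checking for printable text.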
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_NetWire_1 | Yara detected NetWire RAT | Joe Security | |
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
| JoeSecurity_Netwire | Yara detected Netwire RAT | Joe Security | |
| Windows_Trojan_Netwire_6a7df287 | unknown | unknown | |
| Windows_Trojan_Netwire_1b43df38 | unknown | unknown | |
AV Detection
- Avira
- ReversingLabs
- Virustotal (Perma Link)
- Joe Sandbox ML
- Static PE information
- Binary or memory string: memstr_d9b5f199-b

System Summary
- Matched rule (7 entries)
- Static PE information (3 entries)
- Matched rule (7 entries)
- Classification label
- ReversingLabs
- Virustotal
- Static PE information (4 entries)
- File source

Remote Access Functionality
- File source (2 entries)
ATT&CK matrix. Only the entries prefixed with a number are backed by report signatures (the number is the count of signatures mapped to that technique); the remaining cells are the matrix's default technique for each tactic and do not indicate a match.

Tactic | Technique |
---|---|
Reconnaissance | Gather Victim Identity Information |
Resource Development | Acquire Infrastructure |
Initial Access | Valid Accounts |
Execution | Windows Management Instrumentation |
Persistence | Path Interception |
Privilege Escalation | Path Interception |
Defense Evasion | Direct Volume Access |
Credential Access | 11 Input Capture |
Discovery | System Service Discovery |
Lateral Movement | Remote Services |
Collection | 11 Input Capture |
Command and Control | Data Obfuscation |
Exfiltration | Exfiltration Over Other Network Medium |
Impact | Abuse Accessibility Features |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 75% | ReversingLabs | Win32.Trojan.Ulise | |
| 71% | Virustotal | | Browse |
| 100% | Avira | TR/Crypt.XPACK.Gen | |
| 100% | Joe Sandbox ML | | |
Joe Sandbox version: | 40.0.0 Tourmaline |
Analysis ID: | 1447646 |
Start date and time: | 2024-05-26 09:55:14 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 1m 45s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of new started processes analysed: | 1 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | KnegJ4k3ic.exe (renamed because the original name is a hash value) |
Original Sample Name: | 19be771df58a8532ef07a64a4029aa4333570a5e33e069ede44338b1357e3ab8.exe |
Detection: | MAL |
Classification: | mal88.troj.winEXE@0/0@0/0 |
Cookbook Comments: |
- No process behavior to analyse as no analysis process or sample was found
- Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.
- Exclude process from analysis (whitelisted): dllhost.exe
- Excluded domains from analysis (whitelisted): client.wns.windows.com

The Windows loader rejected the image, so the run recorded no process behaviour, no dropped files and no network traffic. The score of 88 therefore rests entirely on static evidence: the YARA matches, the AV verdicts, and the import table at the end of this report.
File type: | |
Entropy (8bit): | 5.564207499846026 |
TrID: | |
File name: | KnegJ4k3ic.exe |
File size: | 122'880 bytes |
MD5: | f4c685e8efa4c2687d38dacfd2db5884 |
SHA1: | 3736518825f316f5fe96edce0620cdb3ca2c4f05 |
SHA256: | 19be771df58a8532ef07a64a4029aa4333570a5e33e069ede44338b1357e3ab8 |
SHA512: | ccd7ac26823f9e6c590eb9d1898be410abda08fdc097f414f62bae1d09c67d734200a04a48335539bea54351448d820870c0b8da86b6e76361ea6fc3de251c93 |
SSDEEP: | 3072:Gr/zIEyQIrPP+V4MrdN/086ibgqGWkSH4:GrsEyQUPP0xFsYN4 |
TLSH: | 59C3E719FA0BE0F2EE0E1D7161CBF6AF4B786930D824CE51DF940D42EA53D636219B94 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......V...............8.........d...!.......0....@..................................O........ ............................ |
Icon Hash: | 00928e8e8686b000 |
Entrypoint: | 0x4021da |
Entrypoint Section: | |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED |
DLL Characteristics: | NX_COMPAT |
Time Stamp: | 0x560EA2E9 [Fri Oct 2 15:29:45 2015 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | eaf9915d2b5730c3717ea003bd93404a |
Instruction |
---|
push ebp |
mov eax, 0000103Ch |
push edi |
push esi |
push ebx |
call 00007FD568E45461h |
sub esp, eax |
call 00007FD568E3675Ah |
lea ebp, dword ptr [esp+28h] |
call 00007FD568E4254Dh |
lea ebx, dword ptr [esp+2Ch] |
call 00007FD568E41CA0h |
call 00007FD568E3FBEBh |
call 00007FD568E3F349h |
call 00007FD568E3F7CDh |
mov dword ptr [esp+2Ch], FFFFFFFFh |
mov eax, dword ptr [esp+2Ch] |
mov dword ptr [esp+08h], 00000004h |
mov dword ptr [esp+04h], ebp |
mov dword ptr [esp+28h], 00000000h |
mov dword ptr [esp], eax |
call 00007FD568E36DD9h |
test al, al |
je 00007FD568E34E9Fh |
mov edi, dword ptr [esp+28h] |
mov esi, dword ptr [esp+2Ch] |
mov dword ptr [esp+04h], edi |
mov dword ptr [esp], esi |
call 00007FD568E34D37h |
test al, al |
je 00007FD568E34DB2h |
lea eax, dword ptr [esp+30h] |
mov dword ptr [esp+08h], edi |
mov dword ptr [esp+04h], eax |
mov dword ptr [esp], esi |
call 00007FD568E36DA5h |
test al, al |
je 00007FD568E34E5Ah |
mov esi, dword ptr [esp+28h] |
cmp esi, 00000FFFh |
jnbe 00007FD568E34DF7h |
mov byte ptr [esp+esi+30h], 00000000h |
movzx edx, byte ptr [esp+30h] |
mov edi, dword ptr [esp+2Ch] |
mov dword ptr [esp+04h], edx |
mov dword ptr [esp], edi |
mov dword ptr [esp+1Ch], edx |
call 00007FD568E34D18h |
mov edx, dword ptr [esp+1Ch] |
test al, al |
jne 00007FD568E34E0Bh |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1c000 | 0x10fc | |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1c30c | 0x258 | |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
| 0x0 | 0x4 | 0x1e000 | 7fc15ff8b7bea22eb81a87935900499d | False | 0.42244944852941174 | data | 5.587899935128232 | IMAGE_SCN_LNK_COMDAT |
| 0x10 | 0x0 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | |
8 | 0x6400 | 0x2e00 | 0x21da | f28db5a28d857ebe30a1bc2f4ee6fcdc | False | 0.5346180475421186 | data | 6.00062430488322 | IMAGE_SCN_LNK_INFO |

The section table is not one a linker would emit for an executable: the first two entries have no name, the first entry's raw size (0x1e000 = 122'880 bytes) equals the whole file size, the second is empty, and the only characteristics set (IMAGE_SCN_LNK_COMDAT, IMAGE_SCN_LNK_INFO) are flags the PE specification defines for object files, not the CODE/INITIALIZED_DATA/MEM_* flags of a loadable image. None of the listed ranges contains the entrypoint 0x4021da (RVA 0x21da), which is why the Entrypoint Section field above is empty. This is consistent with the loader error in the cookbook comments: the sample's static features (YARA hits, import table) are those of NetWire, but this particular file does not run.
DLL | Import |
---|---|
ADVAPI32.DLL | CryptAcquireContextA, CryptCreateHash, CryptDestroyHash, CryptGetHashParam, CryptHashData, CryptReleaseContext, GetUserNameA, RegCloseKey, RegCreateKeyExA, RegDeleteKeyA, RegDeleteValueA, RegEnumKeyExA, RegEnumValueA, RegOpenKeyExA, RegQueryValueExA, RegSetValueExA |
CRYPT32.DLL | CryptUnprotectData |
GDI32.dll | BitBlt, CreateCompatibleBitmap, CreateCompatibleDC, DeleteDC, DeleteObject, GetDIBits, SelectObject |
KERNEL32.dll | CloseHandle, CreateDirectoryA, CreateFileA, CreateMutexA, CreatePipe, CreateProcessA, CreateToolhelp32Snapshot, DeleteFileA, EnterCriticalSection, ExitProcess, FileTimeToSystemTime, FindClose, FindFirstFileA, FindNextFileA, FreeLibrary, GetCommandLineA, GetComputerNameA, GetCurrentProcessId, GetCurrentThreadId, GetDiskFreeSpaceExA, GetDriveTypeA, GetFileAttributesA, GetFileAttributesExA, GetLastError, GetLocalTime, GetLogicalDriveStringsA, GetModuleFileNameA, GetProcAddress, GetProcessTimes, GetStartupInfoA, GetSystemInfo, GetSystemTime, GetTickCount, GetVersionExA, GetVolumeInformationA, InitializeCriticalSection, LeaveCriticalSection, LoadLibraryA, LocalFree, MoveFileA, OpenProcess, PeekNamedPipe, Process32First, Process32Next, ReadFile, ReleaseMutex, ResumeThread, SetErrorMode, SetFileAttributesA, SetFilePointer, Sleep, TerminateProcess, WideCharToMultiByte, WriteFile |
msvcrt.dll | _beginthreadex, _filelengthi64, _vscprintf, _vsnprintf, fclose, fflush, fgetpos, fgets, fopen, fread, free, fsetpos, fwrite, getenv, malloc, realloc, strlen |
SHELL32.DLL | SHGetPathFromIDListA, SHGetSpecialFolderLocation |
USER32.dll | CreateWindowExA, DefWindowProcA, DispatchMessageA, EnumWindows, GetDC, GetDesktopWindow, GetForegroundWindow, GetKeyNameTextA, GetKeyState, GetKeyboardState, GetMessageA, GetSystemMetrics, GetWindowTextA, IsWindowVisible, MapVirtualKeyA, PostQuitMessage, RegisterClassExA, ReleaseDC, SendMessageA, SetCursorPos, SetWindowTextA, ShowWindow, ToAscii, TranslateMessage, keybd_event, mouse_event |
WS2_32.dll | WSACleanup, WSAGetLastError, WSAIoctl, WSAStartup, __WSAFDIsSet, closesocket, connect, gethostbyname, gethostname, htons, inet_ntoa, ioctlsocket, ntohs, recv, select, send, setsockopt, shutdown, socket |
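A triage pass over the import table above, as an added example (not code from Joe Sandbox or from the NetWire author). The import list is copied from the report's DLL/Import table; the capability map is a hand-written heuristic of mine that groups APIs whose co-occurrence indicates a behaviour (keylogging via GetKeyState/ToAscii, screen capture via BitBlt/GetDIBits, DPAPI credential decryption via CryptUnprotectData, a reverse shell via CreatePipe/CreateProcessA, socket C2 via WS2_32), not a signature from the report. The imphash function reimplements the widely used pefile algorithm; because that algorithm hashes entries in import-directory order and the report's table appears alphabetised, the value it produces here need not equal the report's Import Hash, which is itself a caveat worth knowing when comparing imphashes across tools.

```python
"""Import-table capability triage and pefile-style imphash (added example)."""
import hashlib
import re

# Copied from the report's DLL | Import table, in the table's own order.
REPORT_IMPORTS = """
ADVAPI32.DLL | CryptAcquireContextA, CryptCreateHash, CryptDestroyHash, CryptGetHashParam, CryptHashData, CryptReleaseContext, GetUserNameA, RegCloseKey, RegCreateKeyExA, RegDeleteKeyA, RegDeleteValueA, RegEnumKeyExA, RegEnumValueA, RegOpenKeyExA, RegQueryValueExA, RegSetValueExA
CRYPT32.DLL | CryptUnprotectData
GDI32.dll | BitBlt, CreateCompatibleBitmap, CreateCompatibleDC, DeleteDC, DeleteObject, GetDIBits, SelectObject
KERNEL32.dll | CloseHandle, CreateDirectoryA, CreateFileA, CreateMutexA, CreatePipe, CreateProcessA, CreateToolhelp32Snapshot, DeleteFileA, EnterCriticalSection, ExitProcess, FileTimeToSystemTime, FindClose, FindFirstFileA, FindNextFileA, FreeLibrary, GetCommandLineA, GetComputerNameA, GetCurrentProcessId, GetCurrentThreadId, GetDiskFreeSpaceExA, GetDriveTypeA, GetFileAttributesA, GetFileAttributesExA, GetLastError, GetLocalTime, GetLogicalDriveStringsA, GetModuleFileNameA, GetProcAddress, GetProcessTimes, GetStartupInfoA, GetSystemInfo, GetSystemTime, GetTickCount, GetVersionExA, GetVolumeInformationA, InitializeCriticalSection, LeaveCriticalSection, LoadLibraryA, LocalFree, MoveFileA, OpenProcess, PeekNamedPipe, Process32First, Process32Next, ReadFile, ReleaseMutex, ResumeThread, SetErrorMode, SetFileAttributesA, SetFilePointer, Sleep, TerminateProcess, WideCharToMultiByte, WriteFile
msvcrt.dll | _beginthreadex, _filelengthi64, _vscprintf, _vsnprintf, fclose, fflush, fgetpos, fgets, fopen, fread, free, fsetpos, fwrite, getenv, malloc, realloc, strlen
SHELL32.DLL | SHGetPathFromIDListA, SHGetSpecialFolderLocation
USER32.dll | CreateWindowExA, DefWindowProcA, DispatchMessageA, EnumWindows, GetDC, GetDesktopWindow, GetForegroundWindow, GetKeyNameTextA, GetKeyState, GetKeyboardState, GetMessageA, GetSystemMetrics, GetWindowTextA, IsWindowVisible, MapVirtualKeyA, PostQuitMessage, RegisterClassExA, ReleaseDC, SendMessageA, SetCursorPos, SetWindowTextA, ShowWindow, ToAscii, TranslateMessage, keybd_event, mouse_event
WS2_32.dll | WSACleanup, WSAGetLastError, WSAIoctl, WSAStartup, __WSAFDIsSet, closesocket, connect, gethostbyname, gethostname, htons, inet_ntoa, ioctlsocket, ntohs, recv, select, send, setsockopt, shutdown, socket
"""

# Hand-written triage heuristic (assumption, not a report signature): API sets
# whose co-occurrence points at a capability.
CAPABILITIES = {
    "keylogging": {"GetKeyState", "GetKeyboardState", "ToAscii", "MapVirtualKeyA",
                   "GetKeyNameTextA", "GetForegroundWindow", "GetWindowTextA"},
    "screen capture": {"GetDC", "GetDesktopWindow", "CreateCompatibleDC",
                       "CreateCompatibleBitmap", "BitBlt", "GetDIBits"},
    "dpapi credential decryption": {"CryptUnprotectData"},
    "registry persistence/config": {"RegCreateKeyExA", "RegSetValueExA", "RegDeleteValueA", "RegDeleteKeyA"},
    "process enumeration/control": {"CreateToolhelp32Snapshot", "Process32First", "Process32Next",
                                    "OpenProcess", "TerminateProcess"},
    "remote shell (piped child process)": {"CreatePipe", "CreateProcessA", "PeekNamedPipe"},
    "socket c2": {"WSAStartup", "socket", "connect", "send", "recv", "gethostbyname", "select"},
    "remote input injection": {"keybd_event", "mouse_event", "SetCursorPos"},
    "host fingerprinting": {"GetComputerNameA", "GetUserNameA", "GetVersionExA", "GetSystemInfo",
                            "GetVolumeInformationA", "GetLogicalDriveStringsA"},
    "single-instance mutex": {"CreateMutexA"},
}


def parse_report_imports(text: str) -> dict[str, list[str]]:
    """'DLL | f1, f2' lines -> {dll_lowercase: [f1, f2, ...]}, preserving table order."""
    imports: dict[str, list[str]] = {}
    for line in text.strip().splitlines():
        dll, funcs = (part.strip() for part in line.split("|", 1))
        imports[dll.lower()] = [f.strip() for f in funcs.split(",") if f.strip()]
    return imports


def triage(imports: dict[str, list[str]], min_hits: int = 2) -> dict[str, list[str]]:
    """Return each capability whose API set is sufficiently present.

    A capability needs min_hits matching APIs, or all of them when it has fewer,
    so a single decisive import such as CryptUnprotectData still fires.
    """
    present = {f for funcs in imports.values() for f in funcs}
    found: dict[str, list[str]] = {}
    for cap, apis in CAPABILITIES.items():
        hits = sorted(present & apis)
        if len(hits) >= min(min_hits, len(apis)):
            found[cap] = hits
    return found


def imphash(imports: dict[str, list[str]]) -> str:
    """pefile-style import hash: 'dll.func' lowercased, DLL extension
    (.dll/.ocx/.sys) stripped, joined with ',' in the given order, MD5.
    Order is part of the hash, so an alphabetised table need not reproduce
    the value a tool computed from the binary's import directory."""
    parts = []
    for dll, funcs in imports.items():
        lib = re.sub(r"\.(dll|ocx|sys)$", "", dll.lower())
        parts.extend(f"{lib}.{func.lower()}" for func in funcs)
    return hashlib.md5(",".join(parts).encode()).hexdigest()


if __name__ == "__main__":
    imps = parse_report_imports(REPORT_IMPORTS)
    for cap, hits in triage(imps).items():
        print(f"{cap:36s} {', '.join(hits)}")
    print("imphash over table order:", imphash(imps))
```

Every capability in the map fires on this import table, which is the static picture the YARA and AV verdicts above are built on: keystroke capture, screenshots, DPAPI-protected credential recovery, a piped child process for a remote shell, and raw socket C2. To compare the imphash against the report's Import Hash or against other samples, compute it from the binary's import directory (for example with pefile's get_imphash()) rather than from a sorted listing.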