Windows Analysis Report
BiUwyvgVx6.exe

Overview

General Information

Sample name: BiUwyvgVx6.exe
renamed because original name is a hash value
Original sample name: 4cda545865d04de7de11c1e55d551a53096cbf9efe26bc61fe009695603f1b28.exe
Analysis ID: 1447647
MD5: e477181e703bd428f9346ffe3198e16f
SHA1: ca92071f9c5290450fc13f3c11b3cbca20d7b75b
SHA256: 4cda545865d04de7de11c1e55d551a53096cbf9efe26bc61fe009695603f1b28
Tags: exe

Detection

NetWire
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected NetWire RAT
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes
Found evasive API chain (may stop execution after checking mutex)
Machine Learning detection for sample
AV process strings found (often used to terminate AV products)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to dynamically determine API calls
Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Detected potential crypto function
Found decision node followed by non-executed suspicious APIs
Found evasive API chain (may stop execution after accessing registry keys)
Found large amount of non-executed APIs
One or more processes crash
PE file contains an invalid checksum
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Name: NetWire RC, NetWire
Description: Netwire is a RAT; its functionality seems focused on password stealing and keylogging, but it includes remote control capabilities as well. Keylog files are stored on the infected machine in an obfuscated form. The algorithm is: for i in range(0,num_read): buffer[i] = ((buffer[i]-0x24)^0x9D)&0xFF
Attribution: APT33
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.netwire
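The description above gives the per-byte transform that NetWire applies when a keylog file is read back, which is all an analyst needs to recover the logs from the configured KeyLog Directory. The block below is an added example written for this page; it is not Joe Sandbox, Malpedia or NetWire code. Only the decode expression comes from the description. The inverse transform (used to build an offline fixture), the printable-byte plausibility score and the directory walker are conveniences I added, and the sample keylog text is invented.

```python
"""NetWire keylog decoder. Added example for this report; it is not
Joe Sandbox, Malpedia or NetWire code.

Only the per-byte decode expression comes from the page (the Malpedia
description quoted above):
    buffer[i] = ((buffer[i] - 0x24) ^ 0x9D) & 0xFF
The inverse transform, the plausibility score and the directory walker
are conveniences written for this example.
"""
from pathlib import Path
from typing import Iterator, Tuple

SUB = 0x24
XOR = 0x9D


def decode_netwire_keylog(data: bytes) -> bytes:
    """Apply the transform from the report to every byte of a keylog file."""
    return bytes(((b - SUB) ^ XOR) & 0xFF for b in data)


def encode_netwire_keylog(plain: bytes) -> bytes:
    """Inverse of decode_netwire_keylog, derived algebraically:
    decode is (b - 0x24) ^ 0x9D mod 256, so encode is (b ^ 0x9D) + 0x24 mod 256.
    Used here only to build an offline fixture."""
    return bytes(((b ^ XOR) + SUB) & 0xFF for b in plain)


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII, tab, CR or LF.

    Correctly decoded keylog text scores close to 1.0; a file that is not
    a NetWire keylog (or was already decoded) scores much lower, so this
    catches the 'decoded the wrong thing' case before an analyst trusts it.
    """
    if not data:
        return 0.0
    ok = sum(1 for b in data if 0x20 <= b < 0x7F or b in (0x09, 0x0A, 0x0D))
    return ok / len(data)


def decode_keylog_dir(directory: Path, min_ratio: float = 0.9) -> Iterator[Tuple[Path, bytes, bool]]:
    """Decode every regular file under `directory` (e.g. the KeyLog Directory
    from the extracted config) and yield (path, decoded_bytes, trusted).
    Files that score below `min_ratio` are still yielded, flagged untrusted."""
    for path in sorted(p for p in directory.rglob("*") if p.is_file()):
        decoded = decode_netwire_keylog(path.read_bytes())
        yield path, decoded, printable_ratio(decoded) >= min_ratio


# Constructed fixture: an invented keylog record as the RAT would store it.
SAMPLE_PLAINTEXT = b"[Untitled - Notepad]\r\nhello [ENTER]\r\n"
SAMPLE_OBFUSCATED = encode_netwire_keylog(SAMPLE_PLAINTEXT)

if __name__ == "__main__":
    out = decode_netwire_keylog(SAMPLE_OBFUSCATED)
    print(out.decode("ascii"), "score=%.2f" % printable_ratio(out))
```

Because the transform is a subtraction followed by an XOR, a byte that was already plaintext does not survive a second pass; the plausibility score is there so that a file picked up from the wrong directory, or one that was decoded twice, is flagged rather than silently reported as garbage keystrokes.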

AV Detection

Source: BiUwyvgVx6.exe Avira: detected
Source: 43.226.229.43:2030 Avira URL Cloud: Label: malware
Source: 3.2.BiUwyvgVx6.exe.400000.0.unpack Malware Configuration Extractor: NetWire {"C2 list": ["43.226.229.43:2030"], "Password": "Password", "Host ID": "ECHO", "Mutex": "-", "Install Path": "%AppData%\\Install\\Host.exe", "Startup Name": "NetWire", "ActiveX Key": "-", "KeyLog Directory": "C:\\Users\\Administrator\\AppData\\Roaming\\Logs\\"}
Source: 43.226.229.43:2030 Virustotal: Detection: 7%
Source: BiUwyvgVx6.exe ReversingLabs: Detection: 97%
Source: BiUwyvgVx6.exe Virustotal: Detection: 87%
Source: BiUwyvgVx6.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe Code function: 3_2_0040C4B7 RegOpenKeyExA,RegEnumKeyExA,RegOpenKeyExA,RegCloseKey,RegOpenKeyExA,RegEnumKeyExA,RegOpenKeyExA,RegCloseKey,RegCloseKey,CryptUnprotectData,LocalFree,CryptUnprotectData,LocalFree, 3_2_0040C4B7
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe Code function: 3_2_0040E511 CryptUnprotectData,LocalFree, 3_2_0040E511
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe Code function: 3_2_0040EDD6 fopen,malloc,fclose,fread,fclose,CryptUnprotectData,sprintf,strcmp,strcmp, 3_2_0040EDD6
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe Code function: 3_2_0040D290 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, 3_2_0040D290
Source: BiUwyvgVx6.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe Code function: 3_2_00406453 MultiByteToWideChar,SetErrorMode,FindFirstFileW,FileTimeToSystemTime,WideCharToMultiByte,WideCharToMultiByte,FindNextFileW,FindClose, 3_2_00406453
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe Code function: 3_2_0040680D SetErrorMode,MultiByteToWideChar,wcscat,FindFirstFileW,FindClose,WideCharToMultiByte,FindNextFileW, 3_2_0040680D
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe Code function: 3_2_0040753D MultiByteToWideChar,SetErrorMode,MultiByteToWideChar,wcscat,FindFirstFileW,FindClose,WideCharToMultiByte,MultiByteToWideChar,wcscat,WideCharToMultiByte,FindNextFileW, 3_2_0040753D
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe Code function: 3_2_00413A85 SetErrorMode,MultiByteToWideChar,FindFirstFileW,WideCharToMultiByte,WideCharToMultiByte,FindNextFileW,FindClose, 3_2_00413A85
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe Code function: 3_2_0040DB1C SetErrorMode,FindFirstFileA,FindNextFileA,FindClose, 3_2_0040DB1C
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe Code function: 3_2_00406F83 SetErrorMode,FindFirstFileA,strcmp,strcmp,strcat,fopen,strncpy,fclose,strcpy,FindNextFileA,FindClose, 3_2_00406F83
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe Code function: 3_2_00406390 FindFirstFileW,fopen,_snwprintf,fwprintf,_snwprintf,FindNextFileW,FindClose,fclose, 3_2_00406390
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe Code function: 3_2_00406084 SetErrorMode,GetLogicalDriveStringsA,GetVolumeInformationA,GetDiskFreeSpaceExA,GetDriveTypeA, 3_2_00406084
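The Malware Configuration Extractor line in this section is the most actionable part of the report: it names the C2 endpoint, the install path, the startup name and the keylog directory. The block below is an added example, not Joe Sandbox code, that normalises that configuration into host and network indicators and runs them over a handful of constructed Sysmon-style events. The configuration values are copied from the report; the event schema, the victim user name, the %AppData% expansion and the assumption that "Startup Name" becomes the value name under the HKCU Run key are mine.

```python
"""Turn the NetWire configuration extracted above into indicators and run
them over constructed telemetry. Added example; not Joe Sandbox code.

From the report: the configuration values themselves (EXTRACTED_CONFIG).
Assumed for the example: the Sysmon-like event dicts, the victim user name,
the %AppData% layout, and that 'Startup Name' is the value name the
implant writes under the HKCU Run key for persistence.
"""
import json
from typing import Dict, List, Tuple

# Verbatim from the Malware Configuration Extractor line of this report.
EXTRACTED_CONFIG = json.loads(r'''{"C2 list": ["43.226.229.43:2030"], "Password": "Password", "Host ID": "ECHO", "Mutex": "-", "Install Path": "%AppData%\\Install\\Host.exe", "Startup Name": "NetWire", "ActiveX Key": "-", "KeyLog Directory": "C:\\Users\\Administrator\\AppData\\Roaming\\Logs\\"}''')

RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"  # assumed persistence location


def expand_appdata(path: str, user: str) -> str:
    """Expand %AppData% for a given profile (default Windows layout assumed)."""
    return path.replace("%AppData%", "C:\\Users\\" + user + "\\AppData\\Roaming")


def iocs_from_config(cfg: Dict, user: str) -> Dict[str, object]:
    """Normalise the extractor output into comparable indicators."""
    c2: List[Tuple[str, int]] = []
    for entry in cfg.get("C2 list", []):
        host, _, port = entry.rpartition(":")
        c2.append((host, int(port)))
    return {
        "c2": c2,
        "install_path": expand_appdata(cfg["Install Path"], user).lower(),
        "run_value": (RUN_KEY.lower(), cfg["Startup Name"].lower()),
        # The extractor shows an absolute path under an 'Administrator'
        # profile, i.e. a path baked in at build time; treat it as a weak
        # indicator because it may not be the directory used on a victim host.
        "keylog_dir": cfg["KeyLog Directory"].lower(),
        "mutex": None if cfg.get("Mutex", "-") == "-" else cfg["Mutex"],
    }


def match_event(iocs: Dict[str, object], ev: Dict) -> List[str]:
    """Return the names of every indicator the event satisfies."""
    hits = []
    if ev["type"] == "network" and (ev["dst_ip"], ev["dst_port"]) in iocs["c2"]:
        hits.append("c2")
    if ev["type"] == "file":
        path = ev["path"].lower()
        if path == iocs["install_path"]:
            hits.append("install_path")
        if path.startswith(iocs["keylog_dir"]):
            hits.append("keylog_dir")
    if ev["type"] == "registry" and (ev["key"].lower(), ev["value"].lower()) == iocs["run_value"]:
        hits.append("run_value")
    return hits


def scan(events: List[Dict], cfg: Dict = EXTRACTED_CONFIG, user: str = "victim") -> List[Tuple[Dict, List[str]]]:
    """Run every event through the indicators; keep only the ones that hit."""
    iocs = iocs_from_config(cfg, user)
    results = []
    for ev in events:
        hits = match_event(iocs, ev)
        if hits:
            results.append((ev, hits))
    return results


# Constructed Sysmon-style telemetry (invented; only PID 5680 comes from the
# report, where it is the sample's sandbox PID).
EVENTS = [
    {"type": "network", "pid": 5680, "dst_ip": "43.226.229.43", "dst_port": 2030},
    {"type": "file", "pid": 5680, "path": "C:\\Users\\victim\\AppData\\Roaming\\Install\\Host.exe"},
    {"type": "registry", "pid": 5680, "key": RUN_KEY, "value": "NetWire",
     "data": "C:\\Users\\victim\\AppData\\Roaming\\Install\\Host.exe"},
    {"type": "file", "pid": 5680, "path": "C:\\Users\\Administrator\\AppData\\Roaming\\Logs\\keys.dat"},
    {"type": "network", "pid": 4242, "dst_ip": "192.0.2.10", "dst_port": 443},  # unrelated traffic
]

if __name__ == "__main__":
    for ev, hits in scan(EVENTS):
        print(hits, ev)
```

The C2 and install-path indicators are exact matches and safe to alert on; the keylog directory is a prefix match on a path the builder hard-coded, so it belongs in a hunting query rather than a blocking rule. The configured mutex is "-", which the example reads as "none set", so no mutex indicator is emitted.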

Networking

Source: Malware configuration extractor URLs: 43.226.229.43:2030
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe Code function: 3_2_00405811 send,recv, 3_2_00405811
Source: Amcache.hve.16.dr String found in binary or memory: http://upx.sf.net
Source: BiUwyvgVx6.exe String found in binary or memory: http://www.yandex.com
Source: BiUwyvgVx6.exe String found in binary or memory: http://www.yandex.comsocks=

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\BiUwyvgVx6.exe Code function: 3_2_00409953 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyboardState,MapVirtualKeyW,ToUnicode,WideCharToMultiByte,GetKeyState,MapVirtualKeyW,GetKeyNameTextW,GetKeyState,WideCharToMultiByte, 3_2_00409953
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe Code function: 3_2_00411D8C GetSystemMetrics,GetSystemMetrics,GetDesktopWindow,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GetDIBits,calloc,GetDIBits,ReleaseDC,DeleteDC,DeleteObject,free, 3_2_00411D8C

System Summary

Source: BiUwyvgVx6.exe, type: SAMPLE Matched rule: Windows_Trojan_Netwire_6a7df287 Author: unknown
Source: BiUwyvgVx6.exe, type: SAMPLE Matched rule: Windows_Trojan_Netwire_1b43df38 Author: unknown
Source: BiUwyvgVx6.exe, type: SAMPLE Matched rule: Detects NetWire RAT Author: ditekSHen
Source: 3.2.BiUwyvgVx6.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Netwire_6a7df287 Author: unknown
Source: 3.2.BiUwyvgVx6.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Netwire_1b43df38 Author: unknown
Source: 3.2.BiUwyvgVx6.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects NetWire RAT Author: ditekSHen
Source: 3.0.BiUwyvgVx6.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Netwire_6a7df287 Author: unknown
Source: 3.0.BiUwyvgVx6.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Netwire_1b43df38 Author: unknown
Source: 3.0.BiUwyvgVx6.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects NetWire RAT Author: ditekSHen
Source: 00000003.00000002.1721560085.0000000000423000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Netwire_1b43df38 Author: unknown
Source: 00000003.00000000.1275114632.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Netwire_6a7df287 Author: unknown
Source: 00000003.00000002.1721519472.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Netwire_6a7df287 Author: unknown
Source: 00000003.00000000.1275186965.0000000000422000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Netwire_1b43df38 Author: unknown
Source: Process Memory Space: BiUwyvgVx6.exe PID: 5680, type: MEMORYSTR Matched rule: Windows_Trojan_Netwire_1b43df38 Author: unknown
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe Memory allocated: 70D20000 page read and write
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe Memory allocated: 71CF0000 page read and write
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe Memory allocated: 72CC0000 page read and write
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe Memory allocated: 74350000 page read and write
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe Memory allocated: 778A0000 page read and write
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe Memory allocated: 73C90000 page read and write
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe Memory allocated: 75D80000 page read and write
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe Memory allocated: 75320000 page read and write
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe Memory allocated: 76180000 page read and write
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe Memory allocated: 77280000 page read and write
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe Memory allocated: 74090000 page read and write
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe Memory allocated: 75890000 page read and write
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe Memory allocated: 76380000 page read and write
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe Memory allocated: 77090000 page read and write
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe Memory allocated: 74190000 page read and write
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe Memory allocated: 75520000 page read and write
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe Memory allocated: 75990000 page read and write
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe Memory allocated: 75BB0000 page read and write
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe Memory allocated: 767C0000 page read and write
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe Memory allocated: 768D0000 page read and write
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe Memory allocated: 77480000 page read and write
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe Memory allocated: 77620000 page read and write
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe Memory allocated: 74210000 page read and write
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe Memory allocated: 742F0000 page read and write
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe Memory allocated: 755A0000 page read and write
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe Memory allocated: 75C30000 page read and write
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe Memory allocated: 76480000 page read and write
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe Memory allocated: 76950000 page read and write
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe Memory allocated: 755E0000 page read and write
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe Memory allocated: 76990000 page read and write
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe Code function: 3_2_00403047 3_2_00403047
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe Code function: 3_2_0041D049 3_2_0041D049
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe Code function: 3_2_00419463 3_2_00419463
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe Code function: 3_2_00415079 3_2_00415079
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe Code function: 3_2_00420420 3_2_00420420
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe Code function: 3_2_004208C0 3_2_004208C0
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe Code function: 3_2_004034D3 3_2_004034D3
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe Code function: 3_2_00414976 3_2_00414976
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe Code function: 3_2_00402E68 3_2_00402E68
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe Code function: 3_2_00416619 3_2_00416619
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe Code function: 3_2_0040AEC6 3_2_0040AEC6
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe Code function: 3_2_00402AFC 3_2_00402AFC
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe Code function: 3_2_00415ABF 3_2_00415ABF
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe Code function: 3_2_00420F40 3_2_00420F40
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe Code function: 3_2_0041FF50 3_2_0041FF50
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe Code function: 3_2_0040A728 3_2_0040A728
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5680 -s 384
Source: BiUwyvgVx6.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: BiUwyvgVx6.exe, type: SAMPLE Matched rule: Windows_Trojan_Netwire_6a7df287 reference_sample = e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Netwire, fingerprint = 85051a0b94da4388eaead4c4f4b2d16d4a5eb50c3c938b3daf5c299c9c12f1e6, id = 6a7df287-1656-4779-9a96-c0ab536ae86a, last_modified = 2021-08-23
Source: BiUwyvgVx6.exe, type: SAMPLE Matched rule: Windows_Trojan_Netwire_1b43df38 reference_sample = e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Netwire, fingerprint = 4142ea14157939dc23b8d1f5d83182aef3a5877d2506722f7a2706b7cb475b76, id = 1b43df38-886e-4f58-954a-a09f30f19907, last_modified = 2021-08-23
Source: BiUwyvgVx6.exe, type: SAMPLE Matched rule: MALWARE_Win_NetWire author = ditekSHen, description = Detects NetWire RAT
Source: 3.2.BiUwyvgVx6.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Netwire_6a7df287 reference_sample = e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Netwire, fingerprint = 85051a0b94da4388eaead4c4f4b2d16d4a5eb50c3c938b3daf5c299c9c12f1e6, id = 6a7df287-1656-4779-9a96-c0ab536ae86a, last_modified = 2021-08-23
Source: 3.2.BiUwyvgVx6.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Netwire_1b43df38 reference_sample = e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Netwire, fingerprint = 4142ea14157939dc23b8d1f5d83182aef3a5877d2506722f7a2706b7cb475b76, id = 1b43df38-886e-4f58-954a-a09f30f19907, last_modified = 2021-08-23
Source: 3.2.BiUwyvgVx6.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NetWire author = ditekSHen, description = Detects NetWire RAT
Source: 3.0.BiUwyvgVx6.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Netwire_6a7df287 reference_sample = e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Netwire, fingerprint = 85051a0b94da4388eaead4c4f4b2d16d4a5eb50c3c938b3daf5c299c9c12f1e6, id = 6a7df287-1656-4779-9a96-c0ab536ae86a, last_modified = 2021-08-23
Source: 3.0.BiUwyvgVx6.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Netwire_1b43df38 reference_sample = e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Netwire, fingerprint = 4142ea14157939dc23b8d1f5d83182aef3a5877d2506722f7a2706b7cb475b76, id = 1b43df38-886e-4f58-954a-a09f30f19907, last_modified = 2021-08-23
Source: 3.0.BiUwyvgVx6.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NetWire author = ditekSHen, description = Detects NetWire RAT
Source: 00000003.00000002.1721560085.0000000000423000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Netwire_1b43df38 reference_sample = e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Netwire, fingerprint = 4142ea14157939dc23b8d1f5d83182aef3a5877d2506722f7a2706b7cb475b76, id = 1b43df38-886e-4f58-954a-a09f30f19907, last_modified = 2021-08-23
Source: 00000003.00000000.1275114632.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Netwire_6a7df287 reference_sample = e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Netwire, fingerprint = 85051a0b94da4388eaead4c4f4b2d16d4a5eb50c3c938b3daf5c299c9c12f1e6, id = 6a7df287-1656-4779-9a96-c0ab536ae86a, last_modified = 2021-08-23
Source: 00000003.00000002.1721519472.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Netwire_6a7df287 reference_sample = e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Netwire, fingerprint = 85051a0b94da4388eaead4c4f4b2d16d4a5eb50c3c938b3daf5c299c9c12f1e6, id = 6a7df287-1656-4779-9a96-c0ab536ae86a, last_modified = 2021-08-23
Source: 00000003.00000000.1275186965.0000000000422000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Netwire_1b43df38 reference_sample = e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Netwire, fingerprint = 4142ea14157939dc23b8d1f5d83182aef3a5877d2506722f7a2706b7cb475b76, id = 1b43df38-886e-4f58-954a-a09f30f19907, last_modified = 2021-08-23
Source: Process Memory Space: BiUwyvgVx6.exe PID: 5680, type: MEMORYSTR Matched rule: Windows_Trojan_Netwire_1b43df38 reference_sample = e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Netwire, fingerprint = 4142ea14157939dc23b8d1f5d83182aef3a5877d2506722f7a2706b7cb475b76, id = 1b43df38-886e-4f58-954a-a09f30f19907, last_modified = 2021-08-23
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@2/5@0/0
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe Code function: 3_2_00406084 SetErrorMode,GetLogicalDriveStringsA,GetVolumeInformationA,GetDiskFreeSpaceExA,GetDriveTypeA, 3_2_00406084
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe Code function: 3_2_00402570 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, 3_2_00402570
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5680
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\7395c3eb-7e86-4981-bebf-d6808064cf6d
Source: BiUwyvgVx6.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: BiUwyvgVx6.exe ReversingLabs: Detection: 97%
Source: BiUwyvgVx6.exe Virustotal: Detection: 87%
Source: unknown Process created: C:\Users\user\Desktop\BiUwyvgVx6.exe "C:\Users\user\Desktop\BiUwyvgVx6.exe"
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe Code function: 3_2_00408417 LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,malloc,malloc,malloc,LoadLibraryA,GetProcAddress,malloc,malloc,malloc,malloc, 3_2_00408417
Source: BiUwyvgVx6.exe Static PE information: real checksum: 0x2be0d should be: 0x35f11
Source: BiUwyvgVx6.exe Static PE information: section name: .eh_fram
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe Code function: 3_2_0040DCE9 push ecx; mov dword ptr [esp], 00423976h 3_2_0040DD9F
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe Code function: 3_2_0040DCE9 push ebp; mov dword ptr [esp], 0042398Ah 3_2_0040DDD9
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe Code function: 3_2_0040DCE9 push edx; mov dword ptr [esp], 00423997h 3_2_0040DDF7
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe Code function: 3_2_0040DCE9 push edx; mov dword ptr [esp], esi 3_2_0040E394
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe Code function: 3_2_0040A4BC push esi; mov dword ptr [esp], 00423347h 3_2_0040A543
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe Code function: 3_2_00409953 push edi; mov dword ptr [esp], 00000091h 3_2_00409980
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe Code function: 3_2_00409953 push ebp; mov dword ptr [esp], 00000090h 3_2_0040998D
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe Code function: 3_2_00411D8C push edx; mov dword ptr [esp], edi 3_2_00412058
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe Code function: 3_2_00409E61 push eax; mov dword ptr [esp], ebx 3_2_00409FDE
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe Code function: 3_2_00406E04 push ecx; mov dword ptr [esp], ebx 3_2_00406E69
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe Code function: 3_2_0040262F push edx; mov dword ptr [esp], edi 3_2_004027C8
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe Code function: 3_2_0040262F push edx; mov dword ptr [esp], edi 3_2_00402815
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe Code function: 3_2_0040262F push edx; mov dword ptr [esp], edi 3_2_004029B2
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe Code function: 3_2_004146E1 push eax; mov dword ptr [esp], ebx 3_2_0041470B
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe Code function: 3_2_0040970C push eax; mov dword ptr [esp], 0042B4A0h 3_2_004097B9
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
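The `push reg; mov dword ptr [esp], X` sequences listed in this section are what fired the "code obfuscation techniques (call, push, ret)" signature. Each pair leaves the stack exactly as a single `push X` would: the first instruction only reserves the slot, the second fills it. Compilers that reserve a stack slot with a dummy push produce the same shape, and the `.eh_fram` section name flagged above is `.eh_frame` cut to the eight-character PE section-name limit, so on its own this pattern is weak evidence of deliberate obfuscation. The block below is an added example, not Joe Sandbox code, that parses lines in the report's own format, collapses each pair to the equivalent single push and classifies the immediate. The image address range and the reading of 0x90/0x91 as VK_NUMLOCK/VK_SCROLL (both appear in 3_2_00409953, the function the report shows calling GetKeyState) are my assumptions; the report itself only lists the instruction pairs.

```python
"""Collapse the `push reg; mov dword ptr [esp], X` pairs listed in this
report to the single push they are equivalent to. Added example; not
Joe Sandbox code. The line format is the report's; the image address
range and the virtual-key interpretation of small immediates are
assumptions made for this example.
"""
import re
from typing import Dict, List, Optional, Tuple

REG = r"e[abcd]x|e[sd]i|e[bs]p"
PAIR_RE = re.compile(
    r"push\s+(?P<dummy>" + REG + r")\s*;\s*"
    r"mov\s+dword\s+ptr\s+\[esp\]\s*,\s*(?P<src>[0-9A-Fa-f]+h|" + REG + r")",
    re.IGNORECASE,
)

# Assumed: the sample is mapped at 0x400000 and the pages cited by the
# memory Yara matches (0x401000, 0x422000, 0x423000) lie below 0x500000.
IMAGE_LO, IMAGE_HI = 0x400000, 0x500000

# Windows virtual-key codes (SDK constants). Treating the small immediates
# in 3_2_00409953 as GetKeyState arguments is an inference, not a report fact.
VK_NAMES = {0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU",
            0x14: "VK_CAPITAL", 0x90: "VK_NUMLOCK", 0x91: "VK_SCROLL"}


def collapse_push_pair(line: str) -> Optional[Tuple[str, Optional[int]]]:
    """Return (equivalent_single_push, immediate_or_None), or None when the
    line is not a push/mov-[esp] pair. `push ecx; mov [esp], 42h` leaves the
    stack exactly as `push 0x42` would, so the dummy register is dropped."""
    m = PAIR_RE.search(line)
    if not m:
        return None
    src = m.group("src")
    if src[-1] in "hH":
        imm = int(src[:-1], 16)
        return "push 0x%08X" % imm, imm
    return "push " + src.lower(), None


def describe_immediate(imm: int) -> str:
    """Rough meaning of a pushed constant under the assumptions above."""
    if IMAGE_LO <= imm < IMAGE_HI:
        return "pointer into image"
    if imm in VK_NAMES:
        return VK_NAMES[imm]
    return "constant"


def summarize(lines: List[str]) -> Dict[str, int]:
    """Count how many pairs collapse to a register push, an image pointer,
    a known VK code or a plain constant."""
    counts = {"register": 0, "pointer into image": 0, "vk": 0, "constant": 0, "unparsed": 0}
    for line in lines:
        r = collapse_push_pair(line)
        if r is None:
            counts["unparsed"] += 1
            continue
        _, imm = r
        if imm is None:
            counts["register"] += 1
        else:
            kind = describe_immediate(imm)
            counts["vk" if kind.startswith("VK_") else kind] += 1
    return counts


# A subset of the lines from this report, with the 'Code function:' prefix trimmed.
REPORT_LINES = [
    "3_2_0040DCE9 push ecx; mov dword ptr [esp], 00423976h 3_2_0040DD9F",
    "3_2_0040DCE9 push ebp; mov dword ptr [esp], 0042398Ah 3_2_0040DDD9",
    "3_2_0040DCE9 push edx; mov dword ptr [esp], esi 3_2_0040E394",
    "3_2_00409953 push edi; mov dword ptr [esp], 00000091h 3_2_00409980",
    "3_2_00409953 push ebp; mov dword ptr [esp], 00000090h 3_2_0040998D",
    "3_2_0040970C push eax; mov dword ptr [esp], 0042B4A0h 3_2_004097B9",
]

if __name__ == "__main__":
    for line in REPORT_LINES:
        single, imm = collapse_push_pair(line)
        note = describe_immediate(imm) if imm is not None else "register"
        print(f"{line.split()[0]}: {single}  ({note})")
    print(summarize(REPORT_LINES))
```

Run over the six lines above, the pairs reduce to three pushes of addresses inside the image (string or buffer arguments), one register push, and two small constants in the keylogging function that coincide with the NUMLOCK and SCROLL lock-key codes. That is ordinary argument set-up, which is why this signature should be weighed together with the Yara and configuration hits rather than on its own.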

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\BiUwyvgVx6.exe Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe Evasive API call chain: RegOpenKey,DecisionNodes,Sleep
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe API coverage: 0.6 %
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe Code function: 3_2_00406453 MultiByteToWideChar,SetErrorMode,FindFirstFileW,FileTimeToSystemTime,WideCharToMultiByte,WideCharToMultiByte,FindNextFileW,FindClose, 3_2_00406453
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe Code function: 3_2_0040680D SetErrorMode,MultiByteToWideChar,wcscat,FindFirstFileW,FindClose,WideCharToMultiByte,FindNextFileW, 3_2_0040680D
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe Code function: 3_2_0040753D MultiByteToWideChar,SetErrorMode,MultiByteToWideChar,wcscat,FindFirstFileW,FindClose,WideCharToMultiByte,MultiByteToWideChar,wcscat,WideCharToMultiByte,FindNextFileW, 3_2_0040753D
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe Code function: 3_2_00413A85 SetErrorMode,MultiByteToWideChar,FindFirstFileW,WideCharToMultiByte,WideCharToMultiByte,FindNextFileW,FindClose, 3_2_00413A85
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe Code function: 3_2_0040DB1C SetErrorMode,FindFirstFileA,FindNextFileA,FindClose, 3_2_0040DB1C
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe Code function: 3_2_00406F83 SetErrorMode,FindFirstFileA,strcmp,strcmp,strcat,fopen,strncpy,fclose,strcpy,FindNextFileA,FindClose, 3_2_00406F83
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe Code function: 3_2_00406390 FindFirstFileW,fopen,_snwprintf,fwprintf,_snwprintf,FindNextFileW,FindClose,fclose, 3_2_00406390
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe Code function: 3_2_00406084 SetErrorMode,GetLogicalDriveStringsA,GetVolumeInformationA,GetDiskFreeSpaceExA,GetDriveTypeA, 3_2_00406084
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe Code function: 3_2_004132E6 GetVersionExA,GetVersionExA,GetSystemInfo,GetSystemMetrics, 3_2_004132E6
Source: Amcache.hve.16.dr Binary or memory string: VMware
Source: Amcache.hve.16.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.16.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.16.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.16.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.16.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.16.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.16.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.16.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.16.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.16.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.16.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.16.dr Binary or memory string: vmci.sys
Source: BiUwyvgVx6.exe, 00000003.00000002.1721788478.000000000068E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll9
Source: Amcache.hve.16.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.16.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.16.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.16.dr Binary or memory string: VMware20,1
Source: Amcache.hve.16.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.16.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.16.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.16.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.16.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.16.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.16.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.16.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.16.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.16.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.16.dr Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
Source: Amcache.hve.16.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe Code function: 3_2_00408417 LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,malloc,malloc,malloc,LoadLibraryA,GetProcAddress,malloc,malloc,malloc,malloc, 3_2_00408417
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe Code function: 3_2_004121C0 keybd_event, 3_2_004121C0
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe Code function: 3_2_004121EF SetCursorPos,mouse_event, 3_2_004121EF
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe Code function: 3_2_0040A115 GetLocalTime, 3_2_0040A115
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe Code function: 3_2_004130E8 GetUserNameW,WideCharToMultiByte, 3_2_004130E8
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe Code function: 3_2_004132E6 GetVersionExA,GetVersionExA,GetSystemInfo,GetSystemMetrics, 3_2_004132E6
Source: Amcache.hve.16.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.16.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.16.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.16.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.16.dr Binary or memory string: MsMpEng.exe
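The "Code function" API chains, the "Evasive API call chain" line and the Amcache "Binary or memory string" hits above are raw signature output; a reviewer still has to turn them into behaviours (file enumeration, dynamic API resolution, input simulation, hypervisor and AV artifacts). The Python below is an added triage helper, not part of this report or of any Joe Security tooling: it parses a handful of lines copied from the sections above (embedded as constructed input) and tags each with the behaviour a reviewer would infer. The API-to-behaviour table and the artifact markers are this example's own assumptions, not report categories.

```python
"""Triage helper for Joe Sandbox-style signature lines.

Added example: not part of the report above or of Joe Security's tooling.
It recognises three line shapes seen in the report ("Code function", "Evasive
API call chain" and "Binary or memory string") and maps them to behaviours.
"""
import re
from collections import Counter

# Constructed input: a few lines copied verbatim from the report section above.
REPORT_LINES = r"""
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe Evasive API call chain: RegOpenKey,DecisionNodes,Sleep
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe Code function: 3_2_00406453 MultiByteToWideChar,SetErrorMode,FindFirstFileW,FileTimeToSystemTime,WideCharToMultiByte,WideCharToMultiByte,FindNextFileW,FindClose, 3_2_00406453
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe Code function: 3_2_00408417 LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,malloc,malloc,malloc,LoadLibraryA,GetProcAddress,malloc,malloc,malloc,malloc, 3_2_00408417
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe Code function: 3_2_004121C0 keybd_event, 3_2_004121C0
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe Code function: 3_2_004121EF SetCursorPos,mouse_event, 3_2_004121EF
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe Code function: 3_2_004132E6 GetVersionExA,GetVersionExA,GetSystemInfo,GetSystemMetrics, 3_2_004132E6
Source: Amcache.hve.16.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.16.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.16.dr Binary or memory string: Microsoft Hyper-V Generation Counter
"""

# "Code function: <id> <api,api,...,> <id>" -- the API list has no spaces and
# ends with a trailing comma, and the function id is repeated at the end.
CODE_FN = re.compile(r"Code function: (?P<fn>\S+) (?P<apis>\S+) (?P=fn)$")
CHAIN = re.compile(r"Evasive API call chain: (?P<apis>\S+)$")
MEM_STR = re.compile(r"Source: (?P<src>\S+) Binary or memory string: (?P<s>.*)$")

# Assumed API -> behaviour mapping (this example's own, not a Joe Sandbox category).
API_BEHAVIOURS = {
    "FindFirstFileW": "file-system enumeration",
    "FindFirstFileA": "file-system enumeration",
    "GetLogicalDriveStringsA": "drive enumeration",
    "LoadLibraryA": "dynamic API resolution",
    "GetProcAddress": "dynamic API resolution",
    "keybd_event": "input simulation",
    "mouse_event": "input simulation",
    "SetCursorPos": "input simulation",
    "GetVersionExA": "host fingerprinting",
    "GetSystemInfo": "host fingerprinting",
    "GetUserNameW": "host fingerprinting",
    "RegOpenKey": "registry probe",
    "Sleep": "delay / sandbox timeout evasion",
}

# Assumed substrings that mark a hypervisor or an AV engine in a memory string.
ARTIFACT_MARKERS = {
    "vmware": "VMware artifact",
    "vmci": "VMware artifact",
    "hyper-v": "Hyper-V artifact",
    "msmpeng": "Windows Defender process",
}


def parse_line(line):
    """Return (kind, payload) for a recognised report line, else None."""
    m = CODE_FN.search(line)
    if m:
        apis = [a for a in m.group("apis").split(",") if a]  # drop the trailing ''
        return ("code_function", {"function": m.group("fn"), "apis": apis})
    m = CHAIN.search(line)
    if m:
        return ("evasive_chain", {"apis": m.group("apis").split(",")})
    m = MEM_STR.search(line)
    if m:
        return ("memory_string", {"source": m.group("src"), "string": m.group("s")})
    return None


def classify(parsed):
    """Map one parsed line to the set of behaviours it suggests."""
    kind, payload = parsed
    tags = set()
    if kind in ("code_function", "evasive_chain"):
        tags.update(API_BEHAVIOURS[a] for a in payload["apis"] if a in API_BEHAVIOURS)
    elif kind == "memory_string":
        text = payload["string"].lower()
        tags.update(tag for marker, tag in ARTIFACT_MARKERS.items() if marker in text)
    return tags


def triage(text):
    """Parse every line; return ({behaviour: hit count}, [(kind, sorted tags), ...])."""
    summary, details = Counter(), []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # blank line or a line shape this helper does not handle
        tags = classify(parsed)
        details.append((parsed[0], sorted(tags)))
        summary.update(tags)
    return summary, details


if __name__ == "__main__":
    counts, rows = triage(REPORT_LINES)
    for behaviour, n in counts.most_common():
        print(f"{n:2d}  {behaviour}")
```

Unmatched lines are skipped rather than treated as errors, because a sandbox report mixes many signature shapes; extend the two tables as new API names or artifact strings turn up. Note that the Amcache.hve strings come from the analysis VM's own registry hive, so they show what a sample could fingerprint, not that this sample did.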

Remote Access Functionality

Source: Yara match File source: BiUwyvgVx6.exe, type: SAMPLE
Source: Yara match File source: 3.2.BiUwyvgVx6.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.BiUwyvgVx6.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.1721560085.0000000000423000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.1275186965.0000000000422000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: BiUwyvgVx6.exe PID: 5680, type: MEMORYSTR
No contacted IP information