Windows Analysis Report
3rnPaaLLdb.exe

Overview

General Information

Sample name: 3rnPaaLLdb.exe
renamed because original name is a hash value
Original sample name: e55d6c6652145fe9b7ae5cc8b9806b259f3ed2e134fb825f3bed7fa8bc25fd6c.exe
Analysis ID: 1447649
MD5: 9096907f595b85c38d86501e1e6392a1
SHA1: 7a0566f02a87eb7fd4ca988fce5e6d4bc1be54ac
SHA256: e55d6c6652145fe9b7ae5cc8b9806b259f3ed2e134fb825f3bed7fa8bc25fd6c
Tags: exe, NetWire

Detection

NetWire
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected NetWire RAT
Yara detected Netwire RAT
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes
Found evasive API chain (may stop execution after checking mutex)
Machine Learning detection for sample
AV process strings found (often used to terminate AV products)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to dynamically determine API calls
Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Detected potential crypto function
Found decision node followed by non-executed suspicious APIs
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Installs a raw input device (often for capturing keystrokes)
One or more processes crash
PE file contains an invalid checksum
Potential key logger detected (key state polling based)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name: NetWire RC, NetWire
Description: Netwire is a RAT, its functionality seems focused on password stealing and keylogging, but includes remote control capabilities as well. Keylog files are stored on the infected machine in an obfuscated form. The algorithm is: for i in range(0,num_read): buffer[i] = ((buffer[i]-0x24)^0x9D)&0xFF
Attribution: APT33
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.netwire

AV Detection

Source: 3rnPaaLLdb.exe Avira: detected
Source: 0.2.3rnPaaLLdb.exe.400000.0.unpack Malware Configuration Extractor: NetWire {"C2 list": ["86t7b9br9.ddns.net:8980"], "Password": "4678553478654HJKGHKJGHKJG4543", "Host ID": "HostId-OuEmii", "Mutex": "-", "Install Path": "-", "Startup Name": "-", "ActiveX Key": "-", "KeyLog Directory": "-"}
Source: 86t7b9br9.ddns.net:8980 Virustotal: Detection: 9%
Source: 3rnPaaLLdb.exe ReversingLabs: Detection: 97%
Source: 3rnPaaLLdb.exe Virustotal: Detection: 90%
Source: 3rnPaaLLdb.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\3rnPaaLLdb.exe Code function: 0_2_0040A07F CryptUnprotectData,LocalFree, 0_2_0040A07F
Source: C:\Users\user\Desktop\3rnPaaLLdb.exe Code function: 0_2_004080D4 RegOpenKeyExA,RegOpenKeyExA,CryptUnprotectData,LocalFree,RegCloseKey,RegEnumKeyExA,RegCloseKey, 0_2_004080D4
Source: C:\Users\user\Desktop\3rnPaaLLdb.exe Code function: 0_2_00408D46 LoadLibraryA,GetProcAddress,GetProcAddress,CryptUnprotectData,strlen, 0_2_00408D46
Source: C:\Users\user\Desktop\3rnPaaLLdb.exe Code function: 0_2_00408971 RegQueryValueExA,CryptUnprotectData,LocalFree, 0_2_00408971
Source: C:\Users\user\Desktop\3rnPaaLLdb.exe Code function: 0_2_004087B6 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, 0_2_004087B6
Source: 3rnPaaLLdb.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: C:\Users\user\Desktop\3rnPaaLLdb.exe Code function: 0_2_0040D054 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose, 0_2_0040D054
Source: C:\Users\user\Desktop\3rnPaaLLdb.exe Code function: 0_2_0040947B SetErrorMode,FindFirstFileA,strlen,FindNextFileA,FindClose, 0_2_0040947B
Source: C:\Users\user\Desktop\3rnPaaLLdb.exe Code function: 0_2_00404C1F SetErrorMode,FindFirstFileA,FindClose,FindNextFileA, 0_2_00404C1F
Source: C:\Users\user\Desktop\3rnPaaLLdb.exe Code function: 0_2_004045AC SetErrorMode,FindFirstFileA,FindClose,FindNextFileA, 0_2_004045AC
Source: C:\Users\user\Desktop\3rnPaaLLdb.exe Code function: 0_2_00404305 SetErrorMode,FindFirstFileA,FileTimeToSystemTime,FindNextFileA,FindClose, 0_2_00404305
Source: C:\Users\user\Desktop\3rnPaaLLdb.exe Code function: 0_2_00412640 SetErrorMode,GetLogicalDriveStringsA,GetVolumeInformationA,GetDiskFreeSpaceExA,GetDriveTypeA, 0_2_00412640

Networking

Source: Malware configuration extractor URLs: 86t7b9br9.ddns.net:8980
Source: C:\Users\user\Desktop\3rnPaaLLdb.exe Code function: 0_2_00403877 send,recv,htons,send,recv, 0_2_00403877
Source: Amcache.hve.13.dr String found in binary or memory: http://upx.sf.net

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\3rnPaaLLdb.exe Code function: 0_2_0040FD21 GetKeyState,GetKeyState,GetKeyState,GetKeyboardState,MapVirtualKeyA,ToAscii,GetKeyState,MapVirtualKeyA,GetKeyNameTextA,GetKeyState, 0_2_0040FD21
Source: C:\Users\user\Desktop\3rnPaaLLdb.exe Code function: 0_2_004061D0 GetSystemMetrics,GetSystemMetrics,GetDesktopWindow,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GetDIBits,malloc,GetDIBits,ReleaseDC,DeleteDC,DeleteObject, 0_2_004061D0
Source: 3rnPaaLLdb.exe, 00000000.00000000.1224891151.0000000000413000.00000008.00000001.01000000.00000003.sdmp Binary or memory string: RegisterRawInputDevices memstr_bbf15e62-a

System Summary

Source: 3rnPaaLLdb.exe, type: SAMPLE Matched rule: Windows_Trojan_Netwire_6a7df287 Author: unknown
Source: 3rnPaaLLdb.exe, type: SAMPLE Matched rule: Windows_Trojan_Netwire_1b43df38 Author: unknown
Source: 3rnPaaLLdb.exe, type: SAMPLE Matched rule: Detects credential stealer byed on many strings that indicate password store access Author: Florian Roth
Source: 3rnPaaLLdb.exe, type: SAMPLE Matched rule: Detects unspecified malware sample Author: Florian Roth
Source: 3rnPaaLLdb.exe, type: SAMPLE Matched rule: Detects NetWire RAT Author: Kevin Breen <kevin@techanarchy.net> & David Cannings
Source: 3rnPaaLLdb.exe, type: SAMPLE Matched rule: NetWiredRC Author: Jean-Philippe Teissier / @Jipe_
Source: 3rnPaaLLdb.exe, type: SAMPLE Matched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.3rnPaaLLdb.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Netwire_6a7df287 Author: unknown
Source: 0.2.3rnPaaLLdb.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Netwire_1b43df38 Author: unknown
Source: 0.2.3rnPaaLLdb.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects credential stealer byed on many strings that indicate password store access Author: Florian Roth
Source: 0.2.3rnPaaLLdb.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects unspecified malware sample Author: Florian Roth
Source: 0.2.3rnPaaLLdb.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects NetWire RAT Author: Kevin Breen <kevin@techanarchy.net> & David Cannings
Source: 0.2.3rnPaaLLdb.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NetWiredRC Author: Jean-Philippe Teissier / @Jipe_
Source: 0.2.3rnPaaLLdb.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
Source: 0.0.3rnPaaLLdb.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Netwire_6a7df287 Author: unknown
Source: 0.0.3rnPaaLLdb.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Netwire_1b43df38 Author: unknown
Source: 0.0.3rnPaaLLdb.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects credential stealer byed on many strings that indicate password store access Author: Florian Roth
Source: 0.0.3rnPaaLLdb.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects unspecified malware sample Author: Florian Roth
Source: 0.0.3rnPaaLLdb.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects NetWire RAT Author: Kevin Breen <kevin@techanarchy.net> & David Cannings
Source: 0.0.3rnPaaLLdb.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NetWiredRC Author: Jean-Philippe Teissier / @Jipe_
Source: 0.0.3rnPaaLLdb.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000000.1224891151.0000000000413000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Netwire_1b43df38 Author: unknown
Source: 00000000.00000000.1224891151.0000000000413000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Detects unspecified malware sample Author: Florian Roth
Source: 00000000.00000000.1224891151.0000000000413000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Detects NetWire RAT Author: Kevin Breen <kevin@techanarchy.net> & David Cannings
Source: 00000000.00000000.1224891151.0000000000413000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: NetWiredRC Author: Jean-Philippe Teissier / @Jipe_
Source: 00000000.00000000.1224891151.0000000000413000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.1576799978.0000000000414000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Netwire_1b43df38 Author: unknown
Source: 00000000.00000002.1576799978.0000000000414000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Detects unspecified malware sample Author: Florian Roth
Source: 00000000.00000002.1576799978.0000000000414000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: NetWiredRC Author: Jean-Philippe Teissier / @Jipe_
Source: 00000000.00000002.1576763380.0000000000413000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Detects unspecified malware sample Author: Florian Roth
Source: 00000000.00000000.1224847047.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Netwire_6a7df287 Author: unknown
Source: 00000000.00000002.1576742458.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Netwire_6a7df287 Author: unknown
Source: Process Memory Space: 3rnPaaLLdb.exe PID: 7580, type: MEMORYSTR Matched rule: Windows_Trojan_Netwire_1b43df38 Author: unknown
Source: Process Memory Space: 3rnPaaLLdb.exe PID: 7580, type: MEMORYSTR Matched rule: Detects unspecified malware sample Author: Florian Roth
Source: Process Memory Space: 3rnPaaLLdb.exe PID: 7580, type: MEMORYSTR Matched rule: Detects NetWire RAT Author: Kevin Breen <kevin@techanarchy.net> & David Cannings
Source: Process Memory Space: 3rnPaaLLdb.exe PID: 7580, type: MEMORYSTR Matched rule: NetWiredRC Author: Jean-Philippe Teissier / @Jipe_
Source: Process Memory Space: 3rnPaaLLdb.exe PID: 7580, type: MEMORYSTR Matched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\Desktop\3rnPaaLLdb.exe Memory allocated: 70DD0000 page read and write
Source: C:\Users\user\Desktop\3rnPaaLLdb.exe Memory allocated: 71DA0000 page read and write
Source: C:\Users\user\Desktop\3rnPaaLLdb.exe Memory allocated: 72D70000 page read and write
Source: C:\Users\user\Desktop\3rnPaaLLdb.exe Memory allocated: 74200000 page read and write
Source: C:\Users\user\Desktop\3rnPaaLLdb.exe Memory allocated: 777B0000 page read and write
Source: C:\Users\user\Desktop\3rnPaaLLdb.exe Memory allocated: 76170000 page read and write
Source: C:\Users\user\Desktop\3rnPaaLLdb.exe Memory allocated: 73D40000 page read and write
Source: C:\Users\user\Desktop\3rnPaaLLdb.exe Memory allocated: 751D0000 page read and write
Source: C:\Users\user\Desktop\3rnPaaLLdb.exe Memory allocated: 76DB0000 page read and write
Source: C:\Users\user\Desktop\3rnPaaLLdb.exe Memory allocated: 753D0000 page read and write
Source: C:\Users\user\Desktop\3rnPaaLLdb.exe Memory allocated: 756F0000 page read and write
Source: C:\Users\user\Desktop\3rnPaaLLdb.exe Memory allocated: 76060000 page read and write
Source: C:\Users\user\Desktop\3rnPaaLLdb.exe Memory allocated: 76960000 page read and write
Source: C:\Users\user\Desktop\3rnPaaLLdb.exe Memory allocated: 76A30000 page read and write
Source: C:\Users\user\Desktop\3rnPaaLLdb.exe Memory allocated: 76BC0000 page read and write
Source: C:\Users\user\Desktop\3rnPaaLLdb.exe Memory allocated: 76FB0000 page read and write
Source: C:\Users\user\Desktop\3rnPaaLLdb.exe Memory allocated: 771E0000 page read and write
Source: C:\Users\user\Desktop\3rnPaaLLdb.exe Memory allocated: 75770000 page read and write
Source: C:\Users\user\Desktop\3rnPaaLLdb.exe Memory allocated: 76AB0000 page read and write
Source: C:\Users\user\Desktop\3rnPaaLLdb.exe Memory allocated: 76C40000 page read and write
Source: C:\Users\user\Desktop\3rnPaaLLdb.exe Memory allocated: 77450000 page read and write
Source: C:\Users\user\Desktop\3rnPaaLLdb.exe Memory allocated: 775A0000 page read and write
Source: C:\Users\user\Desktop\3rnPaaLLdb.exe Memory allocated: 76C80000 page read and write
Source: C:\Users\user\Desktop\3rnPaaLLdb.exe Memory allocated: 77260000 page read and write
Source: C:\Users\user\Desktop\3rnPaaLLdb.exe Code function: 0_2_0040E4C4 0_2_0040E4C4
Source: C:\Users\user\Desktop\3rnPaaLLdb.exe Code function: 0_2_00411D8F 0_2_00411D8F
Source: C:\Users\user\Desktop\3rnPaaLLdb.exe Code function: 0_2_0040E190 0_2_0040E190
Source: C:\Users\user\Desktop\3rnPaaLLdb.exe Code function: 0_2_00411614 0_2_00411614
Source: C:\Users\user\Desktop\3rnPaaLLdb.exe Code function: 0_2_0040E6A3 0_2_0040E6A3
Source: C:\Users\user\Desktop\3rnPaaLLdb.exe Code function: 0_2_0040EB76 0_2_0040EB76
Source: C:\Users\user\Desktop\3rnPaaLLdb.exe Code function: 0_2_00402BE6 0_2_00402BE6
Source: C:\Users\user\Desktop\3rnPaaLLdb.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7580 -s 396
Source: 3rnPaaLLdb.exe, type: SAMPLE Matched rule: Windows_Trojan_Netwire_6a7df287 reference_sample = e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Netwire, fingerprint = 85051a0b94da4388eaead4c4f4b2d16d4a5eb50c3c938b3daf5c299c9c12f1e6, id = 6a7df287-1656-4779-9a96-c0ab536ae86a, last_modified = 2021-08-23
Source: 3rnPaaLLdb.exe, type: SAMPLE Matched rule: Windows_Trojan_Netwire_1b43df38 reference_sample = e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Netwire, fingerprint = 4142ea14157939dc23b8d1f5d83182aef3a5877d2506722f7a2706b7cb475b76, id = 1b43df38-886e-4f58-954a-a09f30f19907, last_modified = 2021-08-23
Source: 3rnPaaLLdb.exe, type: SAMPLE Matched rule: CredentialStealer_Generic_Backdoor date = 2017-06-07, hash1 = edb2d039a57181acf95bd91b2a20bd9f1d66f3ece18506d4ad870ab65e568f2c, author = Florian Roth, description = Detects credential stealer byed on many strings that indicate password store access, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3rnPaaLLdb.exe, type: SAMPLE Matched rule: MAL_unspecified_Jan18_1 date = 2018-01-19, hash1 = f87879b29ff83616e9c9044bd5fb847cf5d2efdd2f01fc284d1a6ce7d464a417, author = Florian Roth, description = Detects unspecified malware sample, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3rnPaaLLdb.exe, type: SAMPLE Matched rule: RAT_NetWire date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net> & David Cannings, maltype = Remote Access Trojan, description = Detects NetWire RAT, reference = http://malwareconfig.com/stats/NetWire
Source: 3rnPaaLLdb.exe, type: SAMPLE Matched rule: NetWiredRC_B date = 2014-12-23, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = NetWiredRC, version = 1.1
Source: 3rnPaaLLdb.exe, type: SAMPLE Matched rule: netwire author = JPCERT/CC Incident Response Group, description = detect netwire in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.3rnPaaLLdb.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Netwire_6a7df287 reference_sample = e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Netwire, fingerprint = 85051a0b94da4388eaead4c4f4b2d16d4a5eb50c3c938b3daf5c299c9c12f1e6, id = 6a7df287-1656-4779-9a96-c0ab536ae86a, last_modified = 2021-08-23
Source: 0.2.3rnPaaLLdb.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Netwire_1b43df38 reference_sample = e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Netwire, fingerprint = 4142ea14157939dc23b8d1f5d83182aef3a5877d2506722f7a2706b7cb475b76, id = 1b43df38-886e-4f58-954a-a09f30f19907, last_modified = 2021-08-23
Source: 0.2.3rnPaaLLdb.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: CredentialStealer_Generic_Backdoor date = 2017-06-07, hash1 = edb2d039a57181acf95bd91b2a20bd9f1d66f3ece18506d4ad870ab65e568f2c, author = Florian Roth, description = Detects credential stealer byed on many strings that indicate password store access, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.3rnPaaLLdb.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MAL_unspecified_Jan18_1 date = 2018-01-19, hash1 = f87879b29ff83616e9c9044bd5fb847cf5d2efdd2f01fc284d1a6ce7d464a417, author = Florian Roth, description = Detects unspecified malware sample, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.3rnPaaLLdb.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: RAT_NetWire date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net> & David Cannings, maltype = Remote Access Trojan, description = Detects NetWire RAT, reference = http://malwareconfig.com/stats/NetWire
Source: 0.2.3rnPaaLLdb.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NetWiredRC_B date = 2014-12-23, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = NetWiredRC, version = 1.1
Source: 0.2.3rnPaaLLdb.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: netwire author = JPCERT/CC Incident Response Group, description = detect netwire in memory, rule_usage = memory scan, reference = internal research
Source: 0.0.3rnPaaLLdb.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Netwire_6a7df287 reference_sample = e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Netwire, fingerprint = 85051a0b94da4388eaead4c4f4b2d16d4a5eb50c3c938b3daf5c299c9c12f1e6, id = 6a7df287-1656-4779-9a96-c0ab536ae86a, last_modified = 2021-08-23
Source: 0.0.3rnPaaLLdb.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Netwire_1b43df38 reference_sample = e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Netwire, fingerprint = 4142ea14157939dc23b8d1f5d83182aef3a5877d2506722f7a2706b7cb475b76, id = 1b43df38-886e-4f58-954a-a09f30f19907, last_modified = 2021-08-23
Source: 0.0.3rnPaaLLdb.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: CredentialStealer_Generic_Backdoor date = 2017-06-07, hash1 = edb2d039a57181acf95bd91b2a20bd9f1d66f3ece18506d4ad870ab65e568f2c, author = Florian Roth, description = Detects credential stealer byed on many strings that indicate password store access, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.0.3rnPaaLLdb.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MAL_unspecified_Jan18_1 date = 2018-01-19, hash1 = f87879b29ff83616e9c9044bd5fb847cf5d2efdd2f01fc284d1a6ce7d464a417, author = Florian Roth, description = Detects unspecified malware sample, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.0.3rnPaaLLdb.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: RAT_NetWire date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net> & David Cannings, maltype = Remote Access Trojan, description = Detects NetWire RAT, reference = http://malwareconfig.com/stats/NetWire
Source: 0.0.3rnPaaLLdb.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NetWiredRC_B date = 2014-12-23, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = NetWiredRC, version = 1.1
Source: 0.0.3rnPaaLLdb.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: netwire author = JPCERT/CC Incident Response Group, description = detect netwire in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000000.1224891151.0000000000413000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Netwire_1b43df38 reference_sample = e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Netwire, fingerprint = 4142ea14157939dc23b8d1f5d83182aef3a5877d2506722f7a2706b7cb475b76, id = 1b43df38-886e-4f58-954a-a09f30f19907, last_modified = 2021-08-23
Source: 00000000.00000000.1224891151.0000000000413000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: MAL_unspecified_Jan18_1 date = 2018-01-19, hash1 = f87879b29ff83616e9c9044bd5fb847cf5d2efdd2f01fc284d1a6ce7d464a417, author = Florian Roth, description = Detects unspecified malware sample, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000000.1224891151.0000000000413000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: RAT_NetWire date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net> & David Cannings, maltype = Remote Access Trojan, description = Detects NetWire RAT, reference = http://malwareconfig.com/stats/NetWire
Source: 00000000.00000000.1224891151.0000000000413000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: NetWiredRC_B date = 2014-12-23, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = NetWiredRC, version = 1.1
Source: 00000000.00000000.1224891151.0000000000413000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: netwire author = JPCERT/CC Incident Response Group, description = detect netwire in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.1576799978.0000000000414000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Netwire_1b43df38 reference_sample = e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Netwire, fingerprint = 4142ea14157939dc23b8d1f5d83182aef3a5877d2506722f7a2706b7cb475b76, id = 1b43df38-886e-4f58-954a-a09f30f19907, last_modified = 2021-08-23
Source: 00000000.00000002.1576799978.0000000000414000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: MAL_unspecified_Jan18_1 date = 2018-01-19, hash1 = f87879b29ff83616e9c9044bd5fb847cf5d2efdd2f01fc284d1a6ce7d464a417, author = Florian Roth, description = Detects unspecified malware sample, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.1576799978.0000000000414000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: NetWiredRC_B date = 2014-12-23, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = NetWiredRC, version = 1.1
Source: 00000000.00000002.1576763380.0000000000413000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: MAL_unspecified_Jan18_1 date = 2018-01-19, hash1 = f87879b29ff83616e9c9044bd5fb847cf5d2efdd2f01fc284d1a6ce7d464a417, author = Florian Roth, description = Detects unspecified malware sample, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000000.1224847047.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Netwire_6a7df287 reference_sample = e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Netwire, fingerprint = 85051a0b94da4388eaead4c4f4b2d16d4a5eb50c3c938b3daf5c299c9c12f1e6, id = 6a7df287-1656-4779-9a96-c0ab536ae86a, last_modified = 2021-08-23
Source: 00000000.00000002.1576742458.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Netwire_6a7df287 reference_sample = e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Netwire, fingerprint = 85051a0b94da4388eaead4c4f4b2d16d4a5eb50c3c938b3daf5c299c9c12f1e6, id = 6a7df287-1656-4779-9a96-c0ab536ae86a, last_modified = 2021-08-23
Source: Process Memory Space: 3rnPaaLLdb.exe PID: 7580, type: MEMORYSTR Matched rule: Windows_Trojan_Netwire_1b43df38 reference_sample = e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Netwire, fingerprint = 4142ea14157939dc23b8d1f5d83182aef3a5877d2506722f7a2706b7cb475b76, id = 1b43df38-886e-4f58-954a-a09f30f19907, last_modified = 2021-08-23
Source: Process Memory Space: 3rnPaaLLdb.exe PID: 7580, type: MEMORYSTR Matched rule: MAL_unspecified_Jan18_1 date = 2018-01-19, hash1 = f87879b29ff83616e9c9044bd5fb847cf5d2efdd2f01fc284d1a6ce7d464a417, author = Florian Roth, description = Detects unspecified malware sample, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Process Memory Space: 3rnPaaLLdb.exe PID: 7580, type: MEMORYSTR Matched rule: RAT_NetWire date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net> & David Cannings, maltype = Remote Access Trojan, description = Detects NetWire RAT, reference = http://malwareconfig.com/stats/NetWire
Source: Process Memory Space: 3rnPaaLLdb.exe PID: 7580, type: MEMORYSTR Matched rule: NetWiredRC_B date = 2014-12-23, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = NetWiredRC, version = 1.1
Source: Process Memory Space: 3rnPaaLLdb.exe PID: 7580, type: MEMORYSTR Matched rule: netwire author = JPCERT/CC Incident Response Group, description = detect netwire in memory, rule_usage = memory scan, reference = internal research
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@2/5@0/0
Source: C:\Users\user\Desktop\3rnPaaLLdb.exe Code function: 0_2_004120BC CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, 0_2_004120BC
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7580
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\73ae1446-e555-4b34-98b0-f79aa12b068c
Source: 3rnPaaLLdb.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\3rnPaaLLdb.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\3rnPaaLLdb.exe "C:\Users\user\Desktop\3rnPaaLLdb.exe"
Source: C:\Users\user\Desktop\3rnPaaLLdb.exe Section loaded: apphelp.dll
Source: 3rnPaaLLdb.exe Static PE information: real checksum: 0x22a50 should be: 0x233df
Source: C:\Users\user\Desktop\3rnPaaLLdb.exe Code function: 0_2_0040491C push edi; mov dword ptr [esp], eax 0_2_004049DB
Source: C:\Users\user\Desktop\3rnPaaLLdb.exe Code function: 0_2_0040FD21 push ecx; mov dword ptr [esp], 00000091h 0_2_0040FD3C
Source: C:\Users\user\Desktop\3rnPaaLLdb.exe Code function: 0_2_0040FD21 push eax; mov dword ptr [esp], esi 0_2_0040FD5C
Source: C:\Users\user\Desktop\3rnPaaLLdb.exe Code function: 0_2_0040D9C2 push ecx; mov dword ptr [esp], ebx 0_2_0040D9EE
Source: C:\Users\user\Desktop\3rnPaaLLdb.exe Code function: 0_2_004061D0 push edx; mov dword ptr [esp], eax 0_2_00406464
Source: C:\Users\user\Desktop\3rnPaaLLdb.exe Code function: 0_2_004049EC push ecx; mov dword ptr [esp], ebx 0_2_00404A1A
Source: C:\Users\user\Desktop\3rnPaaLLdb.exe Code function: 0_2_004111FE push ecx; mov dword ptr [esp], eax 0_2_004113ED
Source: C:\Users\user\Desktop\3rnPaaLLdb.exe Code function: 0_2_00410182 push eax; mov dword ptr [esp], ebx 0_2_004102E2
Source: C:\Users\user\Desktop\3rnPaaLLdb.exe Code function: 0_2_0040FA98 push eax; mov dword ptr [esp], 004186C0h 0_2_0040FB46
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\3rnPaaLLdb.exe Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess
Source: C:\Users\user\Desktop\3rnPaaLLdb.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Users\user\Desktop\3rnPaaLLdb.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\Users\user\Desktop\3rnPaaLLdb.exe API coverage: 0.8 %
Source: C:\Users\user\Desktop\3rnPaaLLdb.exe Code function: 0_2_0040D054 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose, 0_2_0040D054
Source: C:\Users\user\Desktop\3rnPaaLLdb.exe Code function: 0_2_0040947B SetErrorMode,FindFirstFileA,strlen,FindNextFileA,FindClose, 0_2_0040947B
Source: C:\Users\user\Desktop\3rnPaaLLdb.exe Code function: 0_2_00404C1F SetErrorMode,FindFirstFileA,FindClose,FindNextFileA, 0_2_00404C1F
Source: C:\Users\user\Desktop\3rnPaaLLdb.exe Code function: 0_2_004045AC SetErrorMode,FindFirstFileA,FindClose,FindNextFileA, 0_2_004045AC
Source: C:\Users\user\Desktop\3rnPaaLLdb.exe Code function: 0_2_00404305 SetErrorMode,FindFirstFileA,FileTimeToSystemTime,FindNextFileA,FindClose, 0_2_00404305
Source: C:\Users\user\Desktop\3rnPaaLLdb.exe Code function: 0_2_00412640 SetErrorMode,GetLogicalDriveStringsA,GetVolumeInformationA,GetDiskFreeSpaceExA,GetDriveTypeA, 0_2_00412640
Source: C:\Users\user\Desktop\3rnPaaLLdb.exe Code function: 0_2_0040B8A4 GetVersionExA,GetVersionExA,GetSystemInfo,GetSystemMetrics,RegOpenKeyExA,RegQueryValueExA,RegCloseKey, 0_2_0040B8A4
Source: Amcache.hve.13.dr Binary or memory string: VMware
Source: Amcache.hve.13.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.13.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.13.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.13.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.13.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.13.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.13.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.13.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.13.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.13.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.13.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.13.dr Binary or memory string: vmci.sys
Source: Amcache.hve.13.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.13.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.13.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.13.dr Binary or memory string: VMware-42 27 ae 88 8c 2b 21 02-a5 86 22 5b 84 51 ac f0
Source: Amcache.hve.13.dr Binary or memory string: VMware20,1
Source: Amcache.hve.13.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.13.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.13.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.13.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.13.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.13.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.13.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.13.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.13.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.13.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: 3rnPaaLLdb.exe, 00000000.00000002.1577000229.00000000006BE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllA
Source: Amcache.hve.13.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\3rnPaaLLdb.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\3rnPaaLLdb.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\3rnPaaLLdb.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\3rnPaaLLdb.exe Code function: 0_2_00408D46 LoadLibraryA,GetProcAddress,GetProcAddress,CryptUnprotectData,strlen, 0_2_00408D46
Source: C:\Users\user\Desktop\3rnPaaLLdb.exe Code function: 0_2_0040658F keybd_event, 0_2_0040658F
Source: C:\Users\user\Desktop\3rnPaaLLdb.exe Code function: 0_2_004065ED SetCursorPos,mouse_event, 0_2_004065ED
Source: C:\Users\user\Desktop\3rnPaaLLdb.exe Code function: 0_2_0040FC58 GetForegroundWindow,GetLocalTime,GetWindowTextA, 0_2_0040FC58
Source: C:\Users\user\Desktop\3rnPaaLLdb.exe Code function: 0_2_0040B849 getenv,GetUserNameA, 0_2_0040B849
Source: C:\Users\user\Desktop\3rnPaaLLdb.exe Code function: 0_2_0040B8A4 GetVersionExA,GetVersionExA,GetSystemInfo,GetSystemMetrics,RegOpenKeyExA,RegQueryValueExA,RegCloseKey, 0_2_0040B8A4
Source: Amcache.hve.13.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.13.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.13.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.13.dr Binary or memory string: MsMpEng.exe
Source: Yara match File source: 3rnPaaLLdb.exe, type: SAMPLE
Source: Yara match File source: 0.2.3rnPaaLLdb.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.3rnPaaLLdb.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.1224891151.0000000000413000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 3rnPaaLLdb.exe PID: 7580, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 3rnPaaLLdb.exe, type: SAMPLE
Source: Yara match File source: 0.2.3rnPaaLLdb.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.3rnPaaLLdb.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.1224891151.0000000000413000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1576763380.0000000000413000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 3rnPaaLLdb.exe PID: 7580, type: MEMORYSTR
Source: Yara match File source: 3rnPaaLLdb.exe, type: SAMPLE
Source: Yara match File source: 0.2.3rnPaaLLdb.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.3rnPaaLLdb.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.1224891151.0000000000413000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 3rnPaaLLdb.exe PID: 7580, type: MEMORYSTR
No contacted IP infos