Detection(s):
NetWire
Analysis Details
Category Package Started Completed Duration Logs
FILE exe 2026-04-24 23:46:00 2026-04-24 23:51:29 329s
Reports JSON
Analysis Log
2026-03-05 20:34:42,507 [root] INFO: Date set to: 20260424T23:47:06, timeout set to: 200
2026-04-24 23:47:06,546 [root] DEBUG: Starting analyzer from: C:\drl3__ia
2026-04-24 23:47:06,624 [root] DEBUG: Storing results at: C:\POQtMo
2026-04-24 23:47:06,655 [root] DEBUG: Pipe server name: \\.\PIPE\zweUGz
2026-04-24 23:47:06,671 [root] DEBUG: Python path: C:\Python310
2026-04-24 23:47:06,671 [root] INFO: analysis running as an admin
2026-04-24 23:47:06,686 [root] INFO: analysis package specified: "exe"
2026-04-24 23:47:06,686 [root] DEBUG: importing analysis package module: "modules.packages.exe"...
2026-04-24 23:47:06,733 [root] DEBUG: imported analysis package "exe"
2026-04-24 23:47:06,749 [root] DEBUG: initializing analysis package "exe"...
2026-04-24 23:47:06,749 [lib.common.common] INFO: wrapping
2026-04-24 23:47:06,749 [lib.core.compound] INFO: C:\Users\cape\AppData\Local\Temp already exists, skipping creation
2026-04-24 23:47:06,749 [root] DEBUG: New location of moved file: C:\Users\cape\AppData\Local\Temp\d98322a279a554b9c24f.exe
2026-04-24 23:47:06,749 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2026-04-24 23:47:06,749 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2026-04-24 23:47:06,749 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option
2026-04-24 23:47:06,749 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option
2026-04-24 23:47:06,890 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser"
2026-04-24 23:47:07,061 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig"
2026-04-24 23:47:07,077 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise"
2026-04-24 23:47:07,171 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human"
2026-04-24 23:47:07,264 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2026-04-24 23:47:07,483 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageGrab'
2026-04-24 23:47:07,608 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageDraw'
2026-04-24 23:47:08,655 [lib.api.screenshot] INFO: Please upgrade Pillow to >= 5.4.1 for best performance
2026-04-24 23:47:08,655 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots"
2026-04-24 23:47:08,655 [root] DEBUG: Imported auxiliary module "modules.auxiliary.tlsdump"
2026-04-24 23:47:08,655 [root] DEBUG: Initialized auxiliary module "Browser"
2026-04-24 23:47:08,655 [root] DEBUG: attempting to configure 'Browser' from data
2026-04-24 23:47:08,655 [root] DEBUG: module Browser does not support data configuration, ignoring
2026-04-24 23:47:08,655 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.browser"...
2026-04-24 23:47:08,671 [root] DEBUG: Started auxiliary module modules.auxiliary.browser
2026-04-24 23:47:08,671 [root] DEBUG: Initialized auxiliary module "DigiSig"
2026-04-24 23:47:08,671 [root] DEBUG: attempting to configure 'DigiSig' from data
2026-04-24 23:47:08,671 [root] DEBUG: module DigiSig does not support data configuration, ignoring
2026-04-24 23:47:08,671 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.digisig"...
2026-04-24 23:47:08,671 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature
2026-04-24 23:47:09,718 [modules.auxiliary.digisig] DEBUG: File is not signed
2026-04-24 23:47:09,718 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2026-04-24 23:47:09,734 [root] DEBUG: Started auxiliary module modules.auxiliary.digisig
2026-04-24 23:47:09,734 [root] DEBUG: Initialized auxiliary module "Disguise"
2026-04-24 23:47:09,734 [root] DEBUG: attempting to configure 'Disguise' from data
2026-04-24 23:47:09,734 [root] DEBUG: module Disguise does not support data configuration, ignoring
2026-04-24 23:47:09,734 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.disguise"...
2026-04-24 23:47:09,780 [modules.auxiliary.disguise] INFO: Disguising GUID to fe8205b5-41a2-4b03-b3ed-853a192d9a6c
2026-04-24 23:47:09,780 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise
2026-04-24 23:47:09,780 [root] DEBUG: Initialized auxiliary module "Human"
2026-04-24 23:47:09,780 [root] DEBUG: attempting to configure 'Human' from data
2026-04-24 23:47:09,796 [root] DEBUG: module Human does not support data configuration, ignoring
2026-04-24 23:47:09,796 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.human"...
2026-04-24 23:47:09,812 [root] DEBUG: Started auxiliary module modules.auxiliary.human
2026-04-24 23:47:09,812 [root] DEBUG: Initialized auxiliary module "Screenshots"
2026-04-24 23:47:09,812 [root] DEBUG: attempting to configure 'Screenshots' from data
2026-04-24 23:47:09,812 [root] DEBUG: module Screenshots does not support data configuration, ignoring
2026-04-24 23:47:09,812 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.screenshots"...
2026-04-24 23:47:09,843 [root] DEBUG: Started auxiliary module modules.auxiliary.screenshots
2026-04-24 23:47:09,843 [root] DEBUG: Initialized auxiliary module "TLSDumpMasterSecrets"
2026-04-24 23:47:09,843 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data
2026-04-24 23:47:09,843 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring
2026-04-24 23:47:09,843 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.tlsdump"...
2026-04-24 23:47:09,858 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 644
2026-04-24 23:47:09,889 [lib.api.process] INFO: Monitor config for <Process 644 lsass.exe>: C:\drl3__ia\dll\644.ini
2026-04-24 23:47:09,905 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to monitor
2026-04-24 23:47:10,140 [lib.api.process] INFO: 64-bit DLL to inject is C:\drl3__ia\dll\kafOlX.dll, loader C:\drl3__ia\bin\StgptPYK.exe
2026-04-24 23:47:10,265 [root] DEBUG: Loader: Injecting process 644 with C:\drl3__ia\dll\kafOlX.dll.
2026-04-24 23:47:10,796 [root] DEBUG: 644: Python path set to 'C:\Python310'.
2026-04-24 23:47:10,812 [root] DEBUG: 644: Disabling sleep skipping.
2026-04-24 23:47:10,812 [root] DEBUG: 644: TLS secret dump mode enabled.
2026-04-24 23:47:11,233 [root] DEBUG: 644: RtlInsertInvertedFunctionTable 0x00007FFEFE86090E, LdrpInvertedFunctionTableSRWLock 0x00007FFEFE9BD500
2026-04-24 23:47:11,233 [root] DEBUG: 644: Monitor initialised: 64-bit capemon loaded in process 644 at 0x00007FFEABE00000, thread 3688, image base 0x00007FF7C23E0000, stack from 0x0000008E4CB71000-0x0000008E4CB80000
2026-04-24 23:47:11,249 [root] DEBUG: 644: Commandline: C:\Windows\system32\lsass.exe
2026-04-24 23:47:11,311 [root] DEBUG: 644: Hooked 5 out of 5 functions
2026-04-24 23:47:11,327 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2026-04-24 23:47:11,327 [root] DEBUG: Successfully injected DLL C:\drl3__ia\dll\kafOlX.dll.
2026-04-24 23:47:11,811 [root] DEBUG: 644: TLS 1.2 secrets logged to: C:\POQtMo\tlsdump\tlsdump.log
2026-04-24 23:47:16,671 [lib.api.process] INFO: Injected into 64-bit <Process 644 lsass.exe>
2026-04-24 23:47:16,671 [root] DEBUG: Started auxiliary module modules.auxiliary.tlsdump
2026-04-24 23:47:51,280 [root] INFO: Restarting WMI Service
2026-04-24 23:47:53,390 [root] DEBUG: package modules.packages.exe does not support configure, ignoring
2026-04-24 23:47:53,390 [root] WARNING: configuration error for package modules.packages.exe: error importing data.packages.exe: No module named 'data.packages'
2026-04-24 23:47:53,390 [lib.core.compound] INFO: C:\Users\cape\AppData\Local\Temp already exists, skipping creation
2026-04-24 23:47:53,906 [lib.api.process] INFO: Successfully executed process from path "C:\Users\cape\AppData\Local\Temp\d98322a279a554b9c24f.exe" with arguments "" with pid 6328
2026-04-24 23:47:53,906 [lib.api.process] INFO: Monitor config for <Process 6328 d98322a279a554b9c24f.exe>: C:\drl3__ia\dll\6328.ini
2026-04-24 23:47:53,921 [lib.api.process] INFO: 32-bit DLL to inject is C:\drl3__ia\dll\WjHubhVw.dll, loader C:\drl3__ia\bin\HNOqFTP.exe
2026-04-24 23:47:54,374 [root] DEBUG: Loader: Injecting process 6328 (thread 4384) with C:\drl3__ia\dll\WjHubhVw.dll.
2026-04-24 23:47:54,515 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2026-04-24 23:47:54,530 [root] DEBUG: Successfully injected DLL C:\drl3__ia\dll\WjHubhVw.dll.
2026-04-24 23:47:54,530 [lib.api.process] INFO: Injected into 32-bit <Process 6328 d98322a279a554b9c24f.exe>
2026-04-24 23:47:56,561 [lib.api.process] INFO: Successfully resumed <Process 6328 d98322a279a554b9c24f.exe>
2026-04-24 23:47:57,124 [root] DEBUG: 6328: Python path set to 'C:\Python310'.
2026-04-24 23:47:57,186 [root] DEBUG: 6328: Disabling sleep skipping.
2026-04-24 23:47:57,186 [root] DEBUG: 6328: Dropped file limit defaulting to 100.
2026-04-24 23:47:57,218 [root] DEBUG: 6328: YaraInit: Compiled 44 rule files
2026-04-24 23:47:57,233 [root] DEBUG: 6328: YaraInit: Compiled rules saved to file C:\drl3__ia\data\yara\capemon.yac
2026-04-24 23:47:57,233 [root] DEBUG: 6328: YaraScan: Scanning 0x00400000, size 0x24dea
2026-04-24 23:47:57,233 [root] DEBUG: 6328: Monitor initialised: 32-bit capemon loaded in process 6328 at 0x73f00000, thread 4384, image base 0x400000, stack from 0x622000-0x630000
2026-04-24 23:47:57,233 [root] DEBUG: 6328: Commandline: "C:\Users\cape\AppData\Local\Temp\d98322a279a554b9c24f.exe"
2026-04-24 23:47:58,093 [root] DEBUG: 6328: hook_api: LdrpCallInitRoutine export address 0x77EB2A40 obtained via GetFunctionAddress
2026-04-24 23:47:58,171 [root] DEBUG: 6328: hook_api: Warning - SetWindowLongW export address 0x75D45420 differs from GetProcAddress -> 0x750E59E0 (apphelp.dll::0xff3d59e0)
2026-04-24 23:47:58,186 [root] DEBUG: 6328: hook_api: Warning - EnumDisplayDevicesA export address 0x75D395A0 differs from GetProcAddress -> 0x750E6780 (apphelp.dll::0xff3d6780)
2026-04-24 23:47:58,186 [root] DEBUG: 6328: hook_api: Warning - EnumDisplayDevicesW export address 0x75D4FB70 differs from GetProcAddress -> 0x7510E4D0 (apphelp.dll::0xff3fe4d0)
2026-04-24 23:47:58,405 [root] WARNING: b'Unable to place hook on GetCommandLineA'
2026-04-24 23:47:58,421 [root] DEBUG: 6328: set_hooks: Unable to hook GetCommandLineA
2026-04-24 23:47:58,421 [root] WARNING: b'Unable to place hook on GetCommandLineW'
2026-04-24 23:47:58,437 [root] DEBUG: 6328: set_hooks: Unable to hook GetCommandLineW
2026-04-24 23:47:58,968 [root] DEBUG: 6328: Hooked 630 out of 632 functions
2026-04-24 23:47:58,968 [root] DEBUG: 6328: Syscall hook installed, syscall logging level 1
2026-04-24 23:47:58,984 [root] DEBUG: 6328: RestoreHeaders: Restored original import table.
2026-04-24 23:47:58,999 [root] INFO: Loaded monitor into process with pid 6328
2026-04-24 23:47:58,999 [root] DEBUG: 6328: caller_dispatch: Added region at 0x00400000 to tracked regions list (ws2_32::WSAStartup returns to 0x004068CA, thread 4384).
2026-04-24 23:47:59,015 [root] DEBUG: 6328: YaraScan: Scanning 0x00400000, size 0x24dea
2026-04-24 23:47:59,015 [root] DEBUG: 6328: ProcessImageBase: Main module image at 0x00400000 unmodified (entropy change 0.000000e+00)
2026-04-24 23:47:59,077 [root] DEBUG: 6328: DLL loaded at 0x745D0000: C:\Windows\system32\uxtheme (0x74000 bytes).
2026-04-24 23:47:59,202 [root] DEBUG: 6328: DLL loaded at 0x73EE0000: C:\Windows\system32\napinsp (0x11000 bytes).
2026-04-24 23:47:59,452 [root] DEBUG: 6328: DLL loaded at 0x73EC0000: C:\Windows\system32\pnrpnsp (0x16000 bytes).
2026-04-24 23:47:59,530 [root] DEBUG: 6328: DLL loaded at 0x73EB0000: C:\Windows\system32\wshbth (0x10000 bytes).
2026-04-24 23:47:59,546 [root] DEBUG: 6328: DLL loaded at 0x74BB0000: C:\Windows\SYSTEM32\IPHLPAPI (0x32000 bytes).
2026-04-24 23:47:59,546 [root] DEBUG: 6328: DLL loaded at 0x73E90000: C:\Windows\system32\NLAapi (0x16000 bytes).
2026-04-24 23:47:59,577 [root] DEBUG: 6328: DLL loaded at 0x747C0000: C:\Windows\System32\mswsock (0x52000 bytes).
2026-04-24 23:47:59,952 [root] DEBUG: 6328: DLL loaded at 0x73E00000: C:\Windows\SYSTEM32\DNSAPI (0x90000 bytes).
2026-04-24 23:48:00,046 [root] DEBUG: 6328: DLL loaded at 0x77E20000: C:\Windows\System32\NSI (0x7000 bytes).
2026-04-24 23:48:00,202 [root] DEBUG: 6328: DLL loaded at 0x73DF0000: C:\Windows\System32\winrnr (0xe000 bytes).
2026-04-24 23:48:01,077 [root] DEBUG: 6328: DLL loaded at 0x73D90000: C:\Windows\System32\fwpuclnt (0x59000 bytes).
2026-04-24 23:48:01,687 [root] DEBUG: 6328: DLL loaded at 0x73D80000: C:\Windows\System32\rasadhlp (0x8000 bytes).
2026-04-24 23:51:16,831 [root] INFO: Analysis timeout hit, terminating analysis
2026-04-24 23:51:16,831 [lib.api.process] INFO: Terminate event set for <Process 6328 d98322a279a554b9c24f.exe>
2026-04-24 23:51:16,831 [root] DEBUG: 6328: Terminate Event: Attempting to dump process 6328
2026-04-24 23:51:16,847 [root] DEBUG: 6328: DoProcessDump: Skipping process dump as code is identical on disk.
2026-04-24 23:51:16,847 [lib.api.process] INFO: Termination confirmed for <Process 6328 d98322a279a554b9c24f.exe>
2026-04-24 23:51:16,862 [root] INFO: Terminate event set for process 6328
2026-04-24 23:51:16,862 [root] INFO: Created shutdown mutex
2026-04-24 23:51:16,862 [root] DEBUG: 6328: Terminate Event: monitor shutdown complete for process 6328
2026-04-24 23:51:17,878 [root] INFO: Shutting down package
2026-04-24 23:51:17,878 [root] INFO: Stopping auxiliary modules
2026-04-24 23:51:17,878 [root] INFO: Stopping auxiliary module: Browser
2026-04-24 23:51:17,878 [root] INFO: Stopping auxiliary module: Human
2026-04-24 23:51:18,675 [root] INFO: Stopping auxiliary module: Screenshots
2026-04-24 23:51:19,362 [root] INFO: Finishing auxiliary modules
2026-04-24 23:51:19,362 [root] INFO: Shutting down pipe server and dumping dropped files
2026-04-24 23:51:19,378 [root] WARNING: Folder at path "C:\POQtMo\debugger" does not exist, skipping
2026-04-24 23:51:19,378 [root] INFO: Uploading files at path "C:\POQtMo\tlsdump"
2026-04-24 23:51:19,378 [lib.common.results] INFO: Uploading file C:\POQtMo\tlsdump\tlsdump.log to tlsdump\tlsdump.log; Size is 26852; Max size: 100000000
2026-04-24 23:51:19,394 [root] INFO: Analysis completed
Process Log
Pre-Script Log
During-Script Log
Machine Information
Name Label Manager Started On Shutdown On
win10x64 win10x64 KVM 2026-04-24 23:46:00 2026-04-24 23:51:27
File Details
Parent File Info
File Information
File Name
38b39a1855703219803b4a37879b160eb1137124f972ccf259ff8278840815d2
File Size 53928 bytes
MD5 5d8a3c5da2422dfb820dafcb6becc438
SHA1 4bd56336fca158a70c8ae5c5f60e1cecb3238728
SHA256 38b39a1855703219803b4a37879b160eb1137124f972ccf259ff8278840815d2
CRC32 A272EBA9
Ssdeep None
File Information
Type NetWire Payload: 32-bit executable
File Name
d98322a279a554b9c24f.exe
File Type PE32 executable (GUI) Intel 80386, for MS Windows
File Size 109056 bytes
MD5 15436e835bad3a947c97bcf3da1429ca
SHA1 5a88b86b75b360d1d73b494ea645a32f55033cb7
SHA256 d98322a279a554b9c24fc637a27534e1ae139382f84ad2de580096a71a35b3bd
SHA3-384 c292f4ce58356431b208550e0459499946cad50b337ed73883604bc54f76f10f68ab00a70b076ae07e27450515dbf3cd
CRC32 96EB88E1
TLSH T1BFB3F905E98BA0F6FE0F1C7092DBFBFF46399904C234CE62CF54AD82EA63D1A1149655
Ssdeep 3072:ROzIy5XGViztldWl88Yed2DQuIAQvQ+d0aY/RX:Ro2ViztvWlvd2UuIAQvQ+yF/R
Yara
CAPE Yara
Strings
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
1R1d1}1-2>2y2
D$(t4
_beginthreadex
MjPXqjFpx80ddX5dl
%6\%6.dfd
iphlpapi.dll
Cs43l63g4R3Y0530QR54ld3iG3G3y.Sii
m6C_0ddrd5Q0RcQ88d0
Cs43l63g4R3YW0d3ICRSid3iG3G3y.Sii
%d:%I64u:%s%s;
%6\Tsd0C\Tsd0C\gCRS.SC5
[XR6d05]
GetVersionExA
GetMessageA
@7D7H7L7P7T7X7\7`7d7h7l7p7t7x7|7
9 9$9(9,9094989<9@9D9H9L9P9T9X9\9`9d9h9l9p9t9x9|9
#7@Qhq\1@NWgyxeH\_bpdgc
%6\iWn4R6.e6WR
SeaMonkey
CRYPT32.DLL
EnumWindows
T$,uP
fgets
__WSAFDIsSet
%6\FWk4iiC\MdCFWRwdZ\%6
GetWindowTextA
Cs43l63g4R3YW0d3ldlW0Z3iG3G3y.Sii
KERNEL32.dll
psapi.dll
VaultCloseVault
9mpcC6doOadYWSd
5N5V5/6|6
SHELL32.DLL
;r;|<
[Log Started] - [%.2d/%.2d/%d %.2d:%.2d:%.2d]
lWkniQd.Sii
QY05VC6d.Sii
Y0Zs5Nh.Sii
2 2$2(2,2024282<2@2D2H2L2P2T2X2\2`2d2h2l2p2t2x2|2
8"8-8:8?8J8W8\8g8t8y8
[904R5 MY0ddR]
%c%llu
3d4y4
[P50i+%Y]
wd0RdiNh.Sii
inet_ntoa
Unknown
9HGGpEd5XR5d0RCiHdZMiW5
%c%c%s
Host.exe.Windows32
GetFileAttributesA
calloc
9>9s9
_4R UC45 (G)
Cs43l63g4R3YW0d36504Rn3iG3G3y.Sii
Accept-Language: en-US,en;q=0.8
;-<_<r<
:&:.:6:>:F:N:V:^:f:n:v:~:
.text
User-Agent: Mozilla/4.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Cs43l63g4R3YW0d3iWYCi4kC54WR3iG3h3y.Sii
9\$8~
Process32Next
[-Wld]
DiiWYC5dDRSXR454Ci4kdM4S
l62YsGOy.Sii
D$<tG
ReadFile
Cs43l63g4R3Y05365S4W3iG3G3y.Sii
strchr
%6\.sQ0sid\CYYWQR56.fli
+l$ 8\$
GetCurrentProcessId
%s%s\
Cs43l63g4R3YW0d354ldkWRd3iG3G3y.Sii
;D$0~
XFD9 u6d0
RegQueryValueExA
D$0~y
D$,9D$0u
adid5d qPc
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
GetDIBits
-qq9 9C66gW0S
Cs43l63g4R3YW0d384id3ih3G3y.Sii
MT_qUDrj\F4Y0W6W85\DY542d Md5Qs\XR65CiidS PWlsWRdR56
%s%.2d-%.2d-%.4d
D$T@tA
uMjrLDFj
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
WriteFile
Cs43l63g4R3YW0d3SC5d54ld3iG3G3y.Sii
[qCV]
[PCs6 mWYw]
Cs43l63g4R3YW0d34R5d0iWYwdS3iG3G3y.Sii
Cs43l63g4R3YW0d3s0W84id3iG3G3y.Sii
socket
q4ld UC45
GetLastError
MdYQ0Nh.Sii
_4R UC45 (h)
?7?T?}?
WSAStartup
9D$X~|
Cs43l63g4R3YW0d3RCldSs4sd3iG3G3y.Sii
EnterCriticalSection
localhost
67i45dNpYiW6d
6-6@6G6W6^6
advapi32.dll
GetTickCount
67i45dNpYWiQlRp5df5
call :deleteSelf&exit /b
GetDesktopWindow
Sleep
LoadLibraryA
=0=Y=s=
%6\EWWnid\PI0Wld\u6d0 aC5C\ad8CQi5\mWn4R aC5C
FreeLibrary
%Rand%
?@?M?d?u?
CreateProcessA
Path=
XR65Cii a40dY5W0Z
%6\FWk4iiC\MdCFWRwdZ\s0W84id6.4R4
lWkY05Gt.Sii
:3:<:G:S:\:s:|:
<(<-<5<E<P<Z<c<u<
ADVAPI32.DLL
Cs43l63g4R3Y053IdCs3iG3G3y.Sii
<Q<Y<
IW65RCld
!&.37<
m465dR4Rn...
Cs43l63g4R3YW0d3IdCs3iG3G3y.Sii
7%777w7
setsockopt
NetWkstaGetInfo
%s*.*
MFq9 9C66gW0S
connect
[D00Wg r4nI5]
"%/28;=#$019:>?
CS2Cs4Nh.Sii
;&;.;6;>;F;N;V;^;f;n;v;~;
PIdYwqWwdRFdlVd06I4s
D$$t6
USER32.dll
SetErrorMode
.edata
GetForegroundWindow
t$4u@
%6\qIQRSd0V40S\%6
%s:%s
_filelengthi64
ReleaseMutex
FindFirstFileA
%6\qIQRSd0V40S\s0W84id6.4R4
9HGGpDQ5IdR54YC5d
GetSystemMetrics
%.2d/%.2d/%d %.2d:%.2d:%.2d
GetDiskFreeSpaceExA
WSACleanup
LMMpMIQ5SWgR
%c%.8x%s%s
\[^_]
MapVirtualKeyA
<sC66gW0S>
%s\360Chrome\Chrome\User Data\Default\Login Data
PiW64Rn...
Mozilla Firefox
:%:+:4:;:D:J:S:Z:c:i:r:y:
[D00Wg aWgR]
PQ00dR5zd064WR
%s:%d
Cs43l63g4R3YW0d384id3iG3G3y.Sii
l62Y0Gyy.Sii
[D00Wg md85]
,[^_]
<RCld>
fread
<[^_]
0#030C0S0
shutdown
0@.idata
0<1P1
GetCurrentThreadId
sprintf
lWk67i45dN.Sii
%s (%s)
8ccccc/Bcccccccccccccccccccccccccccccccccccccc
%c%c%S
ExitProcess
|$Tu5
[MY0Wii mWYw]
Cs43l63g4R3Y053iWYCid3iG3G3y.Sii
R66Q54iN.Sii
D$$t/
EiWVCiFdlW0ZM5C5Q6jf
67i45dNps0dsC0dp2h
Connection: close
Install Date
Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
ResumeThread
NetApiBufferFree
Cs43l63g4R3YW0d3YWR6Wid3iG3G3y.Sii
8$8e8k8
Cs43l63g4R3YW0d384id3iG3h3y.Sii
vaultcli.dll
Cs43l63g4R3YW0d3Q54i3iG3G3y.Sii
%s:%u
D$(9D$P
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
m6CEd5mWnWRMd664WRaC5C
M5QV9C5I
realloc
VaultFree
CryptUnprotectData
jDM 9C66gW0S
MoveFileA
>2>J>b>z>
D$+<?tw
9$9i9
4RSdf.SC5
j65CVi46IdS
D$(f9
Host: %s
GetSystemTime
5(606`6h6
Cs43l63g4R3YW0d3s0WYd665I0dCS63iG3G3G.Sii
!This program cannot be run in DOS mode.
> >/>;>W>n>
PostQuitMessage
GetDC
CryptAcquireContextA
'-46
>9?S?c?s?
strlen
[jRS]
fsetpos
0J0s0
BitBlt
CryptDestroyHash
647D7
1D1r1
GetLogicalDriveStringsA
Cs43l63g4R3YW0d36Z64R8W3iG3G3y.Sii
Ed5rCgXRsQ5aC5C
0+1H1P1^1g1
Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
CryptCreateHash
UWVS1
5#5v6
MFq9 u6d0
ioctlsocket
%6\FWk4iiC\_40d8Wf\s0W84id6.4R4
<%t 9
VaultEnumerateVaults
DEL /s "%s" >nul 2>&1
[j6Y]
6A8G8T8f8l8z8
CreateToolhelp32Snapshot
rdn465d0rCgXRsQ5ad24Yd6
8D9X9#:e;~;
0!0-0E0Q0J7
ComSpec
6didY5 * 80Wl lWkpiWn4R6
t';T$
%6\6Z65dlNh\YlS.dfd
user32.dll
ping 192.0.2.2 -n 1 -w %d >nul 2>&1
.reloc
9HGGMarpadY0Zs5
5H6b7!8-8;8M8i8
-qq9 u6d0
closesocket
htons
2J2V2r2
R6s0O.Sii
9|$ u
67i45dNp65ds
[9Cnd us]
SOFTWARE\NetWire
4 4(4G4X4b4h4u4
Ed5jf5dRSdSqYsqCVid
8.9>9R9
GDI32.dll
D$P9D$(
P`.data
DeleteObject
A$3D$
SOFTWARE\
Cs43l63g4R3YW0d3i4V0C0ZiWCSd03iG3G3y.Sii
1 2k2
:4;y;
:=;I;
PiW6d UC45
RegOpenKeyExA
;%;A;S;n;v;
FileTimeToSystemTime
GET %s HTTP/1.1
Cs43l63g4R3YW0d3s0WYd66dR240WRldR53iG3G3y.Sii
ShowWindow
Cs43l63g4R3Y05384id6Z65dl3iG3G3y.Sii
fflush
;A<V<c<
0 0+010;0E0
fwrite
%s\BraveSoftware\Brave-Browser\User Data\Default\Login Data
DeleteDC
&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz
getenv
mWYCi a46w
ReleaseDC
%c%.8x%s
[adid5d]
%6\Tsd0C\Tsd0C\s0W84id\gCRS.SC5
-qq9 Md02d0
@echo off
<K=w=
GetFileAttributesExA
MT_qUDrj\FWk4iiC\%6\
CryptGetHashParam
keybd_event
0x%.16llX (%I64d)
FindNextFileA
6W85WwRN.Sii
CryptReleaseContext
5I5O5
CreateMutexA
D$,t;
Software\Microsoft\Internet Explorer\IntelliForms\Storage2
ProcessorNameString
Cs43l63g4R3Y053Q54i45Z3iG3G3y.Sii
%c%.8x%s\%s
PiW6dS
CreateFileA
SetFileAttributesA
WSAIoctl
1 1$1(1,1014181<1@1D1H1L1P1T1X1\1`1d1h1l1p1t1x1|1
|$$9D$,
200 OK
8M9W9
9%949:9C9J9S9Y9b9k9q9z9
RegDeleteKeyA
NETAPI32.DLL
-0U0_0i0w0
ntohs
OpenProcess
515>5^5u5
l62Y0Ghy.Sii
Cs43l63g4R3YW0d305i6QssW053iG3G3y.Sii
LeaveCriticalSection
jlC4i
VaultOpenVault
FindClose
WSAGetLastError
IsWindowVisible
SetCursorPos
:deleteSelf
9D$X~K;|$`tE
<<?K?[?d?
MT_qUDrj\F4Y0W6W85\U4RSWg6\PQ00dR5zd064WR\rQR\
<&<.<6<><F<N<V<^<f<n<v<~<
?"?)?:?B?N?U?a?y?
1$1;1L1 2(20272>2P2W2^2z2
GetSystemInfo
RegSetValueExA
fgetpos
gethostname
7:8F8
808U9\9m9w9
-DraUDrj\ajMPrX9qXTL\MZ65dl\PdR50Ci90WYd66W0\y
CreateWindowExA
<s0W5WYWi>
WideCharToMultiByte
=W=r=
WS2_32.dll
<0=p=
GetProcAddress
CreateDirectoryA
GetVolumeInformationA
CreatePipe
Ed5u6d0LCldD
malloc
MFq9 Md02d0
R-W65: %6:%S
0/4|5
%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz
Cs43l63g4R3YW0d3SdVQn3iG3G3y.Sii
?H?s?
T$<tD
GetStartupInfoA
InitializeCriticalSection
GetLocalTime
%S:%S
T$,<U
Cs43l63g4R3YW0d36ZRYI3iG3G3y.Sii
CreateCompatibleBitmap
[D00Wg us]
ToAscii
9T9N u6d0
67i45dNpWsdR
;3<?<
Ed5jf5dRSdSuSsqCVid
D$$t>
kernel32.dll
History
:0:7:L:V:b:o:
%.2d-%.2d-%.4d
LOCALAPPDATA
DeleteFileA
siS6O.Sii
GetComputerNameA
0'080|0
PeekNamedPipe
winhttp.dll
SetWindowTextA
8&8+838E8P8Z8c8k8y8
u7[^_
L$(t@
[jR5d0]
Process32First
%I64d
%s\%s.bat
6#6c6
2N3}3Y4_4
%6\64nRWR6.67i45d
LocalFree
%6\PWlWSW\a0CnWR\u6d0 aC5C\ad8CQi5\mWn4R aC5C
Cs43l63g4R3Y053lQi54VZ5d3iG3G3y.Sii
Ed5FWSQid_4idLCldjfD
4+7Z7
start /b "" cmd /c del "%%~f0"&exit /b
fopen
GetProcessTimes
RegCreateKeyExA
;";(;1;6;>;G;R;\;e;u;
WINDIR
HostId
GetDriveTypeA
memcpy
2Y0QR54ldGOy.Sii
9|$|u
R66N.Sii
DispatchMessageA
SetFilePointer
m6CjRQld0C5dmWnWRMd664WR6
=2=>=D=i=x=
9T9N Md02d0
=#=,=2=<=E=K=U=^=d=n=w=}=
2%313C3V3
89\$4
Cs43l63g4R3Y053YWR2d053iG3G3y.Sii
mC65 DPH
Cs43l63g4R3YW0d3s0WYd665I0dCS63iG3G3y.Sii
> >&>0>9>?>I>R>X>b>k>q>
3'3?3W3o3
D$$tL
%s @ %s
RegCloseKey
Cs43l63g4R3Y0536504Rn3iG3G3y.Sii
CloseHandle
MT_qUDrj\F4Y0W6W85\DY542d Md5Qs\XR65CiidS PWlsWRdR56\%6
6O7W7t8
l62YsGhy.Sii
MvL MdR5
%s /c "%s"
encryptedUsername
%d:%s%s;
%6\Tsd0C MW85gC0d\Tsd0C M5CVid\mWn4R aC5C
%s\*.*
GetKeyNameTextA
9+9~9
fclose
[9Cnd aWgR]
RegEnumKeyExA
8H9N9d9k9
Cs43l63g4R3Y053lC5I3iG3G3y.Sii
MvL rdYd42dS
9T9N 9C66gW0S
_0ddM4S
TranslateMessage
RegEnumValueA
%I64u
U4R-55sEd5Xj90WfZPWR84n_W0PQ00dR5u6d0
DefWindowProcA
4\5g5
67i45dN.Sii
0%1-1h1p1
%8DmgM
;+;A;R;c;k;t;
_vscprintf
6j7~7
7Z7f7
;+;Q;
-m "%s"
=^=s=
NetWire
%6\PI0Wl4Ql\u6d0 aC5C\ad8CQi5\mWn4R aC5C
D$<t5
RegisterClassExA
2P2X2
=&=.=6=>=F=N=V=^=f=n=v=~=
9HGGp_0ddMiW5
D$"x64
GetLastInputInfo
D$+t|
APPDATA
%s\%s
Mozilla Thunderbird
TerminateProcess
9(90979D9S9Z9
GetCommandLineA
L[^_]
Bcccc
2K3[3o3K4M5
ShellExecuteA
gethostbyname
U4R-55sTsdR
R66SVlN.Sii
_vsnprintf
[cCYw6sCYd]
>\>v>
select
9\$DrK
encryptedPassword
Cs43l63g4R3Y05354ld3iG3G3y.Sii
SelectObject
XFD9 9C66gW0S
GetKeyState
PTLLjPq %6:%S -qq9/G.y
P0Zs5uRs0W5dY5aC5C
CryptHashData
SHFileOperationA
D$4t$
2x2M3
0x%02hhX
jDM Md02d0 urm
4*4E4c4i4z4
D$Ht0
<-<C<
30383@3G3N3`3g3n3
GetKeyboardState
Cs43l63g4R3Y053dR240WRldR53iG3G3y.Sii
GetModuleFileNameA
XFD9 Md02d0
RegDeleteValueA
%6\FWk4iiC\_40d8Wf\%6
/cccc
v!>Zr
CreateCompatibleDC
lWkQ54i6.Sii
D$0~T
VaultGetItem
%6\vCRSdf\vCRSdfc0Wg6d0\u6d0 aC5C\ad8CQi5\mWn4R aC5C
Ed590WYd66XlCnd_4idLCldD
[c0dCw]
SendMessageA
3L3n3
MT_qUDrj\FWk4iiC\%6\%6\FC4R
VaultEnumerateItems
D$$t,
:,;T;i;
jDM u6d0
Cs43l63g4R3YW0d36ZRYI3iG3h3y.Sii
>G?l?v?
; ;$;(;,;0;
<'<T<
U4R-55sEd590WfZ_W0u0i
siYO.Sii
l62YsGyy.Sii
5!5(5<5C5S5f5p5z5
NSS_Init
Ed5LC542dMZ65dlXR8W
9&9.969>9F9N9V9^9f9n9v9~9
msvcrt.dll
hostname
mouse_event
0x%.8X (%d)
[%s] - [%.2d/%.2d/%d %.2d:%.2d:%.2d]
;g<o<v<
PE Information
Image Base
0x00400000
Entry Point
0x00002570
Min OS
4.0
Compile Time
2019-07-03 20:50:28
Import Hash
844b1e992f862088369589b7cf91ba21

Name RAW Addr Virt Addr Virt Size Raw Size Characteristics Entropy
.text 0x00000400 0x00001000 0x00015dcc 0x00015e00 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_ALIGN_16BYTES 5.92
.data 0x00016200 0x00017000 0x000024d4 0x00002600 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE|IMAGE_SCN_ALIGN_32BYTES 6.32
.bss 0x00000000 0x0001a000 0x00006684 0x00000000 IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE|IMAGE_SCN_ALIGN_32BYTES 0.00
.edata 0x00018800 0x00021000 0x0000003b 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_ALIGN_4BYTES 0.65
.idata 0x00018a00 0x00022000 0x000011b0 0x00001200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE|IMAGE_SCN_ALIGN_4BYTES 5.32
.reloc 0x00019c00 0x00024000 0x00000dec 0x00000e00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ|IMAGE_SCN_ALIGN_4BYTES 6.65

advapi32.dll
Address Name
0x42233c CryptAcquireContextA
0x422340 CryptCreateHash
0x422344 CryptDestroyHash
0x422348 CryptGetHashParam
0x42234c CryptHashData
0x422350 CryptReleaseContext
0x422354 RegCloseKey
0x422358 RegCreateKeyExA
0x42235c RegDeleteKeyA
0x422360 RegDeleteValueA
0x422364 RegEnumKeyExA
0x422368 RegEnumValueA
0x42236c RegOpenKeyExA
0x422370 RegQueryValueExA
0x422374 RegSetValueExA

crypt32.dll
Address Name
0x42237c CryptUnprotectData

gdi32.dll
Address Name
0x422384 BitBlt
0x422388 CreateCompatibleBitmap
0x42238c CreateCompatibleDC
0x422390 DeleteDC
0x422394 DeleteObject
0x422398 GetDIBits
0x42239c SelectObject

kernel32.dll
Address Name
0x4223a4 CloseHandle
0x4223a8 CreateDirectoryA
0x4223ac CreateFileA
0x4223b0 CreateMutexA
0x4223b4 CreatePipe
0x4223b8 CreateProcessA
0x4223bc CreateToolhelp32Snapshot
0x4223c0 DeleteFileA
0x4223c4 EnterCriticalSection
0x4223c8 ExitProcess
0x4223cc FileTimeToSystemTime
0x4223d0 FindClose
0x4223d4 FindFirstFileA
0x4223d8 FindNextFileA
0x4223dc FreeLibrary
0x4223e0 GetCommandLineA
0x4223e4 GetComputerNameA
0x4223e8 GetCurrentProcessId
0x4223ec GetCurrentThreadId
0x4223f0 GetDiskFreeSpaceExA
0x4223f4 GetDriveTypeA
0x4223f8 GetFileAttributesA
0x4223fc GetFileAttributesExA
0x422400 GetLastError
0x422404 GetLocalTime
0x422408 GetLogicalDriveStringsA
0x42240c GetModuleFileNameA
0x422410 GetProcAddress
0x422414 GetProcessTimes
0x422418 GetStartupInfoA
0x42241c GetSystemInfo
0x422420 GetSystemTime
0x422424 GetTickCount
0x422428 GetVersionExA
0x42242c GetVolumeInformationA
0x422430 InitializeCriticalSection
0x422434 LeaveCriticalSection
0x422438 LoadLibraryA
0x42243c LocalFree
0x422440 MoveFileA
0x422444 OpenProcess
0x422448 PeekNamedPipe
0x42244c Process32First
0x422450 Process32Next
0x422454 ReadFile
0x422458 ReleaseMutex
0x42245c ResumeThread
0x422460 SetErrorMode
0x422464 SetFileAttributesA
0x422468 SetFilePointer
0x42246c Sleep
0x422470 TerminateProcess
0x422474 WideCharToMultiByte
0x422478 WriteFile

msvcrt.dll
Address Name
0x422480 _beginthreadex
0x422484 _filelengthi64
0x422488 _vscprintf
0x42248c _vsnprintf
0x422490 calloc
0x422494 fclose
0x422498 fflush
0x42249c fgetpos
0x4224a0 fgets
0x4224a4 fopen
0x4224a8 fread
0x4224ac free
0x4224b0 fsetpos
0x4224b4 fwrite
0x4224b8 getenv
0x4224bc malloc
0x4224c0 memcpy
0x4224c4 realloc
0x4224c8 sprintf
0x4224cc strchr
0x4224d0 strlen

netapi32.dll
Address Name
0x4224d8 NetApiBufferFree
0x4224dc NetWkstaGetInfo

shell32.dll
Address Name
0x4224e4 SHFileOperationA
0x4224e8 ShellExecuteA

user32.dll
Address Name
0x4224f0 CreateWindowExA
0x4224f4 DefWindowProcA
0x4224f8 DispatchMessageA
0x4224fc EnumWindows
0x422500 GetDC
0x422504 GetDesktopWindow
0x422508 GetForegroundWindow
0x42250c GetKeyNameTextA
0x422510 GetKeyState
0x422514 GetKeyboardState
0x422518 GetLastInputInfo
0x42251c GetMessageA
0x422520 GetSystemMetrics
0x422524 GetWindowTextA
0x422528 IsWindowVisible
0x42252c MapVirtualKeyA
0x422530 PostQuitMessage
0x422534 RegisterClassExA
0x422538 ReleaseDC
0x42253c SendMessageA
0x422540 SetCursorPos
0x422544 SetWindowTextA
0x422548 ShowWindow
0x42254c ToAscii
0x422550 TranslateMessage
0x422554 keybd_event
0x422558 mouse_event

ws2_32.dll
Address Name
0x422560 WSACleanup
0x422564 WSAGetLastError
0x422568 WSAIoctl
0x42256c WSAStartup
0x422570 __WSAFDIsSet
0x422574 closesocket
0x422578 connect
0x42257c gethostbyname
0x422580 gethostname
0x422584 htons
0x422588 inet_ntoa
0x42258c ioctlsocket
0x422590 ntohs
0x422594 recv
0x422598 select
0x42259c send
0x4225a0 setsockopt
0x4225a4 shutdown
0x4225a8 socket
Processing 31.40s
  • 16.362s Suricata
  • 12.46s NetworkAnalysis
  • 2.259s CAPE
  • 0.228s BehaviorAnalysis
  • 0.09s AnalysisInfo
  • 0.001s Debug
Signatures 0.07s
  • 0.008s network_dns_url_shortener
  • 0.007s suspicious_tld
  • 0.007s ransomware_files
  • 0.005s antiav_detectreg
  • 0.004s network_cnc_http
  • 0.004s network_dyndns
  • 0.004s ransomware_extensions_known
  • 0.002s network_http
  • 0.002s antianalysis_detectfile
  • 0.002s antiav_detectfile
  • 0.002s infostealer_ftp
  • 0.002s territorial_disputes_sigs
  • 0.001s network_open_proxy
  • 0.001s network_torgateway
  • 0.001s antianalysis_detectreg
  • 0.001s antivm_vbox_files
  • 0.001s antivm_vbox_keys
  • 0.001s geodo_banking_trojan
  • 0.001s browser_security
  • 0.001s disables_backups
  • 0.001s disables_browser_warn
  • 0.001s disables_power_options
  • 0.001s azorult_mutexes
  • 0.001s infostealer_bitcoin
  • 0.001s echelon_files
  • 0.001s infostealer_im
  • 0.001s infostealer_mail
  • 0.001s poullight_files
  • 0.001s masquerade_process_name
  • 0.001s network_dns_opennic
  • 0.001s network_dns_paste_site
  • 0.001s network_dns_temp_file_storage
  • 0.001s revil_mutexes
  • 0.001s ursnif_behavior
Reporting 0.02s
  • 0.022s JsonDump
Signatures
ip_hostname: HTTP connection was made to an IP address rather than domain name
suspicious_request: http://46.149.110.67/filestreamingservice/files/c92e95cf-27b9-4ea9-a961-5f08d3174bee/pieceshash?cacheHostOrigin=msedge.f.dl.delivery.mp.microsoft.com
suspicious_request: http://46.149.110.67/filestreamingservice/files/c92e95cf-27b9-4ea9-a961-5f08d3174bee?P1=1777679357&P2=404&P3=2&P4=Dz38Qdu%2fyvFFWysS36maEnN%2fLwTIt%2fFDFySw39NJhcPCJbNmqR1r00GoJr6EPay9JysnBHZsRaX6g9xy1qqYOA%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com
domain: kw9d02.duckdns.org
url: http://i.pki.goog/gsr1.crt
url: http://i.pki.goog/r4.crt
url: http://i.pki.goog/we2.crt
url: http://i.pki.goog/gsr4.crt
url: http://46.149.110.67/filestreamingservice/files/c92e95cf-27b9-4ea9-a961-5f08d3174bee/pieceshash?cacheHostOrigin=msedge.f.dl.delivery.mp.microsoft.com
url: http://46.149.110.67/filestreamingservice/files/c92e95cf-27b9-4ea9-a961-5f08d3174bee?P1=1777679357&P2=404&P3=2&P4=Dz38Qdu%2fyvFFWysS36maEnN%2fLwTIt%2fFDFySw39NJhcPCJbNmqR1r00GoJr6EPay9JysnBHZsRaX6g9xy1qqYOA%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com
Binary triggered YARA rule: shellcode_stack_strings
Binary triggered YARA rule: DITEKSHEN_MALWARE_Win_Netwire
Binary triggered YARA rule: Windows_Trojan_Netwire_1b43df38
Binary triggered YARA rule: Windows_Trojan_Netwire_f42cb379
Binary triggered YARA rule: netwire
Binary triggered YARA rule: IsPE32
Binary triggered YARA rule: IsWindowsGUI
url: http://46.149.110.67/filestreamingservice/files/c92e95cf-27b9-4ea9-a961-5f08d3174bee/pieceshash?cacheHostOrigin=msedge.f.dl.delivery.mp.microsoft.com
url: http://46.149.110.67/filestreamingservice/files/c92e95cf-27b9-4ea9-a961-5f08d3174bee?P1=1777679357&P2=404&P3=2&P4=Dz38Qdu%2fyvFFWysS36maEnN%2fLwTIt%2fFDFySw39NJhcPCJbNmqR1r00GoJr6EPay9JysnBHZsRaX6g9xy1qqYOA%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com
anomaly: Actual checksum does not match that reported in PE header
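The last signature above reports that the PE CheckSum does not match the header. The check is cheap to reproduce, and knowing how it works tells you what the anomaly can and cannot mean: a CheckSum of zero is simply "not set" (common for user-mode executables, and not what this signature complains about), while a non-zero value that differs from the recomputed one means the file bytes no longer correspond to the header that was written for them (patched, packed or corrupted after linking). The Python below is an added example, not CAPE's own code. It implements the IMAGE_OPTIONAL_HEADER CheckSum algorithm (32-bit word sum with end-around carry, folded to 16 bits, plus the file length) and exercises it on a small PE32 image constructed inside the script; the analysed sample is not embedded. Run it with a file path to check a real binary.

```python
"""Recompute a PE CheckSum and compare it with the header value.

Added example, not CAPE code.  The PE built by build_minimal_pe() is
constructed for the demo and is not the analysed sample.
"""
import struct
import sys


def checksum_field_offset(data: bytes) -> int:
    """File offset of IMAGE_OPTIONAL_HEADER.CheckSum (same for PE32 and PE32+)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # Signature (4) + IMAGE_FILE_HEADER (20) + CheckSum at 0x40 of the optional header
    return e_lfanew + 4 + 20 + 0x40


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """CheckSum the loader expects; the dword holding the stored value is skipped."""
    padded = data + b"\0" * (-len(data) % 4)
    skip = checksum_offset // 4
    total = 0
    for i in range(len(padded) // 4):
        if i == skip:
            continue
        total += struct.unpack_from("<I", padded, i * 4)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)   # end-around carry
    total = (total & 0xFFFF) + (total >> 16)           # fold to 16 bits
    total = (total + (total >> 16)) & 0xFFFF
    return (total + len(data)) & 0xFFFFFFFF


def verify_checksum(data: bytes) -> dict:
    """Compare the stored CheckSum with the recomputed one."""
    off = checksum_field_offset(data)
    stored = struct.unpack_from("<I", data, off)[0]
    actual = pe_checksum(data, off)
    return {"stored": stored, "actual": actual,
            "matches": stored == actual,
            "unset": stored == 0}   # zero is "not set", normal for user-mode EXEs


def with_correct_checksum(data: bytes) -> bytes:
    """Return a copy with the CheckSum field rewritten to the computed value."""
    off = checksum_field_offset(data)
    out = bytearray(data)
    struct.pack_into("<I", out, off, pe_checksum(data, off))
    return bytes(out)


def build_minimal_pe(stored_checksum: int = 0, payload: bytes = b"\xC3" * 16) -> bytes:
    """Constructed one-section PE32 image used only to exercise the code above."""
    e_lfanew = 0x40
    dos_hdr = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)
    # Machine=i386, 1 section, no symbols, PE32 optional header size, EXECUTABLE|32BIT
    file_hdr = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0x00, 0x10B)                 # PE32 magic
    struct.pack_into("<I", opt, 0x10, 0x1000)                # AddressOfEntryPoint
    struct.pack_into("<I", opt, 0x1C, 0x00400000)            # ImageBase
    struct.pack_into("<II", opt, 0x20, 0x1000, 0x200)        # Section/FileAlignment
    struct.pack_into("<II", opt, 0x38, 0x2000, 0x200)        # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 0x40, stored_checksum)       # CheckSum under test
    struct.pack_into("<H", opt, 0x44, 2)                     # Subsystem: Windows GUI
    struct.pack_into("<I", opt, 0x5C, 16)                    # NumberOfRvaAndSizes
    sec = struct.pack("<8sIIIIIIHHI", b".text", len(payload), 0x1000,
                      0x200, 0x200, 0, 0, 0, 0, 0x60000020)  # CODE|EXECUTE|READ
    headers = (dos_hdr + b"PE\0\0" + file_hdr + bytes(opt) + sec).ljust(0x200, b"\0")
    return headers + payload.ljust(0x200, b"\0")


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    blob = open(path, "rb").read() if path else with_correct_checksum(build_minimal_pe())
    r = verify_checksum(blob)
    print("stored=0x%08x actual=0x%08x matches=%s unset=%s"
          % (r["stored"], r["actual"], r["matches"], r["unset"]))
```

When triaging, treat `unset` and `matches` separately: an unset CheckSum says nothing, while a set-but-wrong one is the signal the sandbox raised and is worth comparing against the section entropies above to decide whether a packer or a post-build patch is the more likely cause.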
Hosts
Direct IP Country Name ASN
Y 20.93.72.182 unknown
Y 46.149.110.67 unknown
Y 72.154.7.108 unknown
Y 72.154.7.100 unknown
Y 72.154.7.105 unknown
Y 72.154.7.102 unknown
Y 72.154.7.98 unknown
Y 72.154.7.101 unknown
Y 72.154.7.107 unknown
Y 72.154.7.109 unknown
N 192.169.69.25 unknown
Y 20.165.94.54 unknown
Y 13.107.6.156 unknown
Y 84.47.178.41 unknown
Y 150.171.27.11 unknown
N 173.194.73.94 unknown
Y 84.47.178.49 unknown
Y 40.126.53.14 unknown
Y 52.123.242.97 unknown
Y 20.42.65.93 unknown
Y 4.207.247.139 unknown
Y 84.47.178.56 unknown
Y 20.189.173.2 unknown
DNS
Name Response Post-Analysis Lookup
i.pki.goog A 173.194.73.94, CNAME pki-goog.l.google.com 173.194.73.94
kw9d02.duckdns.org A 192.169.69.25 192.169.69.25
Summary
  • HKEY_CURRENT_USER\SOFTWARE\NetWire
  • HKEY_CURRENT_USER\SOFTWARE\NetWire\HostId
  • HKEY_CURRENT_USER\SOFTWARE\NetWire\Install Date
  • HKEY_CURRENT_USER
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize\AppsUseLightTheme
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize\AppsUseLightTheme
  • HKEY_CURRENT_USER\SOFTWARE\NetWire
  • HKEY_CURRENT_USER\SOFTWARE\NetWire\HostId
  • HKEY_CURRENT_USER\SOFTWARE\NetWire\Install Date
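The registry keys listed in the Summary (SOFTWARE\NetWire with its HostId and Install Date values), the self-delete batch fragments in the strings dump (@echo off, :deleteSelf, DEL /s "%s" >nul 2>&1, ping 192.0.2.2 -n 1 -w %d >nul 2>&1, start /b "" cmd /c del "%%~f0"&exit /b, %s\%s.bat, %s /c "%s") and the kw9d02.duckdns.org lookup in the DNS table are the host and network artefacts a detection engineer would lift from this run; the behavioural and network tabs of the report itself are empty, so these static and summary sections are all there is to work from. The Python below is an added example, not CAPE's code. It turns those artefacts into rules and runs them over a handful of JSON events constructed for the demo (Sysmon-style field names chosen here, not a real schema; map them onto your own telemetry). The batch body in the sample event is assembled from the fragments purely for illustration, the report does not show the real file, and the pids other than 6328 are made up. The Delivery Optimization request to 46.149.110.67 that the signatures flag is included as an event and deliberately left unmatched: its URL names msedge.f.dl.delivery.mp.microsoft.com as the cache origin and nothing in the sample's strings ties it to the sample.

```python
"""Rule checks for the NetWire artefacts seen in this report.

Added example, not CAPE code.  Indicators come from the report: the
HKCU\\SOFTWARE\\NetWire key with its HostId / Install Date values, the
self-delete batch fragments in the strings dump and the kw9d02.duckdns.org
lookup.  The event schema and the sample events are constructed for the demo.
"""
import json
import re

KNOWN_C2_DOMAIN = "kw9d02.duckdns.org"          # from the DNS table
DYNDNS_SUFFIX = ".duckdns.org"                  # weaker: any DuckDNS host
NETWIRE_REG_KEY = re.compile(r"(?i)\\SOFTWARE\\NetWire(\\|$)")
NETWIRE_REG_VALUES = {"hostid", "install date"}
# cmd.exe /c "<...>\Temp\<name>.bat"   (strings: '%s /c "%s"', '%s\%s.bat', ComSpec)
BAT_LAUNCH = re.compile(r'(?i)\bcmd(\.exe)?\b.*/c\s+"?[^"]*\\temp\\[^"]*\.bat"?')
# body fragments: a ping to a TEST-NET address used as a delay, then a del
SELF_DELETE_PING = re.compile(r"(?i)\bping\s+192\.0\.2\.2\s+-n\s+1\s+-w\s+\d+")
SELF_DELETE_DEL = re.compile(r'(?i)\bdel\b.*("%~f0"|\.exe")')


def evaluate(event):
    """Return [(rule_name, severity), ...] for one event dict."""
    hits = []
    kind = event.get("type")
    if kind in ("registry_create", "registry_set", "registry_read"):
        if NETWIRE_REG_KEY.search(event.get("key", "")):
            value = event.get("value", "").lower()
            hits.append(("netwire_registry_key",
                         "high" if value in NETWIRE_REG_VALUES else "medium"))
    elif kind == "dns_query":
        name = event.get("query", "").lower().rstrip(".")
        if name == KNOWN_C2_DOMAIN:
            hits.append(("netwire_known_c2_domain", "high"))
        elif name.endswith(DYNDNS_SUFFIX):
            hits.append(("dyndns_resolution", "low"))
    elif kind == "process_create":
        cmd = event.get("command_line", "")
        body = event.get("script_body", "")   # assumed joined from a file-content capture
        if BAT_LAUNCH.search(cmd):
            if SELF_DELETE_PING.search(body) and SELF_DELETE_DEL.search(body):
                hits.append(("self_delete_batch", "high"))
            else:
                hits.append(("temp_batch_launch", "low"))
    return hits


def scan(lines):
    """Run evaluate() over JSON-lines input; one finding per rule hit."""
    findings = []
    for n, line in enumerate(lines, 1):
        if not line.strip():
            continue
        event = json.loads(line)
        for rule, severity in evaluate(event):
            findings.append({"line": n, "pid": event.get("pid"),
                             "rule": rule, "severity": severity})
    return findings


SAMPLE_EXE = r"C:\Users\cape\AppData\Local\Temp\d98322a279a554b9c24f.exe"
# Constructed batch body: fragments from the strings dump, order chosen for the demo.
BAT_BODY = "\n".join([
    "@echo off",
    ":deleteSelf",
    'DEL /s "%s" >nul 2>&1' % SAMPLE_EXE,
    "ping 192.0.2.2 -n 1 -w 1000 >nul 2>&1",
    'start /b "" cmd /c del "%~f0"&exit /b',
])
_events = [  # constructed events; the report's own behaviour log is empty
    {"type": "registry_create", "pid": 6328, "key": r"HKCU\SOFTWARE\NetWire"},
    {"type": "registry_set", "pid": 6328, "key": r"HKCU\SOFTWARE\NetWire", "value": "HostId"},
    {"type": "registry_set", "pid": 6328, "key": r"HKCU\SOFTWARE\NetWire", "value": "Install Date"},
    {"type": "registry_read", "pid": 6328,
     "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize",
     "value": "AppsUseLightTheme"},
    {"type": "dns_query", "pid": 6328, "query": KNOWN_C2_DOMAIN, "answer": "192.169.69.25"},
    {"type": "dns_query", "pid": 1804, "query": "i.pki.goog", "answer": "173.194.73.94"},
    {"type": "process_create", "pid": 7012, "parent_pid": 6328,
     "command_line": r'C:\Windows\system32\cmd.exe /c "C:\Users\cape\AppData\Local\Temp\nwr.bat"',
     "script_body": BAT_BODY},
    {"type": "http_request", "pid": 2200,
     "url": "http://46.149.110.67/filestreamingservice/files/c92e95cf-27b9-4ea9-a961-5f08d3174bee/pieceshash?cacheHostOrigin=msedge.f.dl.delivery.mp.microsoft.com"},
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in _events)


def run_demo():
    return scan(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for f in run_demo():
        print("line %(line)d pid %(pid)s %(severity)-6s %(rule)s" % f)
```

The severities are deliberately tiered: the exact registry values and the exact DuckDNS host are specific to this family and build, the bare key and a generic DuckDNS lookup are weaker, and a .bat launched from Temp is only interesting on its own when its body carries both the ping delay and the delete. The benign AppsUseLightTheme read, which this run also performed, and the Delivery Optimization request produce no findings.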

No results found.
No behavioral analysis data available.
Sorry! No strace.
Sorry! No tracee.
Hosts
No hosts contacted.
TCP Connections
No TCP connections recorded.
UDP Connections
No UDP connections recorded.
DNS Requests
No domains contacted.
HTTP Requests
No HTTP(s) requests performed.
SMTP Traffic
No SMTP traffic performed.
IRC Traffic
No IRC requests performed.
ICMP Traffic
No ICMP traffic performed.
CIF Results
No CIF Results
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
Suricata HTTP
No Suricata HTTP
Sorry! No Suricata Extracted files.
No dropped files found.
Sorry! No process dumps.