Summary | ZeroBOX

HostKfkk.exe

Tags: NetWire RAT, Malicious Library, UPX, PE File, OS Processor Check, PE32
Category  Machine        Started                   Completed
FILE      s1_win7_x6401  Nov. 1, 2021, 10:28 a.m.  Nov. 1, 2021, 10:43 a.m.
Size 160.5KB
Type PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
MD5 9a9f389d7aa1a7e0ded19e72fa02e0f5
SHA256 843c5f7a818681e3df212c80515cdce0bd56c6e178412736b8a22b15ebb35435
CRC32 42BA7F0C
ssdeep 3072:jOzPcXa+ND32eioGHlz8rnAE0HCXh0edLviYMjMqqDvFf:jOTcK+NrRioGHlz8rz0i/izQqqDvFf
Yara
  • NetWire_RAT_Zero - NetWire RAT
  • PE_Header_Zero - PE File Signature
  • OS_Processor_Check_Zero - OS Processor Check
  • IsPE32 - (no description)
  • Malicious_Library_Zero - Malicious_Library
  • UPX_Zero - UPX packed file

Name                  Response        Post-Analysis Lookup
nwire733.duckdns.org  185.228.19.147

IP Address      Status  Action
164.124.101.2   Active  Moloch
185.228.19.147  Active  Moloch

Suricata Alerts

Flow                                          SID      Signature                                       Category
UDP 192.168.56.101:62324 -> 164.124.101.2:53  2022918  ET INFO DYNAMIC_DNS Query to *.duckdns. Domain  Misc activity

Suricata TLS

No Suricata TLS

Time & API         Arguments                 Status  Return  Repeated
GetComputerNameW   computer_name: TEST22-PC  1       1       0

Time & API         Arguments                 Status  Return  Repeated
IsDebuggerPresent                            0 0
domain: nwire733.duckdns.org
section .data: size_of_data 0x00004e00, virtual_address 0x00022000, virtual_size 0x00004c7c, entropy 7.0047075085767725
description: A section with a high entropy has been found
Antivirus Result
Elastic malicious (high confidence)
DrWeb BackDoor.Wirenet.557
MicroWorld-eScan Trojan.Agent.FCZE
FireEye Generic.mg.9a9f389d7aa1a7e0
CAT-QuickHeal Backdoor.NetwiredrIH.S21443742
McAfee GenericRXKH-LK!9A9F389D7AA1
Malwarebytes Backdoor.Quasar
Sangfor Suspicious.Win32.Save.a
K7AntiVirus Spyware ( 0055216c1 )
K7GW Spyware ( 0055216c1 )
Cybereason malicious.d7aa1a
BitDefenderTheta Gen:NN.ZexaF.34236.kCW@amsq2rh
Cyren W32/S-6c6572b7!Eldorado
Symantec Infostealer
ESET-NOD32 Win32/Spy.Weecnaw.L
APEX Malicious
ClamAV Win.Dropper.NetWire-8025706-0
Kaspersky Backdoor.Win32.NetWiredRC.lac
BitDefender Trojan.Agent.FCZE
NANO-Antivirus Trojan.Win32.Wirenet.hlbptg
Avast Win32:RATX-gen [Trj]
Tencent Malware.Win32.Gencirc.10ce3933
Ad-Aware Trojan.Agent.FCZE
Emsisoft Trojan-Spy.Weecnaw (A)
Zillya Trojan.Weecnaw.Win32.761
TrendMicro Backdoor.Win32.NETWIRED.SMK
McAfee-GW-Edition BehavesLike.Win32.Dropper.ch
Sophos ML/PE-A
Ikarus Backdoor.Rat.Netwire
Jiangmin Backdoor.NetWiredRC.bld
Webroot W32.Trojan.Gen
Avira TR/Spy.Gen
MAX malware (ai score=83)
Antiy-AVL Trojan/Generic.ASMalwS.309056C
Gridinsoft Ransom.Win32.Wacatac.oa!s1
GData Win32.Trojan.Netwire.C
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win32.RL_NetWiredRC.R342610
VBA32 BScope.TrojanSpy.Loyeetro
ALYac Backdoor.RAT.Netwire
TACHYON Backdoor/W32.NetWire.164352
TrendMicro-HouseCall Backdoor.Win32.NETWIRED.SMK
Rising Backdoor.NetWire!1.C98D (CLASSIC)
Yandex Trojan.GenAsa!DOgbQEDHp9A
SentinelOne Static AI - Malicious PE
eGambit Unsafe.AI_Score_71%
Fortinet W32/Ulise.103681!tr
AVG Win32:RATX-gen [Trj]
Panda Trj/Genetic.gen
CrowdStrike win/malicious_confidence_60% (D)