Summary | ZeroBOX

Host.exe

Tags: NetWire RAT, Malicious Library, UPX, PE File, OS Processor Check, PE32
Category FILE
Machine s1_win7_x6401
Started Nov. 1, 2021, 10:28 a.m.
Completed Nov. 1, 2021, 10:39 a.m.
Size 160.5KB
Type PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
MD5 f3304cc314d7e62b283f262f01a6bcdf
SHA256 6b4401690cb0a07ee98ff3c5fc351b20c6e0a4ba7474c6ad858e5dc69a60b36f
CRC32 C2891FD6
ssdeep 3072:jOzPcXa+ND32eioGHlz8rnAE0HCXh0edLvXYMjMqqDvFf:jOTcK+NrRioGHlz8rz0i/XzQqqDvFf
Yara
  • NetWire_RAT_Zero - NetWire RAT
  • PE_Header_Zero - PE File Signature
  • OS_Processor_Check_Zero - OS Processor Check
  • IsPE32 - (no description)
  • Malicious_Library_Zero - Malicious_Library
  • UPX_Zero - UPX packed file

DNS Resolution

Name                  Response        Post-Analysis Lookup
nwire733.duckdns.org  185.228.19.147  -

Contacted IP Addresses

IP Address      Status  Action
164.124.101.2   Active  Moloch
185.228.19.147  Active  Moloch

Note: 164.124.101.2 is the resolver the sandbox queried over UDP/53 (see the Suricata flow below), not a C2 host; 185.228.19.147 is the address the duckdns name resolved to and is the indicator worth blocking.

Suricata Alerts

Flow                                          SID      Signature                                        Category
UDP 192.168.56.101:62324 -> 164.124.101.2:53  2022918  ET INFO DYNAMIC_DNS Query to *.duckdns. Domain   Misc activity
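The DNS resolution table and the Suricata alert above show the same fact from two angles: the sample asked the sandbox resolver for a duckdns.org name and got back 185.228.19.147. The script below is an added example (not part of the ZeroBOX report or of Suricata/ET) that reproduces that triage step from Suricata eve.json DNS records instead of from raw packets: it flags lookups under dynamic-DNS provider suffixes, rejects look-alike domains, and pairs each flagged query with the A/AAAA answers seen for it so the output carries both the domain and its resolved IPs. The provider suffix list is an assumption seeded with duckdns.org from the report, and the log lines are constructed to mirror the report's query (eve.json dns v1 layout).

```python
"""Flag dynamic-DNS lookups in Suricata eve.json DNS records and pair them with answers.

Added example, not from the ZeroBOX report or the Suricata project.
"""
import json

# Assumed watch-list of free dynamic-DNS providers; duckdns.org comes from the report,
# the rest are common providers. Extend for your own environment.
DDNS_SUFFIXES = ("duckdns.org", "no-ip.org", "no-ip.com", "ddns.net", "hopto.org")

# Constructed eve.json lines (dns v1 layout), not real capture data. They mirror the
# report's query for nwire733.duckdns.org plus a benign lookup, a look-alike domain
# that must NOT match, and an unrelated flow event that must be skipped.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2021-11-01T10:28:41.000000+0000","event_type":"dns","src_ip":"192.168.56.101","dest_ip":"164.124.101.2","dns":{"type":"query","id":6699,"rrname":"nwire733.duckdns.org","rrtype":"A"}}',
    '{"timestamp":"2021-11-01T10:28:41.020000+0000","event_type":"dns","src_ip":"164.124.101.2","dest_ip":"192.168.56.101","dns":{"type":"answer","id":6699,"rrname":"nwire733.duckdns.org","rrtype":"A","ttl":60,"rdata":"185.228.19.147"}}',
    '{"timestamp":"2021-11-01T10:28:42.000000+0000","event_type":"dns","src_ip":"192.168.56.101","dest_ip":"164.124.101.2","dns":{"type":"query","id":6700,"rrname":"www.example.com","rrtype":"A"}}',
    '{"timestamp":"2021-11-01T10:28:42.030000+0000","event_type":"dns","src_ip":"164.124.101.2","dest_ip":"192.168.56.101","dns":{"type":"answer","id":6700,"rrname":"www.example.com","rrtype":"A","ttl":300,"rdata":"203.0.113.10"}}',
    '{"timestamp":"2021-11-01T10:28:43.000000+0000","event_type":"dns","src_ip":"192.168.56.101","dest_ip":"164.124.101.2","dns":{"type":"query","id":6701,"rrname":"cdn.notduckdns.org","rrtype":"A"}}',
    '{"timestamp":"2021-11-01T10:28:43.100000+0000","event_type":"flow","src_ip":"192.168.56.101","dest_ip":"185.228.19.147","proto":"TCP"}',
]


def is_ddns(name: str, suffixes=DDNS_SUFFIXES) -> bool:
    """True if name is a provider apex or a label beneath it.

    Matching on "." + suffix (or exact equality) keeps look-alikes such as
    notduckdns.org from triggering, which a plain endswith("duckdns.org") would not.
    """
    name = name.rstrip(".").lower()
    return any(name == s or name.endswith("." + s) for s in suffixes)


def ddns_lookups(lines):
    """Return {queried DDNS name: sorted list of A/AAAA answers observed for it}."""
    queried = set()
    answers = {}
    for line in lines:
        rec = json.loads(line)
        if rec.get("event_type") != "dns":  # flow, alert, tls ... records carry no rrname
            continue
        dns = rec["dns"]
        name = dns.get("rrname", "")
        if not is_ddns(name):
            continue
        if dns.get("type") == "query":
            queried.add(name)
        elif dns.get("type") == "answer" and dns.get("rrtype") in ("A", "AAAA"):
            answers.setdefault(name, set()).add(dns["rdata"])
    # A query with no answer still appears (empty list): NXDOMAIN on a DDNS name is itself notable.
    return {n: sorted(answers.get(n, ())) for n in sorted(queried)}


if __name__ == "__main__":
    for name, ips in ddns_lookups(SAMPLE_EVE_LINES).items():
        print(f"dynamic DNS lookup: {name} -> {', '.join(ips) or 'no answer seen'}")
```

Run against a real eve.json with `ddns_lookups(open("eve.json"))`; the result for the constructed lines is a single entry mapping nwire733.duckdns.org to 185.228.19.147, matching the report's resolution table.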

Suricata TLS

No Suricata TLS

Time & API         Arguments                 Status  Return  Repeated
GetComputerNameW   computer_name: TEST22-PC  1       1       0
IsDebuggerPresent  (none)                    -       0       0

Note: the report records only two values for IsDebuggerPresent; read as Return 0, Repeated 0 (status column not shown). A return of 0 means the sample's debugger check found no debugger attached, so execution continued normally in the sandbox. GetComputerNameW returned the sandbox host name TEST22-PC, a common environment-fingerprinting call.
Signature details

domain   nwire733.duckdns.org
section  .data: virtual_address 0x00022000, virtual_size 0x00004c7c, size_of_data 0x00004e00, entropy 7.0096
         A section with a high entropy has been found. 7.0096 bits per byte (maximum 8) is consistent with compressed or encrypted content and agrees with the UPX_Zero Yara hit above; the packed payload must be unpacked before static analysis yields anything useful.
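The "high entropy section" signature is easy to reproduce outside the sandbox, and doing so is the usual first check on a new sample. The block below is an added example (not ZeroBOX's code): it walks the PE section table by hand, computes the Shannon entropy of each section's raw bytes, and flags anything above a threshold of 7.0 bits/byte, the cut-off assumed here because the report's .data section scored 7.0096. The PE image it builds is synthetic, with one plain-text section and one section of pseudo-random bytes standing in for packed data; it is not the analysed Host.exe.

```python
"""Per-section Shannon entropy check for PE files.

Added example, not part of the ZeroBOX report. build_sample_pe() constructs a
synthetic PE32 image for demonstration; point pe_sections() at real file bytes
to check an actual sample.
"""
import math
import random
import struct
from collections import Counter

HIGH_ENTROPY_THRESHOLD = 7.0  # assumed cut-off; 8.0 is the maximum for byte data


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty or constant data)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pe_sections(image: bytes):
    """Yield (name, virtual_address, virtual_size, raw_bytes) for each section.

    Layout: e_lfanew at 0x3C -> "PE\\0\\0", 20-byte COFF header (NumberOfSections at
    +2, SizeOfOptionalHeader at +16), then 40-byte IMAGE_SECTION_HEADER entries.
    """
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections, = struct.unpack_from("<H", image, coff + 2)
    opt_size, = struct.unpack_from("<H", image, coff + 16)
    table = coff + 20 + opt_size
    for i in range(num_sections):
        name, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", image, table + 40 * i)
        yield (name.rstrip(b"\0").decode("ascii", "replace"), vaddr, vsize, image[raw_ptr:raw_ptr + raw_size])


def high_entropy_sections(image: bytes, threshold: float = HIGH_ENTROPY_THRESHOLD):
    """Return [(section name, entropy)] for sections scoring above the threshold."""
    hits = []
    for name, _vaddr, _vsize, raw in pe_sections(image):
        ent = shannon_entropy(raw)
        if ent > threshold:
            hits.append((name, round(ent, 4)))
    return hits


def build_sample_pe() -> bytes:
    """Construct a minimal synthetic PE32: a low-entropy .text and a random-byte .data."""
    rng = random.Random(0x4E00)  # fixed seed so the sample is reproducible
    text = (b"This is ordinary, low-entropy section content. " * 40)[:0x800]
    data = bytes(rng.getrandbits(8) for _ in range(0x1000))  # stands in for packed data
    opt_size, e_lfanew = 224, 0x40
    table = e_lfanew + 4 + 20 + opt_size
    text_ptr = (table + 2 * 40 + 0x1FF) & ~0x1FF  # 512-byte file alignment
    data_ptr = text_ptr + len(text)
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)  # PE32 magic, rest zeroed

    def hdr(name, vaddr, raw, ptr):
        return struct.pack("<8sIIIIIIHHI", name, len(raw), vaddr, len(raw), ptr, 0, 0, 0, 0, 0)

    image = dos + coff + opt + hdr(b".text", 0x1000, text, text_ptr) + hdr(b".data", 0x2000, data, data_ptr)
    return image + b"\0" * (text_ptr - len(image)) + text + data


if __name__ == "__main__":
    sample = build_sample_pe()
    for name, vaddr, vsize, raw in pe_sections(sample):
        print(f"{name:<8} va=0x{vaddr:08x} vsize=0x{vsize:08x} raw={len(raw):#x} entropy={shannon_entropy(raw):.4f}")
    print("high-entropy sections:", high_entropy_sections(sample))
```

On the synthetic image only .data exceeds the threshold, as in the report. Note the threshold is a heuristic: legitimate binaries with embedded compressed resources or large certificate blobs also score high, so treat the hit as a prompt to unpack, not as a verdict on its own.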
Antivirus engine detections (most engines agree on the NetWire family, also labelled NetWiredRC, Wirenet and Weecnaw; the generic or differing labels such as Backdoor.Quasar and Ransom.Win32.Wacatac are heuristic names and should not override that consensus):

Engine  Detection
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.Agent.FCZE
FireEye Generic.mg.f3304cc314d7e62b
CAT-QuickHeal Backdoor.NetwiredrIH.S21443742
ALYac Backdoor.RAT.Netwire
Malwarebytes Backdoor.Quasar
Sangfor Suspicious.Win32.Save.a
K7AntiVirus Spyware ( 0055216c1 )
BitDefender Trojan.Agent.FCZE
K7GW Spyware ( 0055216c1 )
Cybereason malicious.314d7e
BitDefenderTheta Gen:NN.ZexaF.34236.kCW@amsq2rh
Cyren W32/S-6c6572b7!Eldorado
Symantec Infostealer
ESET-NOD32 Win32/Spy.Weecnaw.L
APEX Malicious
Paloalto generic.ml
Kaspersky Backdoor.Win32.NetWiredRC.lac
NANO-Antivirus Trojan.Win32.Wirenet.hlbptg
Rising Backdoor.NetWire!1.C98D (CLASSIC)
Ad-Aware Trojan.Agent.FCZE
TACHYON Backdoor/W32.NetWire.164352
Emsisoft Trojan-Spy.Weecnaw (A)
DrWeb BackDoor.Wirenet.557
Zillya Trojan.Weecnaw.Win32.761
McAfee-GW-Edition BehavesLike.Win32.Dropper.ch
Sophos ML/PE-A
Ikarus Backdoor.Rat.Netwire
GData Win32.Trojan.Netwire.C
Jiangmin Backdoor.NetWiredRC.bld
eGambit Unsafe.AI_Score_71%
Avira TR/Spy.Gen
Antiy-AVL Trojan/Generic.ASMalwS.309056C
Gridinsoft Ransom.Win32.Wacatac.oa!s1
ZoneAlarm Backdoor.Win32.NetWiredRC.lac
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win32.RL_NetWiredRC.R342610
McAfee GenericRXKH-LK!F3304CC314D7
MAX malware (ai score=80)
VBA32 BScope.TrojanSpy.Loyeetro
Cylance Unsafe
Panda Trj/Genetic.gen
TrendMicro-HouseCall Backdoor.Win32.NETWIRED.SMK
Tencent Malware.Win32.Gencirc.10ce3933
Yandex Trojan.GenAsa!DOgbQEDHp9A
SentinelOne Static AI - Malicious PE
Fortinet W32/Ulise.103681!tr
Webroot W32.Trojan.Gen
AVG Win32:RATX-gen [Trj]
CrowdStrike win/malicious_confidence_60% (D)