Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Nov. 1, 2021, 10:28 a.m.	Nov. 1, 2021, 10:46 a.m.

Size	160.5KB
Type	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
MD5	`21c97621d2f2374fa75d71282c566203`
SHA256	`574b348f67921ce34f660afe2ff75d0538bd5ea203739a77479dba7f026f0476`
CRC32	`8FD6CAC3`
ssdeep	`3072:jOzPcXa+ND32eioGHlz8rnAE0HCXh0edLvefYMjMqqDvFf:jOTcK+NrRioGHlz8rz0i/MzQqqDvFf`
Yara	NetWire_RAT_Zero - NetWire RAT PE_Header_Zero - PE File Signature OS_Processor_Check_Zero - OS Processor Check IsPE32 - (no description) Malicious_Library_Zero - Malicious_Library UPX_Zero - UPX packed file

Host.exe "C:\Users\test22\AppData\Local\Temp\Host.exe"
2388

Name	Response	Post-Analysis Lookup
nwire733.duckdns.org	A 185.228.19.147	185.228.19.147

IP Address	Status	Action
185.228.19.147	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.101:62324 -> 164.124.101.2:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Nov. 1, 2021, 10:28 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Nov. 1, 2021, 10:28 a.m.			0	0

Connects to a Dynamic DNS Domain (1 event)

domain

nwire733.duckdns.org

The binary likely contains encrypted or compressed data indicative of a packer (1 event)

section

{u'size_of_data': u'0x00004e00', u'virtual_address': u'0x00022000', u'entropy': 7.007220331281095, u'name': u'.data', u'virtual_size': u'0x00004c7c'}

entropy

7.00722033128

description

A section with a high entropy has been found

File has been identified by 57 AntiVirus engines on VirusTotal as malicious (50 out of 57 events)

Lionic	Trojan.Win32.NetWiredRC.m!c
Elastic	malicious (high confidence)
Cynet	Malicious (score: 100)
FireEye	Generic.mg.21c97621d2f2374f
CAT-QuickHeal	Backdoor.NetwiredrIH.S21443742
McAfee	GenericRXKH-LK!21C97621D2F2
Cylance	Unsafe
Zillya	Trojan.Weecnaw.Win32.761
Sangfor	Suspicious.Win32.Save.a
K7AntiVirus	Spyware ( 0055216c1 )
Alibaba	Backdoor:Win32/NetWiredRC.34083420
K7GW	Spyware ( 0055216c1 )
Cybereason	malicious.1d2f23
Cyren	W32/S-6c6572b7!Eldorado
Symantec	Infostealer
ESET-NOD32	Win32/Spy.Weecnaw.L
APEX	Malicious
Paloalto	generic.ml
ClamAV	Win.Dropper.NetWire-8025706-0
Kaspersky	Backdoor.Win32.NetWiredRC.lac
BitDefender	Trojan.GenericKD.47239316
NANO-Antivirus	Trojan.Win32.Wirenet.hlbptg
MicroWorld-eScan	Trojan.GenericKD.47239316
Avast	Win32:RATX-gen [Trj]
Tencent	Malware.Win32.Gencirc.10ce3933
Ad-Aware	Trojan.GenericKD.47239316
Emsisoft	Trojan-Spy.Weecnaw (A)
DrWeb	BackDoor.Wirenet.557
TrendMicro	Backdoor.Win32.NETWIRED.SMK
McAfee-GW-Edition	BehavesLike.Win32.Dropper.ch
Sophos	Mal/Generic-S
Ikarus	Backdoor.Rat.Netwire
Jiangmin	Backdoor.NetWiredRC.bld
Webroot	W32.Trojan.Gen
Avira	TR/Spy.Gen
MAX	malware (ai score=86)
Antiy-AVL	Trojan/Generic.ASMalwS.309056C
Gridinsoft	Ransom.Win32.Wacatac.oa!s1
Microsoft	Backdoor:Win32/Netwire.GG!MTB
ViRobot	Trojan.Win32.Z.Netwire.164352.BN
GData	Win32.Trojan.Netwire.C
AhnLab-V3	Trojan/Win32.RL_NetWiredRC.R342610
BitDefenderTheta	Gen:NN.ZexaF.34236.kCW@amsq2rh
ALYac	Backdoor.RAT.Netwire
TACHYON	Backdoor/W32.NetWire.164352
VBA32	BScope.TrojanSpy.Loyeetro
Malwarebytes	Backdoor.Quasar
TrendMicro-HouseCall	Backdoor.Win32.NETWIRED.SMK
Rising	Backdoor.NetWire!1.C98D (CLASSIC)
Yandex	Trojan.GenAsa!DOgbQEDHp9A

Host.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All