Summary | ZeroBOX

update.exe

Tags: NetWire RAT, Browser Login Data Stealer, Malicious Library, UPX, PE File, OS Processor Check, PE32
Category FILE
Machine s1_win7_x6403_us
Started Nov. 26, 2023, 1:32 p.m.
Completed Nov. 26, 2023, 1:44 p.m.
Size 166.1KB
Type PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
MD5 37035aa02a65b1b869898cb611d37686
SHA256 4c01cc3dd96c524054207f6b37a334c62549857f28c0286cc8dfc30b6d388e34
CRC32 68CBCE12
ssdeep 3072:bOzPcXa+ND32eioGHlz8rnAE0HCXh0edLvnoYMjMqqDvFfCZjx:bOTcK+NrRioGHlz8rz0i/ozQqqDvFfk1
Yara
  • Malicious_Library_Zero - Malicious_Library
  • IsPE32 - (no description)
  • infoStealer_browser_b_Zero - browser info stealer
  • PE_Header_Zero - PE File Signature
  • NetWire_RAT_Zero - NetWire RAT
  • UPX_Zero - UPX packed file
  • OS_Processor_Check_Zero - OS Processor Check

Name Response Post-Analysis Lookup
needforrat.hopto.org
IP Address Status Action
164.124.101.2 Active Moloch

Suricata Alerts

Flow SID Signature Category
UDP 192.168.56.103:52760 -> 164.124.101.2:53 2028681 ET POLICY DNS Query to DynDNS Domain *.hopto.org Potentially Bad Traffic
UDP 192.168.56.103:50800 -> 164.124.101.2:53 2028681 ET POLICY DNS Query to DynDNS Domain *.hopto.org Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated
IsDebuggerPresent 0 0
GlobalMemoryStatusEx 1 1 0
domain needforrat.hopto.org
file C:\Users\test22\AppData\Roaming\Install\Host.exe
file C:\Users\test22\AppData\Roaming\Install\Host.exe
file C:\Users\test22\AppData\Roaming\Install\Host.exe
section .data (virtual_address 0x00022000, virtual_size 0x00004c7c, size_of_data 0x00004e00, entropy 7.0082160689) description A section with a high entropy has been found
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Crack_Windows reg_value C:\Users\test22\AppData\Roaming\Install\Host.exe
file C:\Users\test22\AppData\Roaming\Install\Host.exe
Bkav W32.AIDetectMalware
Lionic Trojan.Win32.NetWire.4!c
Elastic Windows.Trojan.Netwire
MicroWorld-eScan Trojan.Agent.FCZE
ClamAV Win.Dropper.NetWire-8025706-0
FireEye Generic.mg.37035aa02a65b1b8
ALYac Backdoor.RAT.Netwire
Cylance unsafe
VIPRE Trojan.Agent.FCZE
Sangfor Suspicious.Win32.Save.a
CrowdStrike win/malicious_confidence_100% (W)
BitDefender Trojan.Agent.FCZE
K7GW Spyware ( 0055216c1 )
K7AntiVirus Spyware ( 0055216c1 )
VirIT Trojan.Win32.Dnldr33.DAFT
Cyren W32/Trojan.FPWY-3127
Symantec Infostealer
ESET-NOD32 Win32/Spy.Weecnaw.L
Cynet Malicious (score: 100)
Kaspersky Backdoor.Win32.NetWiredRC.lsq
Alibaba Backdoor:Win32/NetWiredRC.faebaaf0
NANO-Antivirus Trojan.Win32.Wirenet.hlbptg
Sophos Mal/Generic-S
F-Secure Trojan.TR/Spy.Gen
DrWeb BackDoor.Wirenet.557
Zillya Trojan.Weecnaw.Win32.761
TrendMicro Backdoor.Win32.NETWIRED.FDW
McAfee-GW-Edition GenericRXKH-LK!37035AA02A65
Trapmine malicious.moderate.ml.score
Emsisoft Trojan.Agent.FCZE (B)
SentinelOne Static AI - Suspicious PE
GData Win32.Trojan.Netwire.C
Jiangmin Backdoor.NetWiredRC.bld
Webroot W32.Trojan.Gen
Avira TR/Spy.Gen
MAX malware (ai score=100)
Antiy-AVL Trojan[Backdoor]/Win32.NetWiredRC
Kingsoft malware.kb.a.946
Gridinsoft Ransom.Win32.Wacatac.oa!s1
Xcitium Malware@#ehnx3s1qmj3r
Arcabit Trojan.Agent.FCZE
ZoneAlarm Backdoor.Win32.NetWiredRC.lsq
Microsoft Backdoor:Win32/Netwire.PA!MTB
Google Detected
AhnLab-V3 Trojan/Win32.RL_NetWiredRC.R342610
McAfee GenericRXKH-LK!37035AA02A65
DeepInstinct MALICIOUS
VBA32 BScope.TrojanSpy.Loyeetro
Malwarebytes Generic.Malware.AI.DDS
Panda Trj/CI.A