Summary | ZeroBOX

updates.exe

NetWire RAT, Browser Login Data Stealer, Malicious Library, UPX, Malicious Packer, GIF Format, Lnk Format, PE64, PE File, OS Processor Check, PE32
Category: FILE
Machine: s1_win7_x6403_us
Started: Nov. 26, 2023, 1:32 p.m.
Completed: Nov. 26, 2023, 1:57 p.m.
Size: 2.9MB
Type: PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
MD5: 2b5eca0c8dcfd123b1790a137feb4146
SHA256: 1f64ef3c5f7690033cf54608c3f4ba61a99c1494a2a2d5aa06f8b6634d8e305b
CRC32: A90BD86D
ssdeep: 49152:Qmd9Cf3Vvwxrb/T2vO90d7HjmAFd4A64nsfJdVfZgXKRQHfDTJz1jStov0hlZ0Az:+3qH8qo8V0A
Yara
  • Malicious_Library_Zero - Malicious_Library
  • Malicious_Packer_Zero - Malicious Packer
  • PE_Header_Zero - PE File Signature
  • IsPE64 - (no description)
  • UPX_Zero - UPX packed file

Name: needforrat.hopto.org (Response / Post-Analysis Lookup: none recorded)
IP Address: 164.124.101.2  Status: Active  Action: Moloch

Suricata Alerts

Flow: UDP 192.168.56.103:64894 -> 164.124.101.2:53
SID: 2028681
Signature: ET POLICY DNS Query to DynDNS Domain *.hopto .org
Category: Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameW
  computer_name: TEST22-PC
  Status: 1  Return: 1  Repeated: 0

GetComputerNameW
  computer_name: TEST22-PC
  Status: 1  Return: 1  Repeated: 0

GlobalMemoryStatusEx
  Status: 1  Return: 1  Repeated: 0
section .symtab
domain needforrat.hopto.org
NtAllocateVirtualMemory
  process_identifier: 1236
  region_size: 65536
  stack_dep_bypass: 0
  stack_pivoted: 0
  heap_dep_bypass: 0
  protection: 64 (PAGE_EXECUTE_READWRITE)
  base_address: 0x0000000006be0000
  allocation_type: 4096 (MEM_COMMIT)
  process_handle: 0xffffffffffffffff
  Status: 1  Return: 0  Repeated: 0
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TestLink.lnk
file C:\Users\test22\AppData\Local\Temp\go-memexec-2265040774.exe
section /19: virtual_address 0x0027b000, virtual_size 0x000250e2, size_of_data 0x00025200, entropy 7.994340505844019 (A section with a high entropy has been found)
section /32: virtual_address 0x002a1000, virtual_size 0x000072b7, size_of_data 0x00007400, entropy 7.924061196329007 (A section with a high entropy has been found)
section /65: virtual_address 0x002aa000, virtual_size 0x00040735, size_of_data 0x00040800, entropy 7.996590037460738 (A section with a high entropy has been found)
section /78: virtual_address 0x002eb000, virtual_size 0x000292b8, size_of_data 0x00029400, entropy 7.990850969829446 (A section with a high entropy has been found)
section /90: virtual_address 0x00315000, virtual_size 0x0000c24b, size_of_data 0x0000c400, entropy 7.794339889247348 (A section with a high entropy has been found)
entropy 0.220918367347: Overall entropy of this PE file is high
LdrGetProcedureAddress
  ordinal: 0
  function_address: 0x000007fefe467a50
  function_name: wine_get_version
  module: ntdll
  module_address: 0x00000000776c0000
  Return: -1073741511  Repeated: 0
Bkav W64.AIDetectMalware
Lionic Trojan.Win32.Tasker.tsbe
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKD.61684544
Skyhigh BehavesLike.Win64.Backdoor.vh
ALYac Backdoor.RAT.Netwire
Cylance unsafe
Zillya Dropper.Agent.Win32.511527
Sangfor Trojan.Win32.Save.a
K7AntiVirus Trojan ( 0058879c1 )
Alibaba TrojanDropper:Win32/NetWire.0ee943b3
K7GW Trojan ( 0058879c1 )
Arcabit Trojan.Generic.D3AD3B40
VirIT Trojan.Win32.Genus.DPKP
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of WinGo/TrojanDropper.Agent.K
Cynet Malicious (score: 99)
APEX Malicious
ClamAV Win.Malware.Wingo-9966132-0
Kaspersky Trojan.Win32.NetWire.kux
BitDefender Trojan.GenericKD.61684544
Avast Win64:Evo-gen [Trj]
Tencent Win32.Trojan.Netwire.Anhl
Emsisoft Trojan.GenericKD.61684544 (B)
F-Secure Heuristic.HEUR/AGEN.1318165
DrWeb Trojan.MulDrop20.50375
VIPRE Trojan.GenericKD.61684544
FireEye Trojan.GenericKD.61684544
Sophos ATK/Ekocit-A
Ikarus Trojan-Dropper.WinGo.Agent
Webroot W32.Trojan.GenKD
Varist W64/ABTrojan.XGHI-8480
Avira HEUR/AGEN.1318165
Antiy-AVL Trojan[Dropper]/Win32.Agent
Xcitium Malware@#3d9w0t89m7uad
Microsoft VirTool:Win32/Ekocit.A!MTB
ZoneAlarm Trojan.Win32.NetWire.kux
GData Trojan.GenericKD.61684544
Google Detected
AhnLab-V3 Trojan/Win.Ekocit.R525732
McAfee Artemis!2B5ECA0C8DCF
MAX malware (ai score=82)
VBA32 Trojan.NetWiredRC
Malwarebytes Generic.Malware/Suspicious
Panda Trj/CI.A
SentinelOne Static AI - Suspicious PE
MaxSecure Trojan.Malware.187683045.susgen
Fortinet W64/Agent.K!tr
AVG Win64:Evo-gen [Trj]
DeepInstinct MALICIOUS