ScreenShot
| Created | 2021.07.10 10:38 | Machine | s1_win7_x6401 |
| Filename | sysWow64-e1.exe | ||
| Type | PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 54 detected (malicious, high confidence, Wirenet, FCZE, GenericRXKH, Unsafe, Weecnaw, Save, ZexaF, kCW@amFOnfo, Eldorado, NetWire, hlbptg, RATX, Gencirc, NETWIRED, PWSZbot, Static AI, Suspicious PE, NetWiredRC, ai score=80, ASMalwS, Wacatac, score, R342610, BScope, Loyeetro, Quasar, CLASSIC, GenAsa, DOgbQEDHp9A, Ulise, Genetic, confidence, 100%, HxQBdCcA) | ||
| md5 | 715788fb520b3873db406fdf59521afa | ||
| sha256 | dbe60153ede523dc838e9289aa0b43c5022c182b85396381b96b5d44c1698e27 | ||
| ssdeep | 3072:HOzPcXa+ND32eioGHlz8rnAE0HCXh0edLvCYMjMqqDvFf:HOTcK+NrRioGHlz8rz0i/CzQqqDvFf | ||
| imphash | 4563c74acbd357d386b177e402b96ce4 | ||
| impfuzzy | 48:6ljLMdjaGOsCvaq1ed+nc1S4l4nqUhsNX/KAT/4rz0Gy9dPFFEkLinB095XlfAk+:6lnM15dCv51ed6c1ll4nqUhCaBZOs+U | ||
Network IP location
Signature (5cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 54 AntiVirus engines on VirusTotal as malicious |
| watch | Communicates with host for which no DNS query was performed |
| watch | Installs itself for autorun at Windows startup |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| info | Queries for the computername |
Rules (4cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| danger | NetWire_RAT_Zero | NetWire RAT | binaries (upload) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
PE API
IAT(Import Address Table) Library
ADVAPI32.DLL
0x43039c CryptAcquireContextA
0x4303a0 CryptCreateHash
0x4303a4 CryptDestroyHash
0x4303a8 CryptGetHashParam
0x4303ac CryptHashData
0x4303b0 CryptReleaseContext
0x4303b4 GetUserNameW
0x4303b8 RegCloseKey
0x4303bc RegCreateKeyExA
0x4303c0 RegDeleteKeyA
0x4303c4 RegDeleteValueA
0x4303c8 RegEnumKeyExA
0x4303cc RegEnumValueA
0x4303d0 RegOpenKeyExA
0x4303d4 RegQueryValueExA
0x4303d8 RegSetValueExA
CRYPT32.DLL
0x4303e0 CryptUnprotectData
GDI32.dll
0x4303e8 BitBlt
0x4303ec CreateCompatibleBitmap
0x4303f0 CreateCompatibleDC
0x4303f4 DeleteDC
0x4303f8 DeleteObject
0x4303fc GetDIBits
0x430400 SelectObject
KERNEL32.dll
0x430408 CloseHandle
0x43040c CreateDirectoryW
0x430410 CreateFileW
0x430414 CreateMutexA
0x430418 CreatePipe
0x43041c CreateProcessA
0x430420 CreateToolhelp32Snapshot
0x430424 DeleteFileW
0x430428 EnterCriticalSection
0x43042c ExitProcess
0x430430 FileTimeToSystemTime
0x430434 FindClose
0x430438 FindFirstFileA
0x43043c FindFirstFileW
0x430440 FindNextFileA
0x430444 FindNextFileW
0x430448 FreeLibrary
0x43044c GetCommandLineA
0x430450 GetComputerNameW
0x430454 GetCurrentProcessId
0x430458 GetCurrentThreadId
0x43045c GetDiskFreeSpaceExA
0x430460 GetDriveTypeA
0x430464 GetFileAttributesExW
0x430468 GetFileAttributesW
0x43046c GetLastError
0x430470 GetLocalTime
0x430474 GetLogicalDriveStringsA
0x430478 GetModuleFileNameW
0x43047c GetProcAddress
0x430480 GetProcessTimes
0x430484 GetStartupInfoA
0x430488 GetSystemInfo
0x43048c GetSystemTime
0x430490 GetTickCount
0x430494 GetVersionExA
0x430498 GetVolumeInformationA
0x43049c InitializeCriticalSection
0x4304a0 LeaveCriticalSection
0x4304a4 LoadLibraryA
0x4304a8 LocalFree
0x4304ac MoveFileW
0x4304b0 MultiByteToWideChar
0x4304b4 OpenProcess
0x4304b8 PeekNamedPipe
0x4304bc Process32First
0x4304c0 Process32Next
0x4304c4 ReadFile
0x4304c8 ReleaseMutex
0x4304cc ResumeThread
0x4304d0 SetErrorMode
0x4304d4 SetFileAttributesW
0x4304d8 SetFilePointer
0x4304dc Sleep
0x4304e0 TerminateProcess
0x4304e4 WideCharToMultiByte
0x4304e8 WriteFile
msvcrt.dll
0x4304f0 _assert
0x4304f4 _beginthreadex
0x4304f8 _errno
0x4304fc _filelengthi64
0x430500 _mkdir
0x430504 _snwprintf
0x430508 _stat
0x43050c _vscprintf
0x430510 _vsnprintf
0x430514 _wfopen
0x430518 calloc
0x43051c fclose
0x430520 fflush
0x430524 fgetpos
0x430528 fgets
0x43052c fopen
0x430530 fread
0x430534 free
0x430538 freopen
0x43053c fseek
0x430540 fsetpos
0x430544 ftell
0x430548 fwprintf
0x43054c fwrite
0x430550 getenv
0x430554 localtime
0x430558 malloc
0x43055c memcmp
0x430560 mktime
0x430564 realloc
0x430568 remove
0x43056c sprintf
0x430570 strcat
0x430574 strchr
0x430578 strcmp
0x43057c strcpy
0x430580 strncpy
0x430584 time
0x430588 utime
0x43058c wcscat
NETAPI32.DLL
0x430594 NetApiBufferFree
0x430598 NetWkstaGetInfo
SHELL32.DLL
0x4305a0 SHFileOperationW
0x4305a4 ShellExecuteA
0x4305a8 ShellExecuteW
USER32.dll
0x4305b0 CreateWindowExW
0x4305b4 DefWindowProcW
0x4305b8 DispatchMessageA
0x4305bc EnumWindows
0x4305c0 GetDC
0x4305c4 GetDesktopWindow
0x4305c8 GetForegroundWindow
0x4305cc GetKeyNameTextW
0x4305d0 GetKeyState
0x4305d4 GetKeyboardState
0x4305d8 GetLastInputInfo
0x4305dc GetMessageW
0x4305e0 GetSystemMetrics
0x4305e4 GetWindowTextW
0x4305e8 IsWindowVisible
0x4305ec MapVirtualKeyW
0x4305f0 PostQuitMessage
0x4305f4 RegisterClassExW
0x4305f8 ReleaseDC
0x4305fc SendMessageA
0x430600 SendMessageW
0x430604 SetCursorPos
0x430608 SetWindowTextW
0x43060c ShowWindow
0x430610 ToUnicode
0x430614 TranslateMessage
0x430618 keybd_event
0x43061c mouse_event
WS2_32.dll
0x430624 WSACleanup
0x430628 WSAGetLastError
0x43062c WSAIoctl
0x430630 WSAStartup
0x430634 __WSAFDIsSet
0x430638 closesocket
0x43063c connect
0x430640 gethostbyname
0x430644 htons
0x430648 inet_ntoa
0x43064c ioctlsocket
0x430650 ntohs
0x430654 recv
0x430658 select
0x43065c send
0x430660 setsockopt
0x430664 shutdown
0x430668 socket
EAT(Export Address Table) Library
ADVAPI32.DLL
0x43039c CryptAcquireContextA
0x4303a0 CryptCreateHash
0x4303a4 CryptDestroyHash
0x4303a8 CryptGetHashParam
0x4303ac CryptHashData
0x4303b0 CryptReleaseContext
0x4303b4 GetUserNameW
0x4303b8 RegCloseKey
0x4303bc RegCreateKeyExA
0x4303c0 RegDeleteKeyA
0x4303c4 RegDeleteValueA
0x4303c8 RegEnumKeyExA
0x4303cc RegEnumValueA
0x4303d0 RegOpenKeyExA
0x4303d4 RegQueryValueExA
0x4303d8 RegSetValueExA
CRYPT32.DLL
0x4303e0 CryptUnprotectData
GDI32.dll
0x4303e8 BitBlt
0x4303ec CreateCompatibleBitmap
0x4303f0 CreateCompatibleDC
0x4303f4 DeleteDC
0x4303f8 DeleteObject
0x4303fc GetDIBits
0x430400 SelectObject
KERNEL32.dll
0x430408 CloseHandle
0x43040c CreateDirectoryW
0x430410 CreateFileW
0x430414 CreateMutexA
0x430418 CreatePipe
0x43041c CreateProcessA
0x430420 CreateToolhelp32Snapshot
0x430424 DeleteFileW
0x430428 EnterCriticalSection
0x43042c ExitProcess
0x430430 FileTimeToSystemTime
0x430434 FindClose
0x430438 FindFirstFileA
0x43043c FindFirstFileW
0x430440 FindNextFileA
0x430444 FindNextFileW
0x430448 FreeLibrary
0x43044c GetCommandLineA
0x430450 GetComputerNameW
0x430454 GetCurrentProcessId
0x430458 GetCurrentThreadId
0x43045c GetDiskFreeSpaceExA
0x430460 GetDriveTypeA
0x430464 GetFileAttributesExW
0x430468 GetFileAttributesW
0x43046c GetLastError
0x430470 GetLocalTime
0x430474 GetLogicalDriveStringsA
0x430478 GetModuleFileNameW
0x43047c GetProcAddress
0x430480 GetProcessTimes
0x430484 GetStartupInfoA
0x430488 GetSystemInfo
0x43048c GetSystemTime
0x430490 GetTickCount
0x430494 GetVersionExA
0x430498 GetVolumeInformationA
0x43049c InitializeCriticalSection
0x4304a0 LeaveCriticalSection
0x4304a4 LoadLibraryA
0x4304a8 LocalFree
0x4304ac MoveFileW
0x4304b0 MultiByteToWideChar
0x4304b4 OpenProcess
0x4304b8 PeekNamedPipe
0x4304bc Process32First
0x4304c0 Process32Next
0x4304c4 ReadFile
0x4304c8 ReleaseMutex
0x4304cc ResumeThread
0x4304d0 SetErrorMode
0x4304d4 SetFileAttributesW
0x4304d8 SetFilePointer
0x4304dc Sleep
0x4304e0 TerminateProcess
0x4304e4 WideCharToMultiByte
0x4304e8 WriteFile
msvcrt.dll
0x4304f0 _assert
0x4304f4 _beginthreadex
0x4304f8 _errno
0x4304fc _filelengthi64
0x430500 _mkdir
0x430504 _snwprintf
0x430508 _stat
0x43050c _vscprintf
0x430510 _vsnprintf
0x430514 _wfopen
0x430518 calloc
0x43051c fclose
0x430520 fflush
0x430524 fgetpos
0x430528 fgets
0x43052c fopen
0x430530 fread
0x430534 free
0x430538 freopen
0x43053c fseek
0x430540 fsetpos
0x430544 ftell
0x430548 fwprintf
0x43054c fwrite
0x430550 getenv
0x430554 localtime
0x430558 malloc
0x43055c memcmp
0x430560 mktime
0x430564 realloc
0x430568 remove
0x43056c sprintf
0x430570 strcat
0x430574 strchr
0x430578 strcmp
0x43057c strcpy
0x430580 strncpy
0x430584 time
0x430588 utime
0x43058c wcscat
NETAPI32.DLL
0x430594 NetApiBufferFree
0x430598 NetWkstaGetInfo
SHELL32.DLL
0x4305a0 SHFileOperationW
0x4305a4 ShellExecuteA
0x4305a8 ShellExecuteW
USER32.dll
0x4305b0 CreateWindowExW
0x4305b4 DefWindowProcW
0x4305b8 DispatchMessageA
0x4305bc EnumWindows
0x4305c0 GetDC
0x4305c4 GetDesktopWindow
0x4305c8 GetForegroundWindow
0x4305cc GetKeyNameTextW
0x4305d0 GetKeyState
0x4305d4 GetKeyboardState
0x4305d8 GetLastInputInfo
0x4305dc GetMessageW
0x4305e0 GetSystemMetrics
0x4305e4 GetWindowTextW
0x4305e8 IsWindowVisible
0x4305ec MapVirtualKeyW
0x4305f0 PostQuitMessage
0x4305f4 RegisterClassExW
0x4305f8 ReleaseDC
0x4305fc SendMessageA
0x430600 SendMessageW
0x430604 SetCursorPos
0x430608 SetWindowTextW
0x43060c ShowWindow
0x430610 ToUnicode
0x430614 TranslateMessage
0x430618 keybd_event
0x43061c mouse_event
WS2_32.dll
0x430624 WSACleanup
0x430628 WSAGetLastError
0x43062c WSAIoctl
0x430630 WSAStartup
0x430634 __WSAFDIsSet
0x430638 closesocket
0x43063c connect
0x430640 gethostbyname
0x430644 htons
0x430648 inet_ntoa
0x43064c ioctlsocket
0x430650 ntohs
0x430654 recv
0x430658 select
0x43065c send
0x430660 setsockopt
0x430664 shutdown
0x430668 socket
EAT(Export Address Table) Library