Report - sysWow64-e1.exe

NetWire RAT PE32 OS Processor Check PE File
ScreenShot
Created 2021.07.10 10:38 Machine s1_win7_x6401
Filename sysWow64-e1.exe
Type PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
AI Score
10
Behavior Score
3.0
ZERO API file : clean
VT API (file) 54 detected (malicious, high confidence, Wirenet, FCZE, GenericRXKH, Unsafe, Weecnaw, Save, ZexaF, kCW@amFOnfo, Eldorado, NetWire, hlbptg, RATX, Gencirc, NETWIRED, PWSZbot, Static AI, Suspicious PE, NetWiredRC, ai score=80, ASMalwS, Wacatac, score, R342610, BScope, Loyeetro, Quasar, CLASSIC, GenAsa, DOgbQEDHp9A, Ulise, Genetic, confidence, 100%, HxQBdCcA)
md5 715788fb520b3873db406fdf59521afa
sha256 dbe60153ede523dc838e9289aa0b43c5022c182b85396381b96b5d44c1698e27
ssdeep 3072:HOzPcXa+ND32eioGHlz8rnAE0HCXh0edLvCYMjMqqDvFf:HOTcK+NrRioGHlz8rz0i/CzQqqDvFf
imphash 4563c74acbd357d386b177e402b96ce4
impfuzzy 48:6ljLMdjaGOsCvaq1ed+nc1S4l4nqUhsNX/KAT/4rz0Gy9dPFFEkLinB095XlfAk+:6lnM15dCv51ed6c1ll4nqUhCaBZOs+U
  Network IP location

Signature (5cnts)

Level Description
danger File has been identified by 54 AntiVirus engines on VirusTotal as malicious
watch Communicates with host for which no DNS query was performed
watch Installs itself for autorun at Windows startup
notice The binary likely contains encrypted or compressed data indicative of a packer
info Queries for the computername

Rules (4cnts)

Level Name Description Collection
danger NetWire_RAT_Zero NetWire RAT binaries (upload)
info IsPE32 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (1cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
66.42.43.177 JP AS-CHOOPA 66.42.43.177 clean

Suricata ids

PE API

IAT(Import Address Table) Library

ADVAPI32.DLL
 0x43039c CryptAcquireContextA
 0x4303a0 CryptCreateHash
 0x4303a4 CryptDestroyHash
 0x4303a8 CryptGetHashParam
 0x4303ac CryptHashData
 0x4303b0 CryptReleaseContext
 0x4303b4 GetUserNameW
 0x4303b8 RegCloseKey
 0x4303bc RegCreateKeyExA
 0x4303c0 RegDeleteKeyA
 0x4303c4 RegDeleteValueA
 0x4303c8 RegEnumKeyExA
 0x4303cc RegEnumValueA
 0x4303d0 RegOpenKeyExA
 0x4303d4 RegQueryValueExA
 0x4303d8 RegSetValueExA
CRYPT32.DLL
 0x4303e0 CryptUnprotectData
GDI32.dll
 0x4303e8 BitBlt
 0x4303ec CreateCompatibleBitmap
 0x4303f0 CreateCompatibleDC
 0x4303f4 DeleteDC
 0x4303f8 DeleteObject
 0x4303fc GetDIBits
 0x430400 SelectObject
KERNEL32.dll
 0x430408 CloseHandle
 0x43040c CreateDirectoryW
 0x430410 CreateFileW
 0x430414 CreateMutexA
 0x430418 CreatePipe
 0x43041c CreateProcessA
 0x430420 CreateToolhelp32Snapshot
 0x430424 DeleteFileW
 0x430428 EnterCriticalSection
 0x43042c ExitProcess
 0x430430 FileTimeToSystemTime
 0x430434 FindClose
 0x430438 FindFirstFileA
 0x43043c FindFirstFileW
 0x430440 FindNextFileA
 0x430444 FindNextFileW
 0x430448 FreeLibrary
 0x43044c GetCommandLineA
 0x430450 GetComputerNameW
 0x430454 GetCurrentProcessId
 0x430458 GetCurrentThreadId
 0x43045c GetDiskFreeSpaceExA
 0x430460 GetDriveTypeA
 0x430464 GetFileAttributesExW
 0x430468 GetFileAttributesW
 0x43046c GetLastError
 0x430470 GetLocalTime
 0x430474 GetLogicalDriveStringsA
 0x430478 GetModuleFileNameW
 0x43047c GetProcAddress
 0x430480 GetProcessTimes
 0x430484 GetStartupInfoA
 0x430488 GetSystemInfo
 0x43048c GetSystemTime
 0x430490 GetTickCount
 0x430494 GetVersionExA
 0x430498 GetVolumeInformationA
 0x43049c InitializeCriticalSection
 0x4304a0 LeaveCriticalSection
 0x4304a4 LoadLibraryA
 0x4304a8 LocalFree
 0x4304ac MoveFileW
 0x4304b0 MultiByteToWideChar
 0x4304b4 OpenProcess
 0x4304b8 PeekNamedPipe
 0x4304bc Process32First
 0x4304c0 Process32Next
 0x4304c4 ReadFile
 0x4304c8 ReleaseMutex
 0x4304cc ResumeThread
 0x4304d0 SetErrorMode
 0x4304d4 SetFileAttributesW
 0x4304d8 SetFilePointer
 0x4304dc Sleep
 0x4304e0 TerminateProcess
 0x4304e4 WideCharToMultiByte
 0x4304e8 WriteFile
msvcrt.dll
 0x4304f0 _assert
 0x4304f4 _beginthreadex
 0x4304f8 _errno
 0x4304fc _filelengthi64
 0x430500 _mkdir
 0x430504 _snwprintf
 0x430508 _stat
 0x43050c _vscprintf
 0x430510 _vsnprintf
 0x430514 _wfopen
 0x430518 calloc
 0x43051c fclose
 0x430520 fflush
 0x430524 fgetpos
 0x430528 fgets
 0x43052c fopen
 0x430530 fread
 0x430534 free
 0x430538 freopen
 0x43053c fseek
 0x430540 fsetpos
 0x430544 ftell
 0x430548 fwprintf
 0x43054c fwrite
 0x430550 getenv
 0x430554 localtime
 0x430558 malloc
 0x43055c memcmp
 0x430560 mktime
 0x430564 realloc
 0x430568 remove
 0x43056c sprintf
 0x430570 strcat
 0x430574 strchr
 0x430578 strcmp
 0x43057c strcpy
 0x430580 strncpy
 0x430584 time
 0x430588 utime
 0x43058c wcscat
NETAPI32.DLL
 0x430594 NetApiBufferFree
 0x430598 NetWkstaGetInfo
SHELL32.DLL
 0x4305a0 SHFileOperationW
 0x4305a4 ShellExecuteA
 0x4305a8 ShellExecuteW
USER32.dll
 0x4305b0 CreateWindowExW
 0x4305b4 DefWindowProcW
 0x4305b8 DispatchMessageA
 0x4305bc EnumWindows
 0x4305c0 GetDC
 0x4305c4 GetDesktopWindow
 0x4305c8 GetForegroundWindow
 0x4305cc GetKeyNameTextW
 0x4305d0 GetKeyState
 0x4305d4 GetKeyboardState
 0x4305d8 GetLastInputInfo
 0x4305dc GetMessageW
 0x4305e0 GetSystemMetrics
 0x4305e4 GetWindowTextW
 0x4305e8 IsWindowVisible
 0x4305ec MapVirtualKeyW
 0x4305f0 PostQuitMessage
 0x4305f4 RegisterClassExW
 0x4305f8 ReleaseDC
 0x4305fc SendMessageA
 0x430600 SendMessageW
 0x430604 SetCursorPos
 0x430608 SetWindowTextW
 0x43060c ShowWindow
 0x430610 ToUnicode
 0x430614 TranslateMessage
 0x430618 keybd_event
 0x43061c mouse_event
WS2_32.dll
 0x430624 WSACleanup
 0x430628 WSAGetLastError
 0x43062c WSAIoctl
 0x430630 WSAStartup
 0x430634 __WSAFDIsSet
 0x430638 closesocket
 0x43063c connect
 0x430640 gethostbyname
 0x430644 htons
 0x430648 inet_ntoa
 0x43064c ioctlsocket
 0x430650 ntohs
 0x430654 recv
 0x430658 select
 0x43065c send
 0x430660 setsockopt
 0x430664 shutdown
 0x430668 socket

EAT(Export Address Table) Library



Similarity measure (PE file only) - Checking for service failure