Overview

overview

10

Static

static

bola.exe

windows7_x64

10

bola.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    125s
  • platform
    windows10_x64
  • resource
    win10
  • submitted
    13-07-2020 06:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bola.exe

  • Size

    916KB

  • MD5

    b91a3a7f7fa25bdb645550906e15ba65

  • SHA1

    6d4bb0f94257f9928d4ccdcaf6bd025b64242c72

  • SHA256

    cd452913de86b1fe2e5ffd2489769fdc4c3900848f04481710a2e669b69d0e64

  • SHA512

    4fe893890119a4291493825272b5032e4bbda3f105fec934f7beee57defa7b984a1361138612eb33d7c8e12726af59c9659a6fae5a1209eb2c8241df726a42dc

Score
10/10
ratbotnetstealernetwire

Malware Config

Signatures

  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Suspicious use of WriteProcessMemory 14 IoCs
  • Executes dropped EXE 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • NTFS ADS 1 IoCs
  • Drops startup file 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 828 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • NetWire RAT payload 2 IoCs
    rat

Processes

  • C:\Users\Admin\AppData\Local\Temp\bola.exe
    "C:\Users\Admin\AppData\Local\Temp\bola.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    • Suspicious behavior: EnumeratesProcesses
    PID:2728
    • C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\system32\notepad.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      • NTFS ADS
      • Drops startup file
      PID:3936
      • C:\Users\Admin\AppData\Roaming\rtyt\kjuy.exe
        "C:\Users\Admin\AppData\Roaming\rtyt\kjuy.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        PID:4024
        • C:\Users\Admin\AppData\Roaming\rtyt\kjuy.exe
          "C:\Users\Admin\AppData\Roaming\rtyt\kjuy.exe"
          4⤵
          • Executes dropped EXE
          PID:1836
        • C:\Users\Admin\AppData\Roaming\rtyt\kjuy.exe
          "C:\Users\Admin\AppData\Roaming\rtyt\kjuy.exe" 2 1836 166593
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          PID:3700

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1836-4-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

    Download

  • memory/1836-8-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

    Download