Overview

overview

10

Static

static

Begantoda[1].exe

windows7_x64

10

Begantoda[1].exe

windows10_x64

10

Analysis

  • max time kernel
    117s
  • max time network
    116s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    03-03-2021 20:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Begantoda[1].exe

  • Size

    586KB

  • MD5

    b4ff2825679835badd44aaa15256638c

  • SHA1

    f67f7fac7368250b8df4d0a9b05408f775fe5f9c

  • SHA256

    691f3e4b532cb3802630762dadc0eb5f894a6b5463ab5723ef67379ef3f9d31f

  • SHA512

    33339d4ca2687a802ae61679bba672f926020fb319794e84bbdc84c3e68c744b8e241784f2ae5daa08ac78f58ca570539cd1ba446ec3ee4315c032937369db5a

Score
10/10
netwirebotnetratstealer

Malware Config

Signatures

  • NetWire RAT payload 3 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Begantoda[1].exe
    "C:\Users\Admin\AppData\Local\Temp\Begantoda[1].exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:828
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      2⤵
        PID:2836
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\pOwERsHeLl.exe
        "pOwERsHeLl.exe" Copy-Item 'C:\Users\Admin\AppData\Local\Temp\Begantoda[1].exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Trevorrendo.exe'
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3364

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/828-2-0x0000000073BB0000-0x000000007429E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/828-3-0x0000000000230000-0x0000000000231000-memory.dmp

      Filesize

      4KB

      Download

    • memory/828-5-0x0000000004B60000-0x0000000004B61000-memory.dmp

      Filesize

      4KB

      Download

    • memory/828-6-0x0000000005100000-0x0000000005101000-memory.dmp

      Filesize

      4KB

      Download

    • memory/828-7-0x0000000004C00000-0x0000000004C01000-memory.dmp

      Filesize

      4KB

      Download

    • memory/828-8-0x0000000004D60000-0x0000000004D61000-memory.dmp

      Filesize

      4KB

      Download

    • memory/828-9-0x0000000004AE0000-0x0000000004AE1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/828-10-0x0000000004E30000-0x0000000004E31000-memory.dmp

      Filesize

      4KB

      Download

    • memory/828-11-0x0000000004D63000-0x0000000004D65000-memory.dmp

      Filesize

      8KB

      Download

    • memory/828-12-0x0000000004D65000-0x0000000004D66000-memory.dmp

      Filesize

      4KB

      Download

    • memory/828-13-0x0000000004D66000-0x0000000004D67000-memory.dmp

      Filesize

      4KB

      Download

    • memory/828-14-0x0000000004D67000-0x0000000004D68000-memory.dmp

      Filesize

      4KB

      Download

    • memory/828-15-0x0000000004D68000-0x0000000004D69000-memory.dmp

      Filesize

      4KB

      Download

    • memory/828-16-0x0000000004D69000-0x0000000004D6F000-memory.dmp

      Filesize

      24KB

      Download

    • memory/828-17-0x0000000005010000-0x000000000501C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/2836-19-0x000000000040242D-mapping.dmp

      Download

    • memory/2836-24-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/2836-18-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/3364-27-0x0000000006EA0000-0x0000000006EA1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3364-30-0x00000000079F0000-0x00000000079F1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3364-23-0x0000000007050000-0x0000000007051000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3364-21-0x0000000073BB0000-0x000000007429E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/3364-25-0x0000000004660000-0x0000000004661000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3364-26-0x0000000004662000-0x0000000004663000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3364-20-0x0000000000000000-mapping.dmp

      Download

    • memory/3364-28-0x0000000007680000-0x0000000007681000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3364-29-0x00000000076F0000-0x00000000076F1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3364-22-0x0000000004530000-0x0000000004531000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3364-31-0x00000000077C0000-0x00000000077C1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3364-32-0x0000000007D80000-0x0000000007D81000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3364-33-0x00000000080A0000-0x00000000080A1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3364-34-0x0000000008D90000-0x0000000008D91000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3364-35-0x0000000008D30000-0x0000000008D31000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3364-36-0x0000000008E40000-0x0000000008E41000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3364-38-0x0000000004663000-0x0000000004664000-memory.dmp

      Filesize

      4KB

      Download