Overview

overview

10

Static

static

Absa.exe

windows7_x64

10

Absa.exe

windows10_x64

8

Analysis

  • max time kernel
    33s
  • max time network
    139s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    22-04-2021 06:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Absa.exe

  • Size

    1.1MB

  • MD5

    543b483edf1e71d19b7e2ca64ce9e2d9

  • SHA1

    9c91f6bf2f7d23f288119d95999e107308151f8a

  • SHA256

    71bb1f2e0a1aecf13985a354d05fb522c85746e08a01a858a4473237a96e85fd

  • SHA512

    b0f2111e1a7c6977548b983cfb1abc92b9d2690d04d7c85ef0cde35b869fcac9666163821212088dc90a5afb1c533adf69d7bbc53939caea6996a6187a9006a7

Score
10/10
nanocorenetwirebotnetkeyloggerpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

netwire

C2

194.5.97.181:3383

194.5.97.181:3385
Attributes
  • activex_autorun

    false

  • activex_key

  • copy_executable

    false

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • install_path

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • mutex

  • offline_keylogger

    true

  • password

    London@1961

  • registry_autorun

    false

  • startup_name

  • use_mutex

    false

Signatures

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

    keyloggertrojanstealerspywarenanocore
  • NetWire RAT payload 3 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Absa.exe
    "C:\Users\Admin\AppData\Local\Temp\Absa.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1948
    • C:\Users\Admin\59622800\wlxuupkxco.pif
      "C:\Users\Admin\59622800\wlxuupkxco.pif" kkffmheei.hhq
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:516
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        3⤵
          PID:792

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\59622800\kkffmheei.hhq
      MD5

      4676eded8ee04e1415e80b0fc16c9936

      SHA1

      1a1750fb869ef004ee77d52ac32d487556b39e56

      SHA256

      8a9beecd1526fad1f7667c35bc9210fae014581d558338368a0eaab2af3842d7

      SHA512

      3548de4ff048cf4a79895e9399ceac3d7e4874c5d9129bc1900a33423a833a9030aae77bb2234ec64debced3487eeb0eb7a84959ab69cec10460c1a9e9abf6b9

      Download Submit

    • C:\Users\Admin\59622800\wgrqinhn.pdf
      MD5

      dab594f358a04f4d32b6665900dad494

      SHA1

      2afc7733985ba9806a93f874f53826b4b8845ccf

      SHA256

      c9297b1510acf5a497e165884a6b56b5cd22809562f20bb0835e09674cfacd0a

      SHA512

      dd1b2c1d1b31476022ac31e9dc4af812ee73c82fc52a5544f8736c339494517de72a123575a92ac6a8a3483f4166adc697516b1c13ada3236111ae36c5b9f36c

      Download Submit

    • C:\Users\Admin\59622800\wlxuupkxco.pif
      MD5

      8697c9cc411d42f598243797c53bae95

      SHA1

      efa1efb4b5e463d42d6f496883297b7a47c23796

      SHA256

      be731b853d1752b83706346f2256d4f2d9e39207f066a0c6876044229b784a8d

      SHA512

      7982891c8dd3b41e2466f183377f6533981f7d3807eb40105ca996ad080420250fde54ab0710c8cc1adf7a453cc769683e0dff93b825fb7d486cd8bf739c784a

      Download Submit

    • \Users\Admin\59622800\wlxuupkxco.pif
      MD5

      8697c9cc411d42f598243797c53bae95

      SHA1

      efa1efb4b5e463d42d6f496883297b7a47c23796

      SHA256

      be731b853d1752b83706346f2256d4f2d9e39207f066a0c6876044229b784a8d

      SHA512

      7982891c8dd3b41e2466f183377f6533981f7d3807eb40105ca996ad080420250fde54ab0710c8cc1adf7a453cc769683e0dff93b825fb7d486cd8bf739c784a

      Download Submit

    • \Users\Admin\59622800\wlxuupkxco.pif
      MD5

      8697c9cc411d42f598243797c53bae95

      SHA1

      efa1efb4b5e463d42d6f496883297b7a47c23796

      SHA256

      be731b853d1752b83706346f2256d4f2d9e39207f066a0c6876044229b784a8d

      SHA512

      7982891c8dd3b41e2466f183377f6533981f7d3807eb40105ca996ad080420250fde54ab0710c8cc1adf7a453cc769683e0dff93b825fb7d486cd8bf739c784a

      Download Submit

    • \Users\Admin\59622800\wlxuupkxco.pif
      MD5

      8697c9cc411d42f598243797c53bae95

      SHA1

      efa1efb4b5e463d42d6f496883297b7a47c23796

      SHA256

      be731b853d1752b83706346f2256d4f2d9e39207f066a0c6876044229b784a8d

      SHA512

      7982891c8dd3b41e2466f183377f6533981f7d3807eb40105ca996ad080420250fde54ab0710c8cc1adf7a453cc769683e0dff93b825fb7d486cd8bf739c784a

      Download Submit

    • \Users\Admin\59622800\wlxuupkxco.pif
      MD5

      8697c9cc411d42f598243797c53bae95

      SHA1

      efa1efb4b5e463d42d6f496883297b7a47c23796

      SHA256

      be731b853d1752b83706346f2256d4f2d9e39207f066a0c6876044229b784a8d

      SHA512

      7982891c8dd3b41e2466f183377f6533981f7d3807eb40105ca996ad080420250fde54ab0710c8cc1adf7a453cc769683e0dff93b825fb7d486cd8bf739c784a

      Download Submit

    • memory/516-65-0x0000000000000000-mapping.dmp

      Download

    • memory/792-70-0x0000000000240000-0x0000000000869000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/792-71-0x000000000024242D-mapping.dmp

      Download

    • memory/792-73-0x0000000000240000-0x0000000000869000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/1948-60-0x0000000075511000-0x0000000075513000-memory.dmp

      Filesize

      8KB

      Download