General

  • Target

    suspicious.7z

  • Size

    153KB

  • Sample

    210622-egjfz63ajx

  • MD5

    c17d89accbb49871febfdf9232933eb7

  • SHA1

    fee016c094d77effaa4684b6e7b662cce63a3deb

  • SHA256

    ad11544500a2b130ea4bd8f77a86a65d2c4d08efd6bb80de98a2bb5703cdbb0f

  • SHA512

    2346830d8499d1af164ba14b58f6e5d73cc73e32e53903875cb7539893df112501fa186c2686f1804cb8dd4ad2be797ebc828c27e35ae559271ab17dbd1d897c

Malware Config

Extracted

  • Family

    netwire

  • C2

    37.233.101.73:8888
    213.152.162.104:8747
    213.152.162.170:8747
    213.152.162.109:8747
    213.152.162.89:8747
    109.232.227.138:8747
    109.232.227.133:8747
    213.152.161.211:8747
    213.152.162.94:8747
    213.152.161.35:8747
    213.152.180.5:8747

Attributes

  • activex_autorun

    true

  • activex_key

    {H15R52OJ-8CJI-H436-22TJ-P25072J3Q326}

  • copy_executable

    true

  • delete_original

    true

  • host_id

    IP

  • install_path

    %AppData%\Install\Host.exe

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    true

  • mutex

    bmhJQHdn

  • offline_keylogger

    true

  • password

    DAWAJkurwoKASEniePIERDOL

  • registry_autorun

    true

  • startup_name

    NetWire

  • use_mutex

    true

Targets

    • Target

      suspicious.file

    • Size

      161KB

    • MD5

      0255bd3821f28877f068e8d9dc7cc22b

    • SHA1

      73064d0b8d0c9359665d31db4a6e8e19a8d47b87

    • SHA256

      1c7f0b3ab5e64a3a8d2182e10b8c0ab78c63c505273505fc50fc9810962ab83b

    • SHA512

      812ed4fe0d44c67514e808f451e46d5282a8e758e6dbb732e3d8f8d3ddf6223f69bed980792ad0852f66d895f8752328f42a577785c57747391598e915cd30d9

    • NetWire RAT payload

    • Netwire

      Netwire is a RAT whose main functionality is focused on password stealing and keylogging, and it also includes remote control capabilities.

    • Executes dropped EXE

    • Modifies Installed Components in the registry

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Deletes itself

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence

    Registry Run Keys / Startup Folder (T1060): 2

  • Defense Evasion

    Modify Registry (T1112): 2

  • Discovery

    System Information Discovery (T1082): 1

Tasks