Overview

overview

10

Static

static

10

Host.bin.exe

windows7_x64

10

Host.bin.exe

windows10_x64

10

Analysis

  • max time kernel
    1713s
  • max time network
    1754s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    23-06-2021 21:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Host.bin.exe

  • Size

    160KB

  • MD5

    cf67f5a6456cb27efb88ec441c1b121b

  • SHA1

    8bf4c0a06df97dba8ced5fdb504982c365044597

  • SHA256

    f54b2f764ed7112c3a11adf056a54b8646f23093fbc52ce0e07a184f5dd69fcc

  • SHA512

    117f55a6a3d5be6c186d71ff03064cde75d31f0859957b821d6de98b4208c24fc13aadfe60e2fe5f721360d7aff5451d016c38ef04592124af40baeb2333d8f7

Score
10/10
netwirebotnetpersistenceratstealer

Malware Config

Extracted

Family

netwire

C2

82.156.233.85:80

Attributes
  • activex_autorun

    false

  • activex_key

  • copy_executable

    true

  • delete_original

    true

  • host_id

    HostId-%Rand%

  • install_path

    %AppData%\Install\Host.exe

  • keylogger_dir

  • lock_executable

    true

  • mutex

  • offline_keylogger

    false

  • password

    bupt

  • registry_autorun

    true

  • startup_name

    NetWire

  • use_mutex

    false

Signatures

  • NetWire RAT payload 3 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Host.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\Host.bin.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1652
    • C:\Users\Admin\AppData\Roaming\Install\Host.exe
      "C:\Users\Admin\AppData\Roaming\Install\Host.exe" -m "C:\Users\Admin\AppData\Local\Temp\Host.bin.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      PID:1100

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Install\Host.exe
    MD5

    cf67f5a6456cb27efb88ec441c1b121b

    SHA1

    8bf4c0a06df97dba8ced5fdb504982c365044597

    SHA256

    f54b2f764ed7112c3a11adf056a54b8646f23093fbc52ce0e07a184f5dd69fcc

    SHA512

    117f55a6a3d5be6c186d71ff03064cde75d31f0859957b821d6de98b4208c24fc13aadfe60e2fe5f721360d7aff5451d016c38ef04592124af40baeb2333d8f7

    Download Submit
  • \Users\Admin\AppData\Roaming\Install\Host.exe
    MD5

    cf67f5a6456cb27efb88ec441c1b121b

    SHA1

    8bf4c0a06df97dba8ced5fdb504982c365044597

    SHA256

    f54b2f764ed7112c3a11adf056a54b8646f23093fbc52ce0e07a184f5dd69fcc

    SHA512

    117f55a6a3d5be6c186d71ff03064cde75d31f0859957b821d6de98b4208c24fc13aadfe60e2fe5f721360d7aff5451d016c38ef04592124af40baeb2333d8f7

    Download Submit
  • \Users\Admin\AppData\Roaming\Install\Host.exe
    MD5

    cf67f5a6456cb27efb88ec441c1b121b

    SHA1

    8bf4c0a06df97dba8ced5fdb504982c365044597

    SHA256

    f54b2f764ed7112c3a11adf056a54b8646f23093fbc52ce0e07a184f5dd69fcc

    SHA512

    117f55a6a3d5be6c186d71ff03064cde75d31f0859957b821d6de98b4208c24fc13aadfe60e2fe5f721360d7aff5451d016c38ef04592124af40baeb2333d8f7

    Download Submit
  • memory/1100-62-0x0000000000000000-mapping.dmp
    Download
  • memory/1652-59-0x0000000075411000-0x0000000075413000-memory.dmp
    Filesize

    8KB

    Download