Overview

overview

10

Static

static

P_Order.scr

windows7_x64

10

P_Order.scr

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    P_Order.scr

  • Size

    950KB

  • Sample

    210712-pp57va9hwx

  • MD5

    b26006b1b87f94cae399ace4ed2881a5

  • SHA1

    6326aa07419cec008653284ca9aabe158edb9ce7

  • SHA256

    a163607a059886c8fb885f9054c9afa3103c25cca976ea7ac082e1baf02fcd7c

  • SHA512

    ae92c14038ecb323b97e70e4474881fdb804262dee8f63c8e6c353560d4c8ca3ae69ca3d2dcdd3122171e2223f5e49a56d3621695fb9dd6762da733e47a8c685

Score
10/10
netwirebotnetratstealer

Malware Config

Extracted

Family

netwire

C2

harold.ns01.info:3606

Attributes
  • activex_autorun

    false

  • activex_key

  • copy_executable

    true

  • delete_original

    false

  • host_id

    Ojoko

  • install_path

    %AppData%\Install\Host.exe

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • mutex

    enbSUNvD

  • offline_keylogger

    true

  • password

    master12

  • registry_autorun

    false

  • startup_name

  • use_mutex

    true

Targets

    • Target

      P_Order.scr

    • Size

      950KB

    • MD5

      b26006b1b87f94cae399ace4ed2881a5

    • SHA1

      6326aa07419cec008653284ca9aabe158edb9ce7

    • SHA256

      a163607a059886c8fb885f9054c9afa3103c25cca976ea7ac082e1baf02fcd7c

    • SHA512

      ae92c14038ecb323b97e70e4474881fdb804262dee8f63c8e6c353560d4c8ca3ae69ca3d2dcdd3122171e2223f5e49a56d3621695fb9dd6762da733e47a8c685

    Score
    10/10
    netwirebotnetratstealer

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • NetWire RAT payload

      rat

    • Netwire

      Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

      botnetstealernetwire

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks