Overview

overview

10

Static

static

b58c2b3f5f...in.exe

windows7_x64

10

b58c2b3f5f...in.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    b58c2b3f5f6fdae85220cd053a163ba7b6e2de2f85f3b6fde2ad52528f598082.bin

  • Size

    256KB

  • Sample

    210719-knzwljlzz2

  • MD5

    3982c9643ff47aa981a446f679e332f8

  • SHA1

    c9baff1bac6e99aa18a56532ed851c896cb5d5c9

  • SHA256

    b58c2b3f5f6fdae85220cd053a163ba7b6e2de2f85f3b6fde2ad52528f598082

  • SHA512

    c226600764a1f3e1fb57e96e1df966cb232f29b23aefabb7f189b6952f7e5a6c8b6a5442b29b4ff72d2b87c06a53c2ca7766e5f609d7450ac85e8211a7a6cf7f

Score
10/10
netwirebotnetpersistenceratstealer

Malware Config

Extracted

Family

netwire

C2

chrisle79.ddns.net:4414

jacknop79.ddns.net:4414

smath79.ddns.net:4414

whatis79.ddns.net:4414

goodgt79.ddns.net:4414

bonding79.ddns.net:4414
Attributes
  • activex_autorun

    false

  • activex_key

  • copy_executable

    false

  • delete_original

    false

  • host_id

    June 2021

  • install_path

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • mutex

  • offline_keylogger

    true

  • password

    Password2$

  • registry_autorun

    false

  • startup_name

  • use_mutex

    false

Targets

    • Target

      b58c2b3f5f6fdae85220cd053a163ba7b6e2de2f85f3b6fde2ad52528f598082.bin

    • Size

      256KB

    • MD5

      3982c9643ff47aa981a446f679e332f8

    • SHA1

      c9baff1bac6e99aa18a56532ed851c896cb5d5c9

    • SHA256

      b58c2b3f5f6fdae85220cd053a163ba7b6e2de2f85f3b6fde2ad52528f598082

    • SHA512

      c226600764a1f3e1fb57e96e1df966cb232f29b23aefabb7f189b6952f7e5a6c8b6a5442b29b4ff72d2b87c06a53c2ca7766e5f609d7450ac85e8211a7a6cf7f

    Score
    10/10
    netwirebotnetpersistenceratstealer

    • Modifies WinLogon for persistence

      persistence

    • NetWire RAT payload

      rat

    • Netwire

      Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

      botnetstealernetwire

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1
T1004

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks