Overview

overview

10

Static

static

5

4309e6dc5f...95.exe

windows10_x64

10

Analysis

  • max time kernel
    140s
  • max time network
    146s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    22-07-2021 15:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4309e6dc5f9633106714d1a16f9300641d45d5062f5456cfb836d4e6d24ace95.exe

  • Size

    1.1MB

  • MD5

    f2b4a895b2eea85ad655a6d67177d2a1

  • SHA1

    8f558062e5f2dce4cc17bd12ed68602e3e0d7b87

  • SHA256

    4309e6dc5f9633106714d1a16f9300641d45d5062f5456cfb836d4e6d24ace95

  • SHA512

    e8065c5e721d937b9a185c3fa74f6f4d70f124a4a54b25733783e41c851ed55b9bea4f71571b1a593665584265c723780bf1ca255dc390c695554cb427239be0

Score
10/10
netwirebotnetratstealer

Malware Config

Signatures

  • NetWire RAT payload 4 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Drops startup file 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • autoit_exe 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4309e6dc5f9633106714d1a16f9300641d45d5062f5456cfb836d4e6d24ace95.exe
    "C:\Users\Admin\AppData\Local\Temp\4309e6dc5f9633106714d1a16f9300641d45d5062f5456cfb836d4e6d24ace95.exe"
    1⤵
    • Drops startup file
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:3176
    • C:\Windows\SysWOW64\dllhost.exe
      "C:\Windows\System32\dllhost.exe"
      2⤵
      • Drops file in System32 directory
      PID:4052

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/3176-127-0x0000000000A80000-0x0000000000BCA000-memory.dmp
    Filesize

    1.3MB

    Download
  • memory/3176-123-0x0000000000A80000-0x0000000000BCA000-memory.dmp
    Filesize

    1.3MB

    Download
  • memory/3176-119-0x0000000000A80000-0x0000000000BCA000-memory.dmp
    Filesize

    1.3MB

    Download
  • memory/3176-118-0x0000000000A80000-0x0000000000BCA000-memory.dmp
    Filesize

    1.3MB

    Download
  • memory/3176-126-0x0000000000A80000-0x0000000000BCA000-memory.dmp
    Filesize

    1.3MB

    Download
  • memory/3176-125-0x0000000000A80000-0x0000000000BCA000-memory.dmp
    Filesize

    1.3MB

    Download
  • memory/3176-120-0x0000000000A80000-0x0000000000BCA000-memory.dmp
    Filesize

    1.3MB

    Download
  • memory/3176-124-0x0000000000A80000-0x0000000000BCA000-memory.dmp
    Filesize

    1.3MB

    Download
  • memory/3176-121-0x0000000000A80000-0x0000000000BCA000-memory.dmp
    Filesize

    1.3MB

    Download
  • memory/3176-129-0x0000000000A80000-0x0000000000BCA000-memory.dmp
    Filesize

    1.3MB

    Download
  • memory/3176-122-0x0000000000A80000-0x0000000000BCA000-memory.dmp
    Filesize

    1.3MB

    Download
  • memory/3176-130-0x0000000000A80000-0x0000000000BCA000-memory.dmp
    Filesize

    1.3MB

    Download
  • memory/3176-128-0x0000000000A80000-0x0000000000BCA000-memory.dmp
    Filesize

    1.3MB

    Download
  • memory/4052-114-0x0000000000400000-0x000000000041F000-memory.dmp
    Filesize

    124KB

    Download
  • memory/4052-131-0x0000000000400000-0x000000000041F000-memory.dmp
    Filesize

    124KB

    Download
  • memory/4052-115-0x00000000004021DA-mapping.dmp
    Download