Overview

overview

10

Static

static

D5F2C7C794...73.exe

windows7_x64

10

D5F2C7C794...73.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    D5F2C7C794FCB52DCC2DBA6F4332F373.exe

  • Size

    863KB

  • Sample

    210907-t1c9eachg9

  • MD5

    d5f2c7c794fcb52dcc2dba6f4332f373

  • SHA1

    65edbdeb4ff81560937719c66affcded17d42540

  • SHA256

    f0dbc51745cdb0456cde79039f1119c8362aee6a19b54d9a368c9fe3c3d75f0f

  • SHA512

    4239188bf53ec9e00487357d9ea7831d98b928b5d6bdb8e9460bda12f418584cb22eb3680c49d9f03f61b6fb795d1b617e2a21e0650b40de1678a0ab805b628b

Score
10/10
modiloadernetwirebotnetpersistenceratstealertrojan

Malware Config

Extracted

Family

netwire

C2

185.24.233.14:6080

64.42.179.51:5457

185.103.96.143:5457

91.214.169.69:5457

213.152.161.239:5457

104.254.90.235:5457
Attributes
  • activex_autorun

    false

  • activex_key

  • copy_executable

    false

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • install_path

  • keylogger_dir

    OSEX\

  • lock_executable

    true

  • mutex

    PTgfSODX

  • offline_keylogger

    true

  • password

    Password

  • registry_autorun

    false

  • startup_name

  • use_mutex

    true

Targets

    • Target

      D5F2C7C794FCB52DCC2DBA6F4332F373.exe

    • Size

      863KB

    • MD5

      d5f2c7c794fcb52dcc2dba6f4332f373

    • SHA1

      65edbdeb4ff81560937719c66affcded17d42540

    • SHA256

      f0dbc51745cdb0456cde79039f1119c8362aee6a19b54d9a368c9fe3c3d75f0f

    • SHA512

      4239188bf53ec9e00487357d9ea7831d98b928b5d6bdb8e9460bda12f418584cb22eb3680c49d9f03f61b6fb795d1b617e2a21e0650b40de1678a0ab805b628b

    Score
    10/10
    netwirebotnetpersistenceratstealermodiloadertrojan

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

      trojanmodiloader

    • NetWire RAT payload

      rat

    • Netwire

      Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

      botnetstealernetwire

    • Adds Run key to start application

      persistence
    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks