Overview

overview

10

Static

static

Rydpgfedij...ob.exe

windows7_x64

10

Rydpgfedij...ob.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Details_File_Copy.cab

  • Size

    478KB

  • Sample

    210930-vv5xxaabh9

  • MD5

    5bad449ab20c14bd008b1d1c86b81a1c

  • SHA1

    95b367245d4c16ae5dd79fd017f8518adbc0eaa9

  • SHA256

    aee76315f0e7c2b898a7a187e7b7f4f7b454d474f82227acd6d97ddd92ce50cf

  • SHA512

    f6d54db8fe14286889281be48841d924ea0fa79886c88388ddc51c50cb2b2695148fb9d99c6e09138e901a5b4ddff65f88e765f3cd713dbf80aabb5e5dff793c

Score
10/10
netwirexmrigbotnetminerpersistenceratstealer

Malware Config

Extracted

Family

netwire

C2

213.152.162.181:5133

184.75.221.171:5133

199.249.230.27:5133

185.103.96.143:5133

185.104.184.43:5133
Attributes
  • activex_autorun

    false

  • activex_key

  • copy_executable

    false

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • install_path

  • keylogger_dir

  • lock_executable

    true

  • mutex

    SeDCqQtm

  • offline_keylogger

    false

  • password

    Password

  • registry_autorun

    false

  • startup_name

  • use_mutex

    true

Targets

    • Target

      Rydpgfedijfrhoakhqtcjqisumduwxfmob.exe

    • Size

      901KB

    • MD5

      4ce09ea5a6a283048005cabca2955c0e

    • SHA1

      19e45ffb02a59bc111e22e7accb9140d364f7821

    • SHA256

      0930c77f216e3647b652770d81a3e83b2fe738477ca3373e0470f4fc7dba9e24

    • SHA512

      5bcd5e81defe5c6127940009d3fe3f1d7ec1e6929cf4a09cb1bd54cb5f6e5b0fbfdddc1506960157d1c1f818c3669c725e7f1ff093f4b10a2bd1a5b847cda4bc

    Score
    10/10
    netwirebotnetpersistenceratstealerxmrigminer

    • NetWire RAT payload

      rat

    • Netwire

      Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

      botnetstealernetwire

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

      minerxmrig

    • Adds Run key to start application

      persistence

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

3
T1112

Install Root Certificate

1
T1130

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks