Overview

overview

10

Static

static

Proof of Payment.exe

windows7_x64

10

Proof of Payment.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Proof of Payment.exe

  • Size

    1.0MB

  • Sample

    211016-h1qc7abgc9

  • MD5

    5ab8ebf954dd5d4a6245fb017314d154

  • SHA1

    b1ae64f01b425f03cd3b8d14783fcf8ad3e8e927

  • SHA256

    05e7ca50d56d74090b76bde141a5decb07f2fe2d8f564bed1ba814ab4cb4ddf4

  • SHA512

    0f93b6f24eaf94c3ce97bf6e8dd5c2ec326f85a1b7e2101029d674963baa33a0fa34ad359b01b33a30ef4e1a0eca5373b3b8fe82c50ac786087239f01cc4443f

Score
10/10
nanocorenetwirebotnetkeyloggerpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

netwire

C2

194.5.98.230:3364

194.5.98.230:3368
Attributes
  • activex_autorun

    false

  • activex_key

  • copy_executable

    false

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • install_path

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • mutex

  • offline_keylogger

    true

  • password

    high1234

  • registry_autorun

    false

  • startup_name

  • use_mutex

    false

Targets

    • Target

      Proof of Payment.exe

    • Size

      1.0MB

    • MD5

      5ab8ebf954dd5d4a6245fb017314d154

    • SHA1

      b1ae64f01b425f03cd3b8d14783fcf8ad3e8e927

    • SHA256

      05e7ca50d56d74090b76bde141a5decb07f2fe2d8f564bed1ba814ab4cb4ddf4

    • SHA512

      0f93b6f24eaf94c3ce97bf6e8dd5c2ec326f85a1b7e2101029d674963baa33a0fa34ad359b01b33a30ef4e1a0eca5373b3b8fe82c50ac786087239f01cc4443f

    Score
    10/10
    nanocorenetwirebotnetkeyloggerpersistenceratspywarestealertrojan

    • NanoCore

      NanoCore is a remote access tool (RAT) with a variety of capabilities.

      keyloggertrojanstealerspywarenanocore

    • NetWire RAT payload

      rat

    • Netwire

      Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

      botnetstealernetwire

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks