Overview

overview

10

Static

static

Details.exe

windows7_x64

10

Details.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Details.exe

  • Size

    123KB

  • Sample

    211018-nmp36aeden

  • MD5

    a6d253e02a22e26939f3d775ee1127cd

  • SHA1

    a8e827a9c4916a4b85e5e783764173df0dadd116

  • SHA256

    61722636c5cad31d212e7ea1da55d4fde3a7e93fc46f81484dd7597a684a8164

  • SHA512

    dc13d3e6a721cc2673663d0b70fcae92ed2316f4b247039dcdf8e6312a0525fc14209c4c1f860da3d04939095f1f7a912d60b20f0242dbf6ff95bc341eaada82

Score
10/10
netwirebotnetpersistenceratstealer

Malware Config

Extracted

Family

netwire

C2

213.152.162.181:5133

184.75.221.171:5133

199.249.230.27:5133

185.103.96.143:5133

185.104.184.43:5133
Attributes
  • activex_autorun

    false

  • activex_key

  • copy_executable

    false

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • install_path

  • keylogger_dir

  • lock_executable

    true

  • mutex

    SeDCqQtm

  • offline_keylogger

    false

  • password

    Password

  • registry_autorun

    false

  • startup_name

  • use_mutex

    true

Targets

    • Target

      Details.exe

    • Size

      123KB

    • MD5

      a6d253e02a22e26939f3d775ee1127cd

    • SHA1

      a8e827a9c4916a4b85e5e783764173df0dadd116

    • SHA256

      61722636c5cad31d212e7ea1da55d4fde3a7e93fc46f81484dd7597a684a8164

    • SHA512

      dc13d3e6a721cc2673663d0b70fcae92ed2316f4b247039dcdf8e6312a0525fc14209c4c1f860da3d04939095f1f7a912d60b20f0242dbf6ff95bc341eaada82

    Score
    10/10
    netwirebotnetpersistenceratstealer

    • NetWire RAT payload

      rat

    • Netwire

      Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

      botnetstealernetwire

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks