Overview

overview

10

Static

static

b6e73311b8...2b.exe

windows7_x64

10

b6e73311b8...2b.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    b6e73311b84d9cb907d7f3988b50272f7aacb443d5f96712952ce2dd6ae6102b

  • Size

    1.5MB

  • Sample

    220216-1rz55sefgp

  • MD5

    ff5779e8d7f9aede2acbf785170794a1

  • SHA1

    105ff45ef7217bae048069c14f28f519c482990f

  • SHA256

    b6e73311b84d9cb907d7f3988b50272f7aacb443d5f96712952ce2dd6ae6102b

  • SHA512

    917d34fb99634303bd5fc81d60b012bdba19894138c5910ebc9077543a80c5991888837cd851cbad1f566f96b0fd9898acf43d870e96dd9fafe3662f7b6ad428

Score
10/10
neshtanetwirebotnetpersistenceratspywarestealer

Malware Config

Extracted

Family

netwire

C2

cctv-home.ddns.me:3360

cctv-home.serveftp.com:3360
Attributes
  • activex_autorun

    true

  • activex_key

    {R5Q8L480-V2I5-AA1A-5GR0-RGV5X2101O0D}

  • copy_executable

    true

  • delete_original

    false

  • host_id

    Money

  • install_path

    %AppData%\Microcoft\operas.exe

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • mutex

    YwkrXNoi

  • offline_keylogger

    true

  • password

    dick

  • registry_autorun

    true

  • startup_name

    BrowsersPriv

  • use_mutex

    true

Targets

    • Target

      b6e73311b84d9cb907d7f3988b50272f7aacb443d5f96712952ce2dd6ae6102b

    • Size

      1.5MB

    • MD5

      ff5779e8d7f9aede2acbf785170794a1

    • SHA1

      105ff45ef7217bae048069c14f28f519c482990f

    • SHA256

      b6e73311b84d9cb907d7f3988b50272f7aacb443d5f96712952ce2dd6ae6102b

    • SHA512

      917d34fb99634303bd5fc81d60b012bdba19894138c5910ebc9077543a80c5991888837cd851cbad1f566f96b0fd9898acf43d870e96dd9fafe3662f7b6ad428

    Score
    10/10
    neshtanetwirebotnetpersistenceratspywarestealer

    • Detect Neshta Payload

    • Modifies system executable filetype association

      persistence

    • Neshta

      Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

      persistencespywareneshta

    • NetWire RAT payload

      rat

    • Netwire

      Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

      botnetstealernetwire

    • Executes dropped EXE

    • Modifies Installed Components in the registry

      persistence

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks