Analysis
max time kernel: 122s
max time network: 138s
platform: windows7_x64
resource: win7-en-20211208
submitted: 17/02/2022, 00:14

Behavioral task: behavioral1
Sample: 7e2bdb47ac86e3ea25c23496ed4046aa4108ccf647250e9d9dd8e4fb83aaea4a.exe
Resource: win7-en-20211208
General
Target: 7e2bdb47ac86e3ea25c23496ed4046aa4108ccf647250e9d9dd8e4fb83aaea4a.exe
Size: 89KB
MD5: 0b1bb3e49dbdc7ebfe81d4d3982275d2
SHA1: 958f45ab00ac2212c748461ea7860b12e7c8e35e
SHA256: 7e2bdb47ac86e3ea25c23496ed4046aa4108ccf647250e9d9dd8e4fb83aaea4a
SHA512: 15ad15a353c379934a75ad56c8955b9ca4b7aa43de4559768c819f486e5df2448dfe3c8479ff799da58bace88abeca45c4fac28ca8ac41f267fdd83ea6cebb04
Malware Config
Extracted
Family: netwire
C2: sgteyor.ddns.net:39888
Attributes
activex_autorun: false
activex_key:
copy_executable: true
delete_original: false
host_id: Eyor
install_path: %AppData%\Install\Host.exe
keylogger_dir: %AppData%\Logs\
lock_executable: false
mutex:
offline_keylogger: true
password: Master0147
registry_autorun: false
startup_name:
use_mutex: false
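As an added example (not part of this sandbox report or of any NetWire tooling), the Python below turns the extracted config and the file hashes listed under General into host and network indicators and runs them over a handful of constructed Sysmon-style event records. It generalises the %AppData% expansion the run shows (C:\Users\Admin\AppData\Roaming) to any user profile, so the install path and keylogger directory are also caught for other accounts; the event records, their field names and the function names are assumptions made for the example.

```python
import re

# Values copied from the report's General and Malware Config sections.
SAMPLE_HASHES = {
    "md5": "0b1bb3e49dbdc7ebfe81d4d3982275d2",
    "sha1": "958f45ab00ac2212c748461ea7860b12e7c8e35e",
    "sha256": "7e2bdb47ac86e3ea25c23496ed4046aa4108ccf647250e9d9dd8e4fb83aaea4a",
}
NETWIRE_CONFIG = {
    "c2": "sgteyor.ddns.net:39888",
    "install_path": "%AppData%\\Install\\Host.exe",
    "keylogger_dir": "%AppData%\\Logs\\",
    "copy_executable": True,
    "registry_autorun": False,
}

# %AppData% for *any* user profile, generalising the C:\Users\Admin\AppData\Roaming
# expansion seen in the run. Each "\\" in this regex matches one literal backslash.
APPDATA_ANY_USER = r"[A-Za-z]:\\Users\\[^\\]+\\AppData\\Roaming"


def compile_path_indicator(template, prefix=False):
    """Turn a config path template into a case-insensitive regex.

    Literal path pieces are escaped; the %AppData% placeholder becomes a
    pattern for any Roaming profile. prefix=True matches anything below a
    directory (used for the keylogger output directory)."""
    parts = re.split(r"%appdata%", template, flags=re.IGNORECASE)
    body = APPDATA_ANY_USER.join(re.escape(p) for p in parts)
    return re.compile("^" + body + ("" if prefix else "$"), re.IGNORECASE)


def build_indicators(config, hashes):
    host, _, port = config["c2"].rpartition(":")
    return {
        "install_path": compile_path_indicator(config["install_path"]),
        "keylogger_dir": compile_path_indicator(config["keylogger_dir"], prefix=True),
        "c2_host": host.lower(),
        "c2_port": int(port),
        "hashes": {h.lower() for h in hashes.values()},
    }


def match_event(event, ind):
    """Return the names of the indicators one event hits (empty list = clean)."""
    hits = []
    kind = event.get("event")
    if kind in ("FileCreate", "ProcessCreate"):
        path = event.get("target") or event.get("image") or ""
        if ind["install_path"].match(path):
            hits.append("install_path")
        if ind["keylogger_dir"].match(path):
            hits.append("keylogger_dir")
    for algo in ("md5", "sha1", "sha256"):
        if event.get(algo, "").lower() in ind["hashes"]:
            hits.append("hash:" + algo)
    if kind == "DnsQuery" and event.get("query", "").lower() == ind["c2_host"]:
        hits.append("c2_dns")
    if kind == "NetworkConnect" and event.get("dest_host", "").lower() == ind["c2_host"]:
        # The host name is the strong signal; a DDNS C2 can move ports, and the
        # port on its own (see the last sample event) is not treated as a hit.
        port_ok = event.get("dest_port") == ind["c2_port"]
        hits.append("c2_connect" + (":port_match" if port_ok else ""))
    return hits


def scan_events(events, config=NETWIRE_CONFIG, hashes=SAMPLE_HASHES):
    """Map event index -> list of indicator hits, skipping events with no hits."""
    ind = build_indicators(config, hashes)
    result = {}
    for i, event in enumerate(events):
        hits = match_event(event, ind)
        if hits:
            result[i] = hits
    return result


# Constructed Sysmon-style records for the demonstration (not sandbox output).
SAMPLE_EVENTS = [
    {"event": "FileCreate", "target": "C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe"},
    {"event": "ProcessCreate", "image": "C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe",
     "pid": 1588, "sha256": "7E2BDB47AC86E3EA25C23496ED4046AA4108CCF647250E9D9DD8E4FB83AAEA4A"},
    {"event": "DnsQuery", "query": "SGTEYOR.ddns.net"},
    {"event": "NetworkConnect", "dest_host": "sgteyor.ddns.net", "dest_port": 39888},
    {"event": "FileCreate", "target": "C:\\Users\\bob\\AppData\\Roaming\\Logs\\20220217.dat"},
    {"event": "FileCreate", "target": "C:\\Program Files\\Install\\Host.exe"},  # wrong directory
    {"event": "NetworkConnect", "dest_host": "example.com", "dest_port": 39888},  # port only
]

if __name__ == "__main__":
    for idx, hits in scan_events(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["event"], hits)
```

Since this config has registry_autorun and use_mutex set to false, the dropped copy at the install path and the keylogger directory are the host artefacts worth hunting for; there is no Run key or named mutex to look for in this variant.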
Signatures

NetWire RAT payload (3 IoCs)
resource                                      yara_rule
behavioral1/files/0x0006000000014042-56.dat   netwire
behavioral1/files/0x0006000000014042-57.dat   netwire
behavioral1/files/0x0006000000014042-58.dat   netwire

Executes dropped EXE (1 IoC)
pid    Process
1588   Host.exe

Loads dropped DLL (2 IoCs)
pid    Process
1568   7e2bdb47ac86e3ea25c23496ed4046aa4108ccf647250e9d9dd8e4fb83aaea4a.exe
1568   7e2bdb47ac86e3ea25c23496ed4046aa4108ccf647250e9d9dd8e4fb83aaea4a.exe

Suspicious use of WriteProcessMemory (4 IoCs)
description                        pid    Process                                                                procid_target
PID 1568 wrote to memory of 1588   1568   7e2bdb47ac86e3ea25c23496ed4046aa4108ccf647250e9d9dd8e4fb83aaea4a.exe   27
PID 1568 wrote to memory of 1588   1568   7e2bdb47ac86e3ea25c23496ed4046aa4108ccf647250e9d9dd8e4fb83aaea4a.exe   27
PID 1568 wrote to memory of 1588   1568   7e2bdb47ac86e3ea25c23496ed4046aa4108ccf647250e9d9dd8e4fb83aaea4a.exe   27
PID 1568 wrote to memory of 1588   1568   7e2bdb47ac86e3ea25c23496ed4046aa4108ccf647250e9d9dd8e4fb83aaea4a.exe   27
Processes
1. C:\Users\Admin\AppData\Local\Temp\7e2bdb47ac86e3ea25c23496ed4046aa4108ccf647250e9d9dd8e4fb83aaea4a.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\7e2bdb47ac86e3ea25c23496ed4046aa4108ccf647250e9d9dd8e4fb83aaea4a.exe"
   PID: 1568
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\Install\Host.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
      PID: 1588
      - Executes dropped EXE