Overview

overview

10

Static

static

35cd99038d...d8.exe

windows7_x64

10

35cd99038d...d8.exe

windows10-2004_x64

Sharing

Copy URL
Twitter E-mail

General

  • Target

    35cd99038d9f9a51abcd92e8117746ab2b0b9c591559c298c062178c28ec64d8

  • Size

    924KB

  • Sample

    220626-2zkk4afgf7

  • MD5

    65d5a259fe75b5425640448c01e84c4c

  • SHA1

    545c7343d17d4073831ab11e5d2c5d3c8c28b401

  • SHA256

    35cd99038d9f9a51abcd92e8117746ab2b0b9c591559c298c062178c28ec64d8

  • SHA512

    30a47195e4b6534dc9e273553bd5f63cc0636851c7d82de74695b75b61bc0d851d64c6cbfa33ec00dc37f30482aef2fc15cd70cf15bc767bc65f17a8fc88b608

Score
10/10
netwirebotnetpersistenceratstealer

Malware Config

Extracted

Family

netwire

C2

ASKJHDASKDHSHTD.RU:6971

Attributes
  • activex_autorun

    false

  • copy_executable

    false

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • lock_executable

    false

  • mutex

    mqIhDWwE

  • offline_keylogger

    false

  • password

    ppF7"oRyqm

  • registry_autorun

    false

  • use_mutex

    true

Targets

    • Target

      35cd99038d9f9a51abcd92e8117746ab2b0b9c591559c298c062178c28ec64d8

    • Size

      924KB

    • MD5

      65d5a259fe75b5425640448c01e84c4c

    • SHA1

      545c7343d17d4073831ab11e5d2c5d3c8c28b401

    • SHA256

      35cd99038d9f9a51abcd92e8117746ab2b0b9c591559c298c062178c28ec64d8

    • SHA512

      30a47195e4b6534dc9e273553bd5f63cc0636851c7d82de74695b75b61bc0d851d64c6cbfa33ec00dc37f30482aef2fc15cd70cf15bc767bc65f17a8fc88b608

    Score
    10/10
    netwirebotnetpersistenceratstealer

    • NetWire RAT payload

      rat

    • Netwire

      Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

      botnetstealernetwire

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks