Overview

overview

10

Static

static

3412783f63...e4.exe

windows7_x64

10

3412783f63...e4.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    117s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    30-06-2022 19:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3412783f631651f6a1fa26aa89a68728d03076caf467afb20e822c20d9689ce4.exe

  • Size

    226KB

  • MD5

    aaba0aeb767328afc2bbb76bfbb19297

  • SHA1

    8ba930891e1c8834303ebbdf2261703f5050e9f7

  • SHA256

    3412783f631651f6a1fa26aa89a68728d03076caf467afb20e822c20d9689ce4

  • SHA512

    b5f3395cdacdf6c4b42976c016711fa162ccf56f86f1402d1b7c82d011297e99824208b4d6bf96eeda82b864542c4e2c0a93a684fdab43b85656a39b2f0d4390

Score
10/10
netwirebotnetratstealer

Malware Config

Extracted

Family

netwire

C2

genlast.giize.com:1604

Attributes
  • activex_autorun

    false

  • copy_executable

    false

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • lock_executable

    false

  • offline_keylogger

    false

  • password

    Password

  • registry_autorun

    false

  • use_mutex

    false

Signatures

  • NetWire RAT payload 8 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Drops startup file 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3412783f631651f6a1fa26aa89a68728d03076caf467afb20e822c20d9689ce4.exe
    "C:\Users\Admin\AppData\Local\Temp\3412783f631651f6a1fa26aa89a68728d03076caf467afb20e822c20d9689ce4.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:784
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
      "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\Admin\AppData\Local\Temp\3412783f631651f6a1fa26aa89a68728d03076caf467afb20e822c20d9689ce4.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VesjTeimsSjxssxw.exe'
      2⤵
      • Drops startup file
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:932
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      2⤵
        PID:2036

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/784-54-0x0000000000840000-0x000000000087E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/784-55-0x0000000000420000-0x000000000045C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/784-56-0x0000000075701000-0x0000000075703000-memory.dmp

      Filesize

      8KB

      Download

    • memory/784-60-0x0000000000570000-0x0000000000584000-memory.dmp

      Filesize

      80KB

      Download

    • memory/784-76-0x0000000004935000-0x0000000004946000-memory.dmp

      Filesize

      68KB

      Download

    • memory/932-57-0x0000000000000000-mapping.dmp

      Download

    • memory/932-59-0x000000006F140000-0x000000006F6EB000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/2036-64-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/2036-62-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/2036-66-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/2036-67-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/2036-68-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/2036-70-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/2036-71-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/2036-72-0x000000000040242D-mapping.dmp

      Download

    • memory/2036-75-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/2036-61-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/2036-77-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download