Overview

overview

10

Static

static

3f7e5239a3...d2.exe

windows7_x64

10

3f7e5239a3...d2.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    3f7e5239a328af7e3865e8340d40a892748da42c5f1343264d173f1b9f7d51d2

  • Size

    245KB

  • Sample

    220701-bs6xmsecal

  • MD5

    0eee0f4cc5461af94ac39590ea0b8ac9

  • SHA1

    9072cb614aef5c9c2d38d2846bb3c625a9f65ecb

  • SHA256

    3f7e5239a328af7e3865e8340d40a892748da42c5f1343264d173f1b9f7d51d2

  • SHA512

    2e926acde54ef8bf3f4ad0cb21ed6487c614fdee49be63190a9a8436db54d8d9df617ad2babf886df5af8ecb056e6b54d97e2d4ab43d11d5978748be8e8cb1ec

Score
10/10
netwirebotnetpersistenceratstealer

Malware Config

Extracted

Family

netwire

C2

netzirecolq.gleeze.com:3372

Attributes
  • activex_autorun

    true

  • activex_key

    {ILC0D6DW-314A-58FX-3U05-C35QOA66D730}

  • copy_executable

    false

  • delete_original

    true

  • host_id

    3372

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    true

  • mutex

    fCnYKSgn

  • offline_keylogger

    true

  • password

    10203010Aa

  • registry_autorun

    true

  • startup_name

    Defender

  • use_mutex

    true

Targets

    • Target

      3f7e5239a328af7e3865e8340d40a892748da42c5f1343264d173f1b9f7d51d2

    • Size

      245KB

    • MD5

      0eee0f4cc5461af94ac39590ea0b8ac9

    • SHA1

      9072cb614aef5c9c2d38d2846bb3c625a9f65ecb

    • SHA256

      3f7e5239a328af7e3865e8340d40a892748da42c5f1343264d173f1b9f7d51d2

    • SHA512

      2e926acde54ef8bf3f4ad0cb21ed6487c614fdee49be63190a9a8436db54d8d9df617ad2babf886df5af8ecb056e6b54d97e2d4ab43d11d5978748be8e8cb1ec

    Score
    10/10
    netwirebotnetpersistenceratstealer

    • NetWire RAT payload

      rat

    • Netwire

      Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

      botnetstealernetwire

    • Modifies Installed Components in the registry

      persistence

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks