Overview

overview

10

Static

static

3f417cc402...04.exe

windows7_x64

10

3f417cc402...04.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    112s
  • max time network
    116s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    01-07-2022 02:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3f417cc402322ac8717f904400b28d6cd169b133e521a6dd677e3ca441088604.exe

  • Size

    496KB

  • MD5

    3160a283284befd2f59cce3be5341e75

  • SHA1

    1809a6d9c10bbce9b46664d47489995f8940f615

  • SHA256

    3f417cc402322ac8717f904400b28d6cd169b133e521a6dd677e3ca441088604

  • SHA512

    43abc8066702adddc0b7d2914f786b2daa8324ed3254c42a98907639302d9716063ebc6f48b427e064db6770df7f1716dcca2a8ff6534789aa69b0982378edb0

Score
10/10
netwirebotnetratstealer

Malware Config

Extracted

Family

netwire

C2

fingers1.ddns.net:3360

Attributes
  • activex_autorun

    false

  • copy_executable

    false

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • offline_keylogger

    true

  • password

    Password

  • registry_autorun

    false

  • use_mutex

    false

Signatures

  • NetWire RAT payload 3 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Drops startup file 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3f417cc402322ac8717f904400b28d6cd169b133e521a6dd677e3ca441088604.exe
    "C:\Users\Admin\AppData\Local\Temp\3f417cc402322ac8717f904400b28d6cd169b133e521a6dd677e3ca441088604.exe"
    1⤵
    • Drops startup file
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:332
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qft11vjy\qft11vjy.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5056
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES92DE.tmp" "c:\Users\Admin\AppData\Local\Temp\qft11vjy\CSC819D68A378E94B3DB964DF6DAA8C2CAF.TMP"
        3⤵
          PID:1412
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
        2⤵
          PID:3008

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Scripting

      1
      T1064

      Persistence

      Privilege Escalation

      Defense Evasion

      Scripting

      1
      T1064

      Credential Access

      Discovery

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\RES92DE.tmp
        Filesize

        1KB

        MD5

        4362b5017adc350f1ca0b1d3a17dbc59

        SHA1

        bf779e11c142451a3166e6720401342ceb0e5775

        SHA256

        b290f68689e3f0a0b2882577899e195c5186e0b6710cf20e2e881802886fc8e8

        SHA512

        825e717db1a348c99eff17e2fde42eb9fcd216e908008cdb1c4d7923a10e8690241ce18c62e148c37c3cae2c0f41c716d4a69b57d01c41591690f31d0a101bb8

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\qft11vjy\qft11vjy.dll
        Filesize

        26KB

        MD5

        c4250d1c9ca5614a786381e2c708e8b4

        SHA1

        c8215c1a25f02727f1fbc53b137cd88a8582a2dc

        SHA256

        e9912a2ec908e385c1c5b8b94d83ec96a5acf3bef2e4927528c8f85c444cd877

        SHA512

        1856a66b417d0f1ca42401b01ffe215da65baeebcd9c7622a1fe89c7c5d035ab138a464f673f067810436aead2bd9789c9c182ab4099888b733461d63d0a76c9

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\qft11vjy\qft11vjy.pdb
        Filesize

        85KB

        MD5

        472bf314e4630423498bf978edaeeadc

        SHA1

        5a3435fd83fd36a6ad5c861c63b5734f1b3bd663

        SHA256

        4b1c69d4fcec174ab1ddba84202bb0a895d646c33a6728d912c8e61c25879b44

        SHA512

        f21ad82c6fe0c73b44982be0b54d634e375d86bab154b22055f5351fbb28e7f2efae84af6d953609c4c416c6a5106304de10c13536346f5d5e722ceba6161d95

        Download Submit
      • \??\c:\Users\Admin\AppData\Local\Temp\qft11vjy\CSC819D68A378E94B3DB964DF6DAA8C2CAF.TMP
        Filesize

        1KB

        MD5

        bf4b91bf5891d5295a047bc407e811bd

        SHA1

        1d196b4a66f7c7a1f33619b26ec797db89cfa651

        SHA256

        a38f61479ad1d8cc64ec2a447869a45e7a5a9efdf6978833b7b7709b2c6f2290

        SHA512

        342dab89c9697e9b757ad413d06757e8ada2e6681dd2fd328d61818fb638db1cd227d7243e06b52d0e7bcf3f7af44c5befa1b02694a3abb64525666d318c918c

        Download Submit
      • \??\c:\Users\Admin\AppData\Local\Temp\qft11vjy\qft11vjy.0.cs
        Filesize

        66KB

        MD5

        36c98e4b49e2b715c0e3a0f982f08c58

        SHA1

        64b078a959f8a3965e18ea7aa6e5d586a0054ce9

        SHA256

        b43826d45019a608dbbbe8017215175f4f45cd730564dd4be031d97dcfcb5f1a

        SHA512

        234a84164bc1cce3c51091c66d90a34597eaa1541724efd17f6e27ad5fb8c7264493d791455fff61074f8c6de8c7f9e47e094e31d2d065f36c7d69f296298503

        Download Submit
      • \??\c:\Users\Admin\AppData\Local\Temp\qft11vjy\qft11vjy.cmdline
        Filesize

        312B

        MD5

        7e2c00b91c14382929d8e4b00d6c850b

        SHA1

        b312276bcba60842444f09131e74ba963b431d85

        SHA256

        a1e97e5fdd1ac73cae072d699f48b074630e49cd6ea7a1ca12aaa809825d65ac

        SHA512

        f686c72d1045d51308a4d7e03e3b1da9ebf46b7cde17cf99d6a825655547b3f55c0c5d5f39c1521d882c7c06ba4f8fcfab207393c6c64581a8b7c4e5464c89e7

        Download Submit
      • memory/332-130-0x0000000000230000-0x00000000002B0000-memory.dmp
        Filesize

        512KB

        Download
      • memory/332-139-0x0000000004C30000-0x0000000004CC2000-memory.dmp
        Filesize

        584KB

        Download
      • memory/332-140-0x0000000005370000-0x000000000540C000-memory.dmp
        Filesize

        624KB

        Download
      • memory/1412-134-0x0000000000000000-mapping.dmp
        Download
      • memory/3008-141-0x0000000000000000-mapping.dmp
        Download
      • memory/3008-142-0x0000000000400000-0x000000000042C000-memory.dmp
        Filesize

        176KB

        Download
      • memory/3008-144-0x0000000000400000-0x000000000042C000-memory.dmp
        Filesize

        176KB

        Download
      • memory/3008-145-0x0000000000400000-0x000000000042C000-memory.dmp
        Filesize

        176KB

        Download
      • memory/5056-131-0x0000000000000000-mapping.dmp
        Download