Overview

overview

10

Static

static

4a157f302b...af.exe

windows7_x64

10

4a157f302b...af.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    145s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    12-07-2022 14:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4a157f302bd6afd4079720dbc7028a8caae9b2d2b192ee4f4a6915dec94cd5af.exe

  • Size

    648KB

  • MD5

    7c958c25fd6e816da044bcd23f37940a

  • SHA1

    e95cf0c3d58448cf0e9ff8b53ca6ecff10a81246

  • SHA256

    4a157f302bd6afd4079720dbc7028a8caae9b2d2b192ee4f4a6915dec94cd5af

  • SHA512

    08f22b747697c3060f14834c321203c7eacdbe1f053dbe3044a3810a030ba9da26746b64d3ed956741fa5465c868b0d00d692c89a2538d038d973fb43a072724

Score
10/10
netwirebotnetpersistenceratstealer

Malware Config

Extracted

Family

netwire

C2

ggggg.ddns.net:3360

boow.ddns.net:3360
Attributes
  • activex_autorun

    false

  • copy_executable

    true

  • delete_original

    true

  • host_id

    HostId-%Rand%

  • install_path

    %AppData%\Install\Host.exe

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    true

  • mutex

    OnVjhkkv

  • offline_keylogger

    true

  • password

    Password

  • registry_autorun

    true

  • startup_name

    NetWire

  • use_mutex

    true

Signatures

  • NetWire RAT payload 7 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 37 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4a157f302bd6afd4079720dbc7028a8caae9b2d2b192ee4f4a6915dec94cd5af.exe
    "C:\Users\Admin\AppData\Local\Temp\4a157f302bd6afd4079720dbc7028a8caae9b2d2b192ee4f4a6915dec94cd5af.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1008
    • C:\Users\Admin\AppData\Local\Temp\4a157f302bd6afd4079720dbc7028a8caae9b2d2b192ee4f4a6915dec94cd5af.exe
      "C:\Users\Admin\AppData\Local\Temp\4a157f302bd6afd4079720dbc7028a8caae9b2d2b192ee4f4a6915dec94cd5af.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4916
      • C:\Users\Admin\AppData\Roaming\Install\Host.exe
        -m "C:\Users\Admin\AppData\Local\Temp\4a157f302bd6afd4079720dbc7028a8caae9b2d2b192ee4f4a6915dec94cd5af.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2660
        • C:\Users\Admin\AppData\Roaming\Install\Host.exe
          -m "C:\Users\Admin\AppData\Local\Temp\4a157f302bd6afd4079720dbc7028a8caae9b2d2b192ee4f4a6915dec94cd5af.exe"
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          PID:4436

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Install\Host.exe
    Filesize

    648KB

    MD5

    7c958c25fd6e816da044bcd23f37940a

    SHA1

    e95cf0c3d58448cf0e9ff8b53ca6ecff10a81246

    SHA256

    4a157f302bd6afd4079720dbc7028a8caae9b2d2b192ee4f4a6915dec94cd5af

    SHA512

    08f22b747697c3060f14834c321203c7eacdbe1f053dbe3044a3810a030ba9da26746b64d3ed956741fa5465c868b0d00d692c89a2538d038d973fb43a072724

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Install\Host.exe
    Filesize

    648KB

    MD5

    7c958c25fd6e816da044bcd23f37940a

    SHA1

    e95cf0c3d58448cf0e9ff8b53ca6ecff10a81246

    SHA256

    4a157f302bd6afd4079720dbc7028a8caae9b2d2b192ee4f4a6915dec94cd5af

    SHA512

    08f22b747697c3060f14834c321203c7eacdbe1f053dbe3044a3810a030ba9da26746b64d3ed956741fa5465c868b0d00d692c89a2538d038d973fb43a072724

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Install\Host.exe
    Filesize

    648KB

    MD5

    7c958c25fd6e816da044bcd23f37940a

    SHA1

    e95cf0c3d58448cf0e9ff8b53ca6ecff10a81246

    SHA256

    4a157f302bd6afd4079720dbc7028a8caae9b2d2b192ee4f4a6915dec94cd5af

    SHA512

    08f22b747697c3060f14834c321203c7eacdbe1f053dbe3044a3810a030ba9da26746b64d3ed956741fa5465c868b0d00d692c89a2538d038d973fb43a072724

    Download Submit

  • memory/1008-135-0x0000000000780000-0x0000000000786000-memory.dmp

    Filesize

    24KB

    Download

  • memory/1008-132-0x0000000000780000-0x0000000000786000-memory.dmp

    Filesize

    24KB

    Download

  • memory/2660-138-0x0000000000000000-mapping.dmp

    Download

  • memory/4436-143-0x0000000000000000-mapping.dmp

    Download

  • memory/4436-147-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/4436-148-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/4916-136-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/4916-137-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/4916-134-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/4916-133-0x0000000000000000-mapping.dmp

    Download