Overview

overview

10

Static

static

SVR00398488.exe

windows7_x64

10

SVR00398488.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    SVR00398488.exe

  • Size

    1.0MB

  • Sample

    220714-g96absabhl

  • MD5

    04659d9e2d0a05eea8e6148f9f2627e8

  • SHA1

    6df8c86fc1932ead13d8510b0951220086145438

  • SHA256

    5c5a3dbeaef130404f996ff4e45c7ff0c9d8cd95b2071338d51af7437f675531

  • SHA512

    525379196c75efefa68796a57b25beabd69bc4bdabe05aaaee3bcba9a548a5dd372e5000494a0dd7fed8f14891345817c5c4f1be1ee52e1b5a2f9c8f803684a7

Score
10/10
netwirebotnetratstealer

Malware Config

Extracted

Family

netwire

C2

xman2.duckdns.org:4433

Attributes
  • activex_autorun

    false

  • copy_executable

    false

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • lock_executable

    false

  • offline_keylogger

    false

  • password

    Password

  • registry_autorun

    false

  • use_mutex

    false

Targets

    • Target

      SVR00398488.exe

    • Size

      1.0MB

    • MD5

      04659d9e2d0a05eea8e6148f9f2627e8

    • SHA1

      6df8c86fc1932ead13d8510b0951220086145438

    • SHA256

      5c5a3dbeaef130404f996ff4e45c7ff0c9d8cd95b2071338d51af7437f675531

    • SHA512

      525379196c75efefa68796a57b25beabd69bc4bdabe05aaaee3bcba9a548a5dd372e5000494a0dd7fed8f14891345817c5c4f1be1ee52e1b5a2f9c8f803684a7

    Score
    10/10
    netwirebotnetratstealer

    • NetWire RAT payload

      rat

    • Netwire

      Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

      botnetstealernetwire

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks