General

  • Target

    RO11039484.exe

  • Size

    814KB

  • Sample

    220714-hbtz3sdcg8

  • MD5

    0ad0c3b353974a1ca9fc7343bd53c89c

  • SHA1

    17432c1edf7183f5c6567502b2ae7b5e188fc3db

  • SHA256

    9e5791d56ab1616fd28086994b3b2acc5b6f4af9c1ebfd78966a56fcc2780635

  • SHA512

    f80ffe2eafc868ab80d143baf292063bb13f4b6ee0cee889624ef49edde42a5601ace81ee8f5e85d06dffc882521be592999270b694cd3fa5523aef5f32a843d

Malware Config

Extracted

Family

netwire

C2

xman2.duckdns.org:4433

Attributes
  • activex_autorun

    false

  • copy_executable

    false

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • lock_executable

    false

  • offline_keylogger

    false

  • password

    Password

  • registry_autorun

    false

  • use_mutex

    false
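The extracted configuration above is worth reading as a hunting brief: every persistence flag (registry_autorun, activex_autorun, copy_executable) is false, so this build does not install itself and must be relaunched by its dropper after a reboot, and the durable network indicator is the DuckDNS hostname rather than whatever IP it resolves to at the time. The following is an added example (not code from the sandbox or from the NetWire project) that turns the reported hashes and C2 into checks a responder can run offline. The log format, the client addresses and the IPs in SAMPLE_LOG are constructed for the example and are not from the analysis run.

```python
"""Hunting helpers built from the indicators in the report above."""
import hashlib
import re
from typing import Iterable

# Indicators copied from the report (General / Malware Config sections).
SAMPLE_HASHES = {
    "md5": "0ad0c3b353974a1ca9fc7343bd53c89c",
    "sha1": "17432c1edf7183f5c6567502b2ae7b5e188fc3db",
    "sha256": "9e5791d56ab1616fd28086994b3b2acc5b6f4af9c1ebfd78966a56fcc2780635",
}
C2_HOST = "xman2.duckdns.org"
C2_PORT = 4433

# Extracted NetWire config as listed in the report. With both autorun
# flags false this build does not persist; the dropper or the user has
# to start it again after a reboot.
NETWIRE_CONFIG = {
    "activex_autorun": False,
    "copy_executable": False,
    "delete_original": False,
    "host_id": "HostId-%Rand%",
    "lock_executable": False,
    "offline_keylogger": False,
    "password": "Password",
    "registry_autorun": False,
    "use_mutex": False,
}


def hash_bytes(data: bytes) -> dict:
    """Return md5/sha1/sha256 hex digests of a file's contents."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in SAMPLE_HASHES}


def matches_sample(data: bytes) -> bool:
    """True if data is byte-identical to the reported sample (SHA256 match)."""
    return hash_bytes(data)["sha256"] == SAMPLE_HASHES["sha256"]


def persists_on_reboot(cfg: dict) -> bool:
    """NetWire persists only if one of its autorun options is enabled."""
    return bool(cfg.get("registry_autorun") or cfg.get("activex_autorun"))


# Constructed log lines (hypothetical flat format, not from the sandbox run):
#   <timestamp> dns <client> query <name>
#   <timestamp> conn <client> -> <dst_ip>:<dst_port> <proto>
SAMPLE_LOG = [
    "2022-07-14T10:03:11Z dns 10.0.0.5 query xman2.duckdns.org",
    "2022-07-14T10:03:12Z conn 10.0.0.5 -> 203.0.113.10:4433 tcp",
    "2022-07-14T10:03:40Z dns 10.0.0.7 query update.example.com",
    "2022-07-14T10:04:02Z conn 10.0.0.7 -> 198.51.100.20:443 tcp",
    "2022-07-14T10:05:00Z dns 10.0.0.9 query XMAN2.duckdns.org",
]

_DNS_RE = re.compile(r"^(\S+) dns (\S+) query (\S+)$")
_CONN_RE = re.compile(r"^(\S+) conn (\S+) -> (\S+):(\d+) (\S+)$")


def find_c2_hits(lines: Iterable[str]) -> list:
    """Return (line_number, client, reason) for lines that touch the C2.

    The DuckDNS name is the durable indicator. A bare connection to port
    4433 is reported only as low confidence, because the IP behind a
    dynamic-DNS name changes and 4433 is not unique to NetWire.
    """
    hits = []
    for n, line in enumerate(lines, start=1):
        m = _DNS_RE.match(line)
        if m and m.group(3).lower().rstrip(".") == C2_HOST:
            hits.append((n, m.group(2), "dns-query-c2-host"))
            continue
        m = _CONN_RE.match(line)
        if m and int(m.group(4)) == C2_PORT:
            hits.append((n, m.group(2), "conn-c2-port-low-confidence"))
    return hits


if __name__ == "__main__":
    for hit in find_c2_hits(SAMPLE_LOG):
        print(hit)
    print("persists on reboot:", persists_on_reboot(NETWIRE_CONFIG))
```

To use it against a real file, read the file as bytes and pass it to matches_sample; the hash comparison is exact, so a repacked or re-signed copy will not match and should be caught by the C2 hostname check instead.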

Targets

    • Target

      RO11039484.exe

    • Size

      814KB

    • MD5

      0ad0c3b353974a1ca9fc7343bd53c89c

    • SHA1

      17432c1edf7183f5c6567502b2ae7b5e188fc3db

    • SHA256

      9e5791d56ab1616fd28086994b3b2acc5b6f4af9c1ebfd78966a56fcc2780635

    • SHA512

      f80ffe2eafc868ab80d143baf292063bb13f4b6ee0cee889624ef49edde42a5601ace81ee8f5e85d06dffc882521be592999270b694cd3fa5523aef5f32a843d

    • NetWire RAT payload

    • Netwire

      NetWire is a RAT whose main functionality is password stealing and keylogging, but it also includes remote-control capabilities.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext (commonly used to redirect execution into injected code, as in process hollowing)
