Overview

overview

10

Static

static

1

INV004838487834.exe

windows7_x64

10

INV004838487834.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    8e41630c4228ef9c201233e720857cc2

  • Size

    1.0MB

  • Sample

    220715-hmsldshde8

  • MD5

    8e41630c4228ef9c201233e720857cc2

  • SHA1

    3d8f28bd9397a9feec5d7171a974e89446d22256

  • SHA256

    0b2307da34cd7d3e16c7ba8e2a7bb29629c26f5acb371ec25e8c087e6befb40c

  • SHA512

    43d0fde16446e8421fda26ed28dd030abfe07b3e7c5760bd62f303ce9d75a4f95b8df5aaa8b74b780a753a514e163f1818ad8405e1c3aaa7342f9ea0a703453e

Score
10/10
netwirebotnetratstealer

Malware Config

Extracted

Family

netwire

C2

xman2.duckdns.org:4433

Attributes
  • activex_autorun

    false

  • copy_executable

    false

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • lock_executable

    false

  • offline_keylogger

    false

  • password

    Password

  • registry_autorun

    false

  • use_mutex

    false

Targets

    • Target

      INV004838487834.exe

    • Size

      937KB

    • MD5

      e66ed4c54276616d0d7dff47d7820d77

    • SHA1

      9e2e3d1c2799bc0b4102a4197a06971c840d86b7

    • SHA256

      40a9555d113e68b6bc5f4b2443ccbd851087c391a1b8ec32b4f30098dbc40ea1

    • SHA512

      46edc6a504d917912afc4d206deb19788e816196dc815e43fba37c5461ab4f2dfe7f31e40dee79ad8e6146eda8df95ba6d2675204c9cdccc5c8f382b8b53d225

    Score
    10/10
    netwirebotnetratstealer

    • NetWire RAT payload

      rat

    • Netwire

      Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

      botnetstealernetwire

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks