General

  • Target

    Invoice.exe

  • Size

    764KB

  • Sample

    220719-hfrqhsechp

  • MD5

    f9794c7a5cc09efda309692ef0f9ef61

  • SHA1

    59939ac14719398d439e99835233187ff7e17512

  • SHA256

    4c93747030e17a8581b15cce2fd3aee28eb12dab9a8ec33839d083cda679487d

  • SHA512

    98539d2058c5145c13140321fec8b251aed184a9a3bcfff1f633265e40e9fa556e5456dbf05b37e594065d376b6215c050bc40ac997595cb5d3c3ba7bf9e71b0

Malware Config

Extracted

Family

netwire

C2

194.5.98.126:3378

Attributes
  • activex_autorun

    false

  • copy_executable

    false

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • offline_keylogger

    true

  • password

    Pass@2023

  • registry_autorun

    false

  • use_mutex

    false
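The extracted config above is directly usable for hunting. The Python below is an added example (it is not part of the Triage report and not code from the NetWire sample): it copies the C2 and keylogger_dir values from the config, derives host and network checks from them, and runs those checks over Sysmon-style log lines constructed here for the example (nothing was captured from a real host). The Image, DestinationIp, DestinationPort and TargetFilename fields follow Sysmon event IDs 3 (network connection) and 11 (file create); the flat key=value line format is an assumption made for the example.

```python
"""Hunt checks derived from the NetWire config extracted in the report.

Added example, not report or sample code. Config values are copied from the
"Malware Config" section; SAMPLE_EVENTS are constructed Sysmon-style lines.
"""
import ipaddress
import re

# Values copied from the report. host_id is randomised per host (HostId-%Rand%),
# so it is not usable as an indicator; registry_autorun/copy_executable are
# false, so there is no Run key or dropped copy to look for with this build.
NETWIRE_CONFIG = {
    "family": "netwire",
    "c2": ["194.5.98.126:3378"],
    "host_id": "HostId-%Rand%",
    "keylogger_dir": "%AppData%\\Logs\\",
    "offline_keylogger": True,   # logs are written even when C2 is unreachable
    "registry_autorun": False,
    "copy_executable": False,
}

# Constructed log lines (not real telemetry). Sysmon ID 3 = network connection,
# ID 11 = file create. Only the first and third are NetWire activity.
SAMPLE_EVENTS = [
    "EventID=3 Image=C:\\Users\\alice\\Downloads\\Invoice.exe "
    "DestinationIp=194.5.98.126 DestinationPort=3378",
    "EventID=3 Image=C:\\Program Files\\Mozilla Firefox\\firefox.exe "
    "DestinationIp=194.5.98.126 DestinationPort=443",
    "EventID=11 Image=C:\\Users\\alice\\Downloads\\Invoice.exe "
    "TargetFilename=C:\\Users\\alice\\AppData\\Roaming\\Logs\\2023-07-19",
    "EventID=11 Image=C:\\Windows\\explorer.exe "
    "TargetFilename=C:\\Users\\alice\\Documents\\notes.txt",
]

# key=value pairs whose values may contain spaces (e.g. "C:\Program Files\...").
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_event(line: str) -> dict[str, str]:
    """Parse one flat key=value event line into a dict."""
    return dict(FIELD_RE.findall(line))


def parse_c2(entry: str) -> tuple[str, int]:
    """Split 'ip:port' and validate both halves so a malformed entry fails early."""
    host, _, port = entry.rpartition(":")
    ipaddress.ip_address(host)  # raises ValueError on a non-IP
    port_num = int(port)
    if not 1 <= port_num <= 65535:
        raise ValueError(f"bad port in C2 entry: {entry}")
    return host, port_num


def expand_keylogger_dir(template: str, appdata: str) -> str:
    """Expand %AppData% the way the implant would on one specific host.
    `appdata` is that user's resolved Roaming path, supplied by the caller."""
    return template.replace("%AppData%", appdata.rstrip("\\"))


def keylogger_dir_pattern(template: str) -> re.Pattern:
    """Regex for the keylogger directory that is independent of the user profile:
    %AppData% resolves to <drive>:\\Users\\<user>\\AppData\\Roaming on Windows."""
    tail = template.split("%AppData%", 1)[1]  # '\Logs\'
    return re.compile(
        r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\Roaming" + re.escape(tail),
        re.IGNORECASE,
    )


def hunt(events: list[str], config: dict) -> list[tuple[str, str]]:
    """Return (verdict, line) for each event matching a config-derived indicator."""
    c2 = {parse_c2(e) for e in config["c2"]}
    c2_ips = {ip for ip, _ in c2}
    dir_re = keylogger_dir_pattern(config["keylogger_dir"])
    hits = []
    for line in events:
        ev = parse_event(line)
        if ev.get("EventID") == "3":
            pair = (ev.get("DestinationIp"), int(ev.get("DestinationPort", 0)))
            if pair in c2:
                hits.append(("netwire_c2", line))
            elif pair[0] in c2_ips:
                # Same IP, other port: lower confidence (shared host, scanner noise).
                hits.append(("c2_ip_other_port", line))
        elif ev.get("EventID") == "11" and dir_re.match(ev.get("TargetFilename", "")):
            # offline_keylogger=true means this directory fills up even when
            # the C2 is blocked, so it is a useful host-side indicator.
            hits.append(("netwire_keylog_dir", line))
    return hits


if __name__ == "__main__":
    for verdict, line in hunt(SAMPLE_EVENTS, NETWIRE_CONFIG):
        print(f"{verdict:20} {line}")
```

The exact ip:port pair is the high-confidence indicator; a hit on the C2 address alone is reported separately so it can be triaged rather than dropped or over-trusted.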

Targets

    • Target

      Invoice.exe

    • Size

      764KB

    • MD5

      f9794c7a5cc09efda309692ef0f9ef61

    • SHA1

      59939ac14719398d439e99835233187ff7e17512

    • SHA256

      4c93747030e17a8581b15cce2fd3aee28eb12dab9a8ec33839d083cda679487d

    • SHA512

      98539d2058c5145c13140321fec8b251aed184a9a3bcfff1f633265e40e9fa556e5456dbf05b37e594065d376b6215c050bc40ac997595cb5d3c3ba7bf9e71b0

    • NetWire RAT payload

    • Netwire

      NetWire is a RAT whose main functionality is password stealing and keylogging; it also includes remote-control capabilities.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Suspicious use of SetThreadContext

      SetThreadContext rewrites a thread's register state; malware uses it to redirect a suspended process or thread into injected code (process hollowing or thread hijacking).
