Overview

overview

10

Static

static

5a13433353...26.exe

windows7-x64

5

5a13433353...26.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    152s
  • max time network
    119s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220721-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-07-2022 01:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5a13433353954864e671bf5d8ec247da4fc94f89d81469e5e13993b71125a326.exe

  • Size

    1002KB

  • MD5

    69da18e4bcdad84f3233a2953f7aaf98

  • SHA1

    7a7b87d3dcede30f192e3929b0412a89c9da58ee

  • SHA256

    5a13433353954864e671bf5d8ec247da4fc94f89d81469e5e13993b71125a326

  • SHA512

    d995c316f9513a0998e8154077bc01859cc271fb9aa3f1493714da0cd1d776ac645c9eca6dc1511ef1093031fc9fa07025064d49ebc4d99c9f4cbe69fbb32f29

Score
10/10
netwirebotnetratstealer

Malware Config

Extracted

Family

netwire

C2

systool.sytes.net:4007

uploadp3p.publicvm.com:4007
Attributes
  • activex_autorun

    false

  • copy_executable

    true

  • delete_original

    false

  • host_id

    NeWYeaR-%Rand%

  • install_path

    %AppData%\System32\svhosts.exe

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    true

  • mutex

    LCNLrCMr

  • offline_keylogger

    true

  • password

    Password

  • registry_autorun

    false

  • use_mutex

    true

Signatures

  • NetWire RAT payload 1 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Executes dropped EXE 1 IoCs
  • Drops startup file 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5a13433353954864e671bf5d8ec247da4fc94f89d81469e5e13993b71125a326.exe
    "C:\Users\Admin\AppData\Local\Temp\5a13433353954864e671bf5d8ec247da4fc94f89d81469e5e13993b71125a326.exe"
    1⤵
    • Drops startup file
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5052
    • C:\Windows\SysWOW64\msiexec.exe
      C:\Windows\SysWOW64\msiexec.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4448
      • C:\Users\Admin\AppData\Roaming\System32\svhosts.exe
        "C:\Users\Admin\AppData\Roaming\System32\svhosts.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4824

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\RzSynapse.exe
    Filesize

    1002KB

    MD5

    69da18e4bcdad84f3233a2953f7aaf98

    SHA1

    7a7b87d3dcede30f192e3929b0412a89c9da58ee

    SHA256

    5a13433353954864e671bf5d8ec247da4fc94f89d81469e5e13993b71125a326

    SHA512

    d995c316f9513a0998e8154077bc01859cc271fb9aa3f1493714da0cd1d776ac645c9eca6dc1511ef1093031fc9fa07025064d49ebc4d99c9f4cbe69fbb32f29

    Download Submit

  • C:\Users\Admin\AppData\Roaming\System32\svhosts.exe
    Filesize

    1002KB

    MD5

    69da18e4bcdad84f3233a2953f7aaf98

    SHA1

    7a7b87d3dcede30f192e3929b0412a89c9da58ee

    SHA256

    5a13433353954864e671bf5d8ec247da4fc94f89d81469e5e13993b71125a326

    SHA512

    d995c316f9513a0998e8154077bc01859cc271fb9aa3f1493714da0cd1d776ac645c9eca6dc1511ef1093031fc9fa07025064d49ebc4d99c9f4cbe69fbb32f29

    Download Submit

  • C:\Users\Admin\AppData\Roaming\System32\svhosts.exe
    Filesize

    1002KB

    MD5

    69da18e4bcdad84f3233a2953f7aaf98

    SHA1

    7a7b87d3dcede30f192e3929b0412a89c9da58ee

    SHA256

    5a13433353954864e671bf5d8ec247da4fc94f89d81469e5e13993b71125a326

    SHA512

    d995c316f9513a0998e8154077bc01859cc271fb9aa3f1493714da0cd1d776ac645c9eca6dc1511ef1093031fc9fa07025064d49ebc4d99c9f4cbe69fbb32f29

    Download Submit

  • memory/4448-139-0x0000000000400000-0x000000000043B000-memory.dmp

    Filesize

    236KB

    Download

  • memory/4824-137-0x0000000000000000-mapping.dmp

    Download

  • memory/5052-130-0x0000000000B00000-0x0000000000C00000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/5052-131-0x0000000005630000-0x00000000056CC000-memory.dmp

    Filesize

    624KB

    Download

  • memory/5052-132-0x0000000005C80000-0x0000000006224000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/5052-133-0x00000000056D0000-0x0000000005762000-memory.dmp

    Filesize

    584KB

    Download

  • memory/5052-134-0x0000000005590000-0x000000000559A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/5052-135-0x0000000005860000-0x00000000058B6000-memory.dmp

    Filesize

    344KB

    Download