Overview

overview

10

Static

static

a2cfd560eb...7b.exe

windows7-x64

10

a2cfd560eb...7b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    172s
  • max time network
    183s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220721-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31-07-2022 06:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a2cfd560eb6407185f6d5099d6c153cd88d9d4e55b725b2e7d560b240d2b917b.exe

  • Size

    784KB

  • MD5

    da62ec3593d48b259a93a8ccf98ac487

  • SHA1

    9cc217b195b5ddb10b068681c41b999a4f42ad32

  • SHA256

    a2cfd560eb6407185f6d5099d6c153cd88d9d4e55b725b2e7d560b240d2b917b

  • SHA512

    3369fb9af4da2869fbb5e7740bfbeac76860d282e9fcdea2c9abfbafb745edd81feb64e3013e4ae32d967b3b15dcbd32461a847956150dc730830ec28e6db878

Score
10/10
netwirebotnetratstealer

Malware Config

Signatures

  • NetWire RAT payload 1 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Executes dropped EXE 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a2cfd560eb6407185f6d5099d6c153cd88d9d4e55b725b2e7d560b240d2b917b.exe
    "C:\Users\Admin\AppData\Local\Temp\a2cfd560eb6407185f6d5099d6c153cd88d9d4e55b725b2e7d560b240d2b917b.exe"
    1⤵
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2232
    • C:\Users\Admin\AppData\Roaming\billingou\billisou.exe
      "C:\Users\Admin\AppData\Roaming\billingou\billisou.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:3256
      • C:\Users\Admin\AppData\Roaming\billingou\billisou.exe
        "C:\Users\Admin\AppData\Roaming\billingou\billisou.exe"
        3⤵
        • Executes dropped EXE
        PID:4576

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\billingou\billisou.exe
    Filesize

    784KB

    MD5

    da62ec3593d48b259a93a8ccf98ac487

    SHA1

    9cc217b195b5ddb10b068681c41b999a4f42ad32

    SHA256

    a2cfd560eb6407185f6d5099d6c153cd88d9d4e55b725b2e7d560b240d2b917b

    SHA512

    3369fb9af4da2869fbb5e7740bfbeac76860d282e9fcdea2c9abfbafb745edd81feb64e3013e4ae32d967b3b15dcbd32461a847956150dc730830ec28e6db878

    Download Submit

  • C:\Users\Admin\AppData\Roaming\billingou\billisou.exe
    Filesize

    784KB

    MD5

    da62ec3593d48b259a93a8ccf98ac487

    SHA1

    9cc217b195b5ddb10b068681c41b999a4f42ad32

    SHA256

    a2cfd560eb6407185f6d5099d6c153cd88d9d4e55b725b2e7d560b240d2b917b

    SHA512

    3369fb9af4da2869fbb5e7740bfbeac76860d282e9fcdea2c9abfbafb745edd81feb64e3013e4ae32d967b3b15dcbd32461a847956150dc730830ec28e6db878

    Download Submit

  • C:\Users\Admin\AppData\Roaming\billingou\billisou.exe
    Filesize

    784KB

    MD5

    da62ec3593d48b259a93a8ccf98ac487

    SHA1

    9cc217b195b5ddb10b068681c41b999a4f42ad32

    SHA256

    a2cfd560eb6407185f6d5099d6c153cd88d9d4e55b725b2e7d560b240d2b917b

    SHA512

    3369fb9af4da2869fbb5e7740bfbeac76860d282e9fcdea2c9abfbafb745edd81feb64e3013e4ae32d967b3b15dcbd32461a847956150dc730830ec28e6db878

    Download Submit

  • memory/2232-131-0x0000000000400000-0x00000000004CB000-memory.dmp

    Filesize

    812KB

    Download

  • memory/3256-132-0x0000000000000000-mapping.dmp

    Download

  • memory/3256-135-0x0000000000400000-0x00000000004CB000-memory.dmp

    Filesize

    812KB

    Download

  • memory/4576-136-0x0000000000000000-mapping.dmp

    Download

  • memory/4576-138-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

    Download