Overview

overview

10

Static

static

Confirmation slip.exe

windows7-x64

10

Confirmation slip.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Confirmation slip.exe

  • Size

    747KB

  • Sample

    220927-lfbwvadbb4

  • MD5

    96a1edd287967c1c8cb228d5fa138001

  • SHA1

    a7a9024ee3561de8d23cbcc1d4b2d4aa833fd154

  • SHA256

    6e8bf76b6d1f39b8366169c0cd6dc4bee0946973b8f5c64baf7fd1bfd1846731

  • SHA512

    fe42e520d20bbc6d75604967e7d544c490b9f2356c2c73dbd7c111ad583c444cae25d8c61b40ab731ddb01d6e9602d1557a7e780120ea7d3bf9d164f1938f561

  • SSDEEP

    12288:vxDAwgixJr0GHaitiM1u102DZPMqjJ5nt0+9MK:pJrxtiMufFPXjrBe

Score
10/10
netwirebotnetevasionratstealer

Malware Config

Extracted

Family

netwire

C2

104.222.188.99:3360

zonedx.ddns.net:3360

zonedx.ddns.net:3363

104.222.188.99:3363
Attributes
  • activex_autorun

    false

  • copy_executable

    false

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • offline_keylogger

    true

  • password

    Password9090

  • registry_autorun

    false

  • use_mutex

    false

Targets

    • Target

      Confirmation slip.exe

    • Size

      747KB

    • MD5

      96a1edd287967c1c8cb228d5fa138001

    • SHA1

      a7a9024ee3561de8d23cbcc1d4b2d4aa833fd154

    • SHA256

      6e8bf76b6d1f39b8366169c0cd6dc4bee0946973b8f5c64baf7fd1bfd1846731

    • SHA512

      fe42e520d20bbc6d75604967e7d544c490b9f2356c2c73dbd7c111ad583c444cae25d8c61b40ab731ddb01d6e9602d1557a7e780120ea7d3bf9d164f1938f561

    • SSDEEP

      12288:vxDAwgixJr0GHaitiM1u102DZPMqjJ5nt0+9MK:pJrxtiMufFPXjrBe

    Score
    10/10
    netwirebotnetevasionratstealer

    • NetWire RAT payload

      rat

    • Netwire

      Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

      botnetstealernetwire

    • Looks for VirtualBox Guest Additions in registry

      evasion

    • Looks for VMWare Tools registry key

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks