Overview

overview

10

Static

static

Product_Or...08.exe

windows7-x64

10

Product_Or...08.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    9852b6d615cc6d7e5e61044d3cb167bff5bcc528ba0dcb6de4e39de6105d5e42

  • Size

    296KB

  • Sample

    221023-nz9nbsaah4

  • MD5

    2680530026f1eae5f230636b6d4d6ef9

  • SHA1

    3be7cfcdbd6318fa79809138fac13eaa074f81fd

  • SHA256

    9852b6d615cc6d7e5e61044d3cb167bff5bcc528ba0dcb6de4e39de6105d5e42

  • SHA512

    0ab0bd00d80d02088fdb8cbeaa645bd34fc6d4875bc8fc0513075b969db3644878b9570165a4f7d58a2cb61521590f758400c5ec5173922aab3a6e8bca980c68

  • SSDEEP

    6144:E0fJ35AAkTIoVOVP8YWNhQ9wDPRrz7sn1k2Q8ik1qdMgZkdz8ne54XSFNMVZs:E0fJ352gZ8JNySDPx+22F1OhQ8e54YMI

Score
10/10
netwirebotnetpersistenceratstealerupx

Malware Config

Extracted

Family

netwire

C2

franrnar.com.tw:1009

Attributes
  • activex_autorun

    false

  • copy_executable

    true

  • delete_original

    true

  • host_id

    HostId-%Rand%

  • install_path

    %AppData%\Microsoft\windows\explorer.exe

  • keylogger_dir

    %AppData%\Microsoft\windows\Logs\

  • lock_executable

    true

  • mutex

    LqICFQGC

  • offline_keylogger

    true

  • password

    GetTheFuckOFf

  • registry_autorun

    true

  • startup_name

    iexplorer

  • use_mutex

    true

Targets

    • Target

      Product_Order_Quotation_X1208.exe

    • Size

      322KB

    • MD5

      709714b4261957287537f7f78e6dbdfb

    • SHA1

      82f2efbbf0c86913932567caf70ae6f66665bec9

    • SHA256

      72c3b0ef24972aa0269b5084d27257fa83229ddca82ae020de2194e9ed7cbb0f

    • SHA512

      e969eba70b15e3b346931a5f812f38c20be028b30cc2512d1410d2cbdabd0664d3e9d3a56b6cd83f4e0b88ac66cb5326802d2c0a831deb138ee64b8586141601

    • SSDEEP

      6144:my1lpFvAAkTIo9OVP8YW5hQ9wDdRrz7sn1q0eop5MvuMpGxByK/tdA8F8Tz:mAn2oZ8J5ySDdx+sySvfi0GTA8F8Tz

    Score
    10/10
    netwirebotnetratstealerupxpersistence

    • NetWire RAT payload

      rat

    • Netwire

      Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

      botnetstealernetwire

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks