Overview

overview

10

Static

static

7c655182a7...8b.exe

windows7-x64

10

7c655182a7...8b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    45s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    10-11-2022 08:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7c655182a7cef25f6a1c56e50236d38b.exe

  • Size

    46KB

  • MD5

    7c655182a7cef25f6a1c56e50236d38b

  • SHA1

    c45644a60b3f62a84621425d6275725243469b77

  • SHA256

    3b825210b99a016893d31e4590d385c83c9eb7c9152657d5c0997eb08d741800

  • SHA512

    dd8a1bac7ec350fa2e6b22bfd140584f3d44c45a67d4aebf881cd29f389653694c9ca2592a41386a2545f82b6d1f4d3df90e1322d67f9a8a99d2b0032d30ebf6

  • SSDEEP

    768:TbkHaGfhuSDS5PmxxxxxixX0ylUpK9jg+HLr6GbOsKpeQi9c/KYP3hrvGoTr:nGaGpuSDu306Uk9jg+rr6GbOsKpeQiQn

Score
10/10
netwirebotnetratstealer

Malware Config

Extracted

Family

netwire

C2

212.193.30.230:3363

212.193.30.230:3362
Attributes
  • activex_autorun

    false

  • copy_executable

    false

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • offline_keylogger

    true

  • password

    Cantbeme@1

  • registry_autorun

    false

  • use_mutex

    false

Signatures

  • NetWire RAT payload 9 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7c655182a7cef25f6a1c56e50236d38b.exe
    "C:\Users\Admin\AppData\Local\Temp\7c655182a7cef25f6a1c56e50236d38b.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1064
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      2⤵
        PID:1652

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1064-54-0x0000000000020000-0x0000000000030000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1064-55-0x0000000075BB1000-0x0000000075BB3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1064-56-0x0000000005E80000-0x000000000609C000-memory.dmp
      Filesize

      2.1MB

      Download
    • memory/1652-57-0x0000000000400000-0x0000000000433000-memory.dmp
      Filesize

      204KB

      Download
    • memory/1652-58-0x0000000000400000-0x0000000000433000-memory.dmp
      Filesize

      204KB

      Download
    • memory/1652-60-0x0000000000400000-0x0000000000433000-memory.dmp
      Filesize

      204KB

      Download
    • memory/1652-62-0x0000000000400000-0x0000000000433000-memory.dmp
      Filesize

      204KB

      Download
    • memory/1652-63-0x0000000000400000-0x0000000000433000-memory.dmp
      Filesize

      204KB

      Download
    • memory/1652-64-0x0000000000400000-0x0000000000433000-memory.dmp
      Filesize

      204KB

      Download
    • memory/1652-66-0x0000000000400000-0x0000000000433000-memory.dmp
      Filesize

      204KB

      Download
    • memory/1652-68-0x000000000040242D-mapping.dmp
      Download
    • memory/1652-67-0x0000000000400000-0x0000000000433000-memory.dmp
      Filesize

      204KB

      Download
    • memory/1652-71-0x0000000000400000-0x0000000000433000-memory.dmp
      Filesize

      204KB

      Download
    • memory/1652-72-0x0000000000400000-0x0000000000433000-memory.dmp
      Filesize

      204KB

      Download
    • memory/1652-73-0x0000000000400000-0x0000000000433000-memory.dmp
      Filesize

      204KB

      Download