Overview

overview

10

Static

static

e0fbcfe122...e2.exe

windows7-x64

10

e0fbcfe122...e2.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    46s
  • max time network
    50s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    28-11-2022 00:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e0fbcfe1224dc424aad75f66af776528917400202aa946d7ad2c85e2339c79e2.exe

  • Size

    270KB

  • MD5

    5d267f53327a67de1acddf9266224155

  • SHA1

    8b1451eedc01931df48531127839617942df9461

  • SHA256

    e0fbcfe1224dc424aad75f66af776528917400202aa946d7ad2c85e2339c79e2

  • SHA512

    6e78ee956342847c18c44de7274e46d7e7ea0bb801360f05af25b7e9d094b85bac54f5718d38d225581d942de63ac8ffaeb8ef41ef9e1cfc5bcbb18c44dbe5af

  • SSDEEP

    6144:KJn2R2tg1G/joO7pAsnAAAAAA5r5f7T0jxaQbRbO194v5vQ73ABNAAAA82R9eT:KJW2tK2H7pAsnAAAAAAjkaQtbOMv5vQJ

Score
10/10
netwirebotnetratstealer

Malware Config

Signatures

  • NetWire RAT payload 5 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e0fbcfe1224dc424aad75f66af776528917400202aa946d7ad2c85e2339c79e2.exe
    "C:\Users\Admin\AppData\Local\Temp\e0fbcfe1224dc424aad75f66af776528917400202aa946d7ad2c85e2339c79e2.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1444
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:568
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:996
        • C:\Users\Admin\AppData\Roaming\Install\Host.exe
          -m "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
          4⤵
          • Executes dropped EXE
          PID:1156
  • C:\Windows\System32\msdtc.exe
    C:\Windows\System32\msdtc.exe
    1⤵
    • Drops file in System32 directory
    • Drops file in Windows directory
    PID:1280

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Install\Host.exe
    Filesize

    32KB

    MD5

    d79f070423fdd3f01ce8c2ba3fbbc8ed

    SHA1

    2f8ed26eb714b4efbe5d7a3167e33ade82c51fd8

    SHA256

    97bd627ebfc4d40b21ebaaed916a1ba53859520edc99537b37d042a0d5425a5a

    SHA512

    47bdc8cce5cd308053d9429a512924448e65023d154b798668d1ee8f628c1b548651e968e7c03db4a6770705f382b9e96db246c39f838000924985b53ccaa3db

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Install\Host.exe
    Filesize

    32KB

    MD5

    d79f070423fdd3f01ce8c2ba3fbbc8ed

    SHA1

    2f8ed26eb714b4efbe5d7a3167e33ade82c51fd8

    SHA256

    97bd627ebfc4d40b21ebaaed916a1ba53859520edc99537b37d042a0d5425a5a

    SHA512

    47bdc8cce5cd308053d9429a512924448e65023d154b798668d1ee8f628c1b548651e968e7c03db4a6770705f382b9e96db246c39f838000924985b53ccaa3db

    Download Submit
  • \Users\Admin\AppData\Roaming\Install\Host.exe
    Filesize

    32KB

    MD5

    d79f070423fdd3f01ce8c2ba3fbbc8ed

    SHA1

    2f8ed26eb714b4efbe5d7a3167e33ade82c51fd8

    SHA256

    97bd627ebfc4d40b21ebaaed916a1ba53859520edc99537b37d042a0d5425a5a

    SHA512

    47bdc8cce5cd308053d9429a512924448e65023d154b798668d1ee8f628c1b548651e968e7c03db4a6770705f382b9e96db246c39f838000924985b53ccaa3db

    Download Submit
  • memory/568-80-0x0000000074850000-0x0000000074DFB000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/568-56-0x0000000000400000-0x000000000042C000-memory.dmp
    Filesize

    176KB

    Download
  • memory/568-57-0x0000000000400000-0x000000000042C000-memory.dmp
    Filesize

    176KB

    Download
  • memory/568-59-0x0000000000400000-0x000000000042C000-memory.dmp
    Filesize

    176KB

    Download
  • memory/568-61-0x0000000000400000-0x000000000042C000-memory.dmp
    Filesize

    176KB

    Download
  • memory/568-63-0x00000000004273EE-mapping.dmp
    Download
  • memory/568-62-0x0000000000400000-0x000000000042C000-memory.dmp
    Filesize

    176KB

    Download
  • memory/568-67-0x0000000000400000-0x000000000042C000-memory.dmp
    Filesize

    176KB

    Download
  • memory/568-65-0x0000000000400000-0x000000000042C000-memory.dmp
    Filesize

    176KB

    Download
  • memory/996-78-0x0000000000402196-mapping.dmp
    Download
  • memory/996-85-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/996-75-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/996-71-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/996-77-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/996-70-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/996-82-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/996-73-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/1156-84-0x0000000000000000-mapping.dmp
    Download
  • memory/1156-89-0x0000000074800000-0x0000000074DAB000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1156-90-0x0000000074800000-0x0000000074DAB000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1444-69-0x0000000074850000-0x0000000074DFB000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1444-54-0x0000000075D71000-0x0000000075D73000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1444-55-0x0000000074850000-0x0000000074DFB000-memory.dmp
    Filesize

    5.7MB

    Download