Overview

overview

10

Static

static

709135163d...66.exe

windows7-x64

10

709135163d...66.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    124s
  • max time network
    140s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    30-11-2022 12:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    709135163dbab906237092fe63412c55c71dc4566ff8902c3728f1c22bce8d66.exe

  • Size

    628KB

  • MD5

    c12e964ba585f9a9857075b8eb65d76b

  • SHA1

    1add8089079732146f8488279366e0edbb642dea

  • SHA256

    709135163dbab906237092fe63412c55c71dc4566ff8902c3728f1c22bce8d66

  • SHA512

    8f6cd53cb37b42a5078cd7a3488f2209e88b135a94dd0684a6f8d24417f389070b67ecb74e801dd3ff3392cd1e956e8ad32120fca6cdb36c8a7a9e23ee8e06f2

  • SSDEEP

    12288:Z25oGFLgYE9jz/Y3GTG8LKa+pCxBU2wgWD1+KjLQZ3Ntkf4VTqKlA7yTE:0VFEYE9XA3GnLtRWD1W3sf4V+Xk

Score
10/10
netwirebotnetpersistenceratstealer

Malware Config

Extracted

Family

netwire

C2

mamaput.duckdns.org:3369

Attributes
  • activex_autorun

    true

  • activex_key

    {BF4QBRQX-XB5B-3NJ1-P10G-U11UC07H0K2W}

  • copy_executable

    true

  • delete_original

    false

  • host_id

    winwin

  • install_path

    %AppData%\Install\Host.exe

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • offline_keylogger

    true

  • password

    gbam1234

  • registry_autorun

    true

  • startup_name

    NetWire

  • use_mutex

    false

Signatures

  • NetWire RAT payload 4 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Executes dropped EXE 2 IoCs
  • Modifies Installed Components in the registry 2 TTPs 2 IoCs
    persistence
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\709135163dbab906237092fe63412c55c71dc4566ff8902c3728f1c22bce8d66.exe
    "C:\Users\Admin\AppData\Local\Temp\709135163dbab906237092fe63412c55c71dc4566ff8902c3728f1c22bce8d66.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:960
    • C:\Users\Admin\AppData\Local\Temp\709135163dbab906237092fe63412c55c71dc4566ff8902c3728f1c22bce8d66.exe
      C:\Users\Admin\AppData\Local\Temp\709135163dbab906237092fe63412c55c71dc4566ff8902c3728f1c22bce8d66.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1376
      • C:\Users\Admin\AppData\Roaming\Install\Host.exe
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:544
        • C:\Users\Admin\AppData\Roaming\Install\Host.exe
          C:\Users\Admin\AppData\Roaming\Install\Host.exe"
          4⤵
          • Executes dropped EXE
          • Modifies Installed Components in the registry
          • Adds Run key to start application
          PID:560

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Install\Host.exe
    Filesize

    628KB

    MD5

    c12e964ba585f9a9857075b8eb65d76b

    SHA1

    1add8089079732146f8488279366e0edbb642dea

    SHA256

    709135163dbab906237092fe63412c55c71dc4566ff8902c3728f1c22bce8d66

    SHA512

    8f6cd53cb37b42a5078cd7a3488f2209e88b135a94dd0684a6f8d24417f389070b67ecb74e801dd3ff3392cd1e956e8ad32120fca6cdb36c8a7a9e23ee8e06f2

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Install\Host.exe
    Filesize

    628KB

    MD5

    c12e964ba585f9a9857075b8eb65d76b

    SHA1

    1add8089079732146f8488279366e0edbb642dea

    SHA256

    709135163dbab906237092fe63412c55c71dc4566ff8902c3728f1c22bce8d66

    SHA512

    8f6cd53cb37b42a5078cd7a3488f2209e88b135a94dd0684a6f8d24417f389070b67ecb74e801dd3ff3392cd1e956e8ad32120fca6cdb36c8a7a9e23ee8e06f2

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Install\Host.exe
    Filesize

    628KB

    MD5

    c12e964ba585f9a9857075b8eb65d76b

    SHA1

    1add8089079732146f8488279366e0edbb642dea

    SHA256

    709135163dbab906237092fe63412c55c71dc4566ff8902c3728f1c22bce8d66

    SHA512

    8f6cd53cb37b42a5078cd7a3488f2209e88b135a94dd0684a6f8d24417f389070b67ecb74e801dd3ff3392cd1e956e8ad32120fca6cdb36c8a7a9e23ee8e06f2

    Download Submit
  • \Users\Admin\AppData\Roaming\Install\Host.exe
    Filesize

    628KB

    MD5

    c12e964ba585f9a9857075b8eb65d76b

    SHA1

    1add8089079732146f8488279366e0edbb642dea

    SHA256

    709135163dbab906237092fe63412c55c71dc4566ff8902c3728f1c22bce8d66

    SHA512

    8f6cd53cb37b42a5078cd7a3488f2209e88b135a94dd0684a6f8d24417f389070b67ecb74e801dd3ff3392cd1e956e8ad32120fca6cdb36c8a7a9e23ee8e06f2

    Download Submit
  • \Users\Admin\AppData\Roaming\Install\Host.exe
    Filesize

    628KB

    MD5

    c12e964ba585f9a9857075b8eb65d76b

    SHA1

    1add8089079732146f8488279366e0edbb642dea

    SHA256

    709135163dbab906237092fe63412c55c71dc4566ff8902c3728f1c22bce8d66

    SHA512

    8f6cd53cb37b42a5078cd7a3488f2209e88b135a94dd0684a6f8d24417f389070b67ecb74e801dd3ff3392cd1e956e8ad32120fca6cdb36c8a7a9e23ee8e06f2

    Download Submit
  • memory/544-72-0x0000000000000000-mapping.dmp
    Download
  • memory/544-85-0x0000000077970000-0x0000000077AF0000-memory.dmp
    Filesize

    1.5MB

    Download
  • memory/544-84-0x0000000077790000-0x0000000077939000-memory.dmp
    Filesize

    1.7MB

    Download
  • memory/544-83-0x0000000000300000-0x0000000000307000-memory.dmp
    Filesize

    28KB

    Download
  • memory/560-94-0x0000000077790000-0x0000000077939000-memory.dmp
    Filesize

    1.7MB

    Download
  • memory/560-81-0x0000000000403C6B-mapping.dmp
    Download
  • memory/560-95-0x0000000077970000-0x0000000077AF0000-memory.dmp
    Filesize

    1.5MB

    Download
  • memory/560-96-0x0000000000260000-0x0000000000267000-memory.dmp
    Filesize

    28KB

    Download
  • memory/560-87-0x0000000000400000-0x00000000004A2000-memory.dmp
    Filesize

    648KB

    Download
  • memory/560-88-0x0000000000400000-0x000000000042C000-memory.dmp
    Filesize

    176KB

    Download
  • memory/960-56-0x0000000000270000-0x0000000000277000-memory.dmp
    Filesize

    28KB

    Download
  • memory/960-57-0x00000000757A1000-0x00000000757A3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/960-61-0x0000000077970000-0x0000000077AF0000-memory.dmp
    Filesize

    1.5MB

    Download
  • memory/960-60-0x0000000077790000-0x0000000077939000-memory.dmp
    Filesize

    1.7MB

    Download
  • memory/960-59-0x0000000000270000-0x0000000000277000-memory.dmp
    Filesize

    28KB

    Download
  • memory/1376-78-0x0000000077970000-0x0000000077AF0000-memory.dmp
    Filesize

    1.5MB

    Download
  • memory/1376-63-0x0000000000400000-0x00000000004A2000-memory.dmp
    Filesize

    648KB

    Download
  • memory/1376-58-0x0000000000403C6B-mapping.dmp
    Download
  • memory/1376-64-0x0000000000400000-0x000000000042C000-memory.dmp
    Filesize

    176KB

    Download
  • memory/1376-76-0x0000000077790000-0x0000000077939000-memory.dmp
    Filesize

    1.7MB

    Download
  • memory/1376-73-0x0000000000220000-0x0000000000227000-memory.dmp
    Filesize

    28KB

    Download