Overview

overview

10

Static

static

INV-9004346.exe

windows7-x64

10

INV-9004346.exe

windows10-2004-x64

10

Resubmissions

20-12-2022 15:12

221220-slggvadc7s 1

19-12-2022 04:16

221219-ev4rvaeb95 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    INV-9004346.exe

  • Size

    22KB

  • Sample

    221219-ev4rvaeb95

  • MD5

    f78fe63bb226cb00b24abe4062540c7e

  • SHA1

    6046e196a18741e553e0740ae1763ef09d09cc73

  • SHA256

    1e71db7db4c1e84c646c8abc4952f6dd56b5e2a080284c13cf56eaf7a841bda3

  • SHA512

    33bbdc20088250144428af74e7c5b3afaf650073ef19bd5fe3f1ca3d903c1467fd347dd32e7fb5402e2be5e04cf4bbef2badaa567dc3d70ac16668cfab872c2b

  • SSDEEP

    384:kEYZXiPLEckJBJfP7sqJBi9/utD4Y+rqzIGpygSubqfYtZWHHuxH:kEYZXWSP7sqJk9/utD4Y+OzHpy3WquZv

Score
10/10
netwirebotnetpersistenceratstealer

Malware Config

Extracted

Family

netwire

C2

5.230.73.39:3637

Attributes
  • activex_autorun

    false

  • copy_executable

    false

  • delete_original

    false

  • host_id

    Toolx

  • lock_executable

    false

  • offline_keylogger

    false

  • password

    Password

  • registry_autorun

    false

  • use_mutex

    false

Targets

    • Target

      INV-9004346.exe

    • Size

      22KB

    • MD5

      f78fe63bb226cb00b24abe4062540c7e

    • SHA1

      6046e196a18741e553e0740ae1763ef09d09cc73

    • SHA256

      1e71db7db4c1e84c646c8abc4952f6dd56b5e2a080284c13cf56eaf7a841bda3

    • SHA512

      33bbdc20088250144428af74e7c5b3afaf650073ef19bd5fe3f1ca3d903c1467fd347dd32e7fb5402e2be5e04cf4bbef2badaa567dc3d70ac16668cfab872c2b

    • SSDEEP

      384:kEYZXiPLEckJBJfP7sqJBi9/utD4Y+rqzIGpygSubqfYtZWHHuxH:kEYZXWSP7sqJk9/utD4Y+OzHpy3WquZv

    Score
    10/10
    netwirebotnetpersistenceratstealer

    • NetWire RAT payload

      rat

    • Netwire

      Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

      botnetstealernetwire

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks