Analysis

  • max time kernel
    91s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    • arch:x64
    • arch:x86
    • image:win10v2004-20221111-en
    • locale:en-us
    • os:windows10-2004-x64
    • system
  • submitted
    05-01-2023 19:37

General

  • Target

    outputmalware.exe

  • Size

    2.9MB

  • MD5

    2b5eca0c8dcfd123b1790a137feb4146

  • SHA1

    57ba47e17ab6de85a6cefa26b3b80a0efa72d4e5

  • SHA256

    1f64ef3c5f7690033cf54608c3f4ba61a99c1494a2a2d5aa06f8b6634d8e305b

  • SHA512

    94058f6b34f3820130571aec3f82fc89a3ba4198b65fe80e705f82ee7187ac2027ffe054ddabf945c7fff4db36224c74c95e1756ed755de7ea13dfb142c40a94

  • SSDEEP

    49152:Qmd9Cf3Vvwxrb/T2vO90d7HjmAFd4A64nsfJdVfZgXKRQHfDTJz1jStov0hlZ0Az:+3qH8qo8V0A

Malware Config

Extracted

Family

netwire

C2

127.0.0.1:3360

needforrat.hopto.org:3360

Attributes
  • activex_autorun

    false

  • copy_executable

    false

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • keylogger_dir

    TestLink.lnk

  • lock_executable

    false

  • mutex

    JjkhHVmd

  • offline_keylogger

    false

  • password

    Password

  • registry_autorun

    false

  • use_mutex

    false

Signatures

  • NetWire RAT payload 2 IoCs
  • Netwire

    Netwire is a RAT whose main functionality is focused on password stealing and keylogging, but it also includes remote control capabilities.

  • Executes dropped EXE 1 IoCs
  • Drops startup file 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\outputmalware.exe
    "C:\Users\Admin\AppData\Local\Temp\outputmalware.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4644
    • C:\Users\Admin\AppData\Local\Temp\go-memexec-1071441352.exe
      C:\Users\Admin\AppData\Local\Temp\go-memexec-1071441352.exe
      2⤵
      • Executes dropped EXE
      • Drops startup file
      PID:3352

Network

MITRE ATT&CK Matrix ATT&CK v6

Discovery

System Information Discovery

1
T1082

Downloads

  • C:\Users\Admin\AppData\Local\Temp\go-memexec-1071441352.exe
    Filesize

    273KB

    MD5

    8d832a17a7134571f228bc0da586a541

    SHA1

    274f83a8874d16ff937d3e8c231bcf4916d18fe8

    SHA256

    36b9e2e48e5f7ab4543df7f80d299bb72e65c5f343d8bb1d8bff39764a829c8f

    SHA512

    0b5e00c88a35eb72b0f06d82fe3cd5a84c0520480f3d631ca42c7d3bc04bf33001f84943c6d4e9c8e1abb00414669a978de45b72b6bb8a002cc5c53d86d88bcb

  • memory/3352-132-0x0000000000000000-mapping.dmp