Overview

overview

10

Static

static

SecuriteIn...42.exe

windows7-x64

1

SecuriteIn...42.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    SecuriteInfo.com.Win32.PWSX-gen.29983.31442.exe

  • Size

    865KB

  • Sample

    230117-g8wz9sbd85

  • MD5

    ec14ff4210d167270b7eccc453bc96ee

  • SHA1

    2a30b6cc2f580724fa751a74f452c775f24e4ec2

  • SHA256

    f0c72caa378310037f0d9cdc0d3eb14255f242b273a030a91b3f1540876865ab

  • SHA512

    3affa8deb6141e79fe33078b709eaf8d9db8c788c41c195cdd72011d56e79db794e023848024975e6fe74fb80f80c97c3cc542ab51944f5476b25861ba66496d

  • SSDEEP

    12288:ULNOyo2VJG09KuNPXlguxjtU5pmcT31LoGFvxy/x/mGZgBGYotcRcX6P7G+ZwlT1:JSzy0itEHctyG0IhG

Score
10/10
netwirebotnetpersistenceratstealer

Malware Config

Extracted

Family

netwire

C2

212.193.30.230:3363

Attributes
  • activex_autorun

    false

  • copy_executable

    false

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • offline_keylogger

    true

  • password

    Password@2

  • registry_autorun

    true

  • startup_name

    NetWire

  • use_mutex

    false

Targets

    • Target

      SecuriteInfo.com.Win32.PWSX-gen.29983.31442.exe

    • Size

      865KB

    • MD5

      ec14ff4210d167270b7eccc453bc96ee

    • SHA1

      2a30b6cc2f580724fa751a74f452c775f24e4ec2

    • SHA256

      f0c72caa378310037f0d9cdc0d3eb14255f242b273a030a91b3f1540876865ab

    • SHA512

      3affa8deb6141e79fe33078b709eaf8d9db8c788c41c195cdd72011d56e79db794e023848024975e6fe74fb80f80c97c3cc542ab51944f5476b25861ba66496d

    • SSDEEP

      12288:ULNOyo2VJG09KuNPXlguxjtU5pmcT31LoGFvxy/x/mGZgBGYotcRcX6P7G+ZwlT1:JSzy0itEHctyG0IhG

    Score
    10/10
    netwirebotnetpersistenceratstealer

    • NetWire RAT payload

      rat

    • Netwire

      Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

      botnetstealernetwire

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Registry Run Keys / Startup Folder

1
T1060

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks