General

  • Target: e65a63374804040e16bbc0027f16f1863e292071f80883915e2521ea7d2c13a1
  • Size: 1.3MB
  • Sample: 230129-x9jdkacd7y
  • MD5: 961dddaec1b5d6c68d4f8513af5da04c
  • SHA1: 7ca4b9dbfdc0c2c443479648645b739434c484a8
  • SHA256: e65a63374804040e16bbc0027f16f1863e292071f80883915e2521ea7d2c13a1
  • SHA512: 1a94af7539e3f8848b6d10f1597c065b8cc8b68c6ce607b224ec0114aac625118f361c8dcffa826ea9ce16cc64e66eb0c95aab1059315d57c477ad8af74929c1
  • SSDEEP: 24576:dVJn/G7I/BagGiOhE+cxWISFJ62I5yxZDNtRwhzliUQVI6rNYsYusC7:7J+qFOhE+WSLFKStRwhxiMKAuz7

Malware Config

Extracted

  • Family: netwire
  • C2: bots.xdecryptedx.life:4528

Attributes

  • activex_autorun: false
  • copy_executable: false
  • delete_original: false
  • host_id: HostId-%Rand%
  • keylogger_dir: %AppData%\Logs\
  • lock_executable: false
  • mutex: sTvcsXlx
  • offline_keylogger: true
  • password: Password
  • registry_autorun: false
  • use_mutex: true

Targets

    • NetWire RAT payload

    • Netwire

      Netwire is a RAT whose main functionality is password stealing and keylogging; it also includes remote control capabilities.

    • Looks for VirtualBox Guest Additions in registry

    • Executes dropped EXE

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tactic                 Technique                        Count  ID
Execution              Scheduled Task                   1      T1053
Persistence            Scheduled Task                   1      T1053
Privilege Escalation   Scheduled Task                   1      T1053
Defense Evasion        Virtualization/Sandbox Evasion   2      T1497
Discovery              Query Registry                   5      T1012
Discovery              Virtualization/Sandbox Evasion   2      T1497
Discovery              System Information Discovery     4      T1082
Discovery              Peripheral Device Discovery      1      T1120

Tasks