Analysis
max time kernel: 91s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-02-2023 22:00
Static task: static1
Behavioral task: behavioral1
Sample: FortiClientVPNOnlineInstaller.exe
Resource: win7-20220812-en (windows7-x64)
2 signatures, 150 seconds
General
Target: FortiClientVPNOnlineInstaller.exe
Size: 5.7MB
MD5: 0e46f2eb75a6a2c283100ca0f23541e7
SHA1: 020a61041798d1a713626737c83750a2442c989f
SHA256: f631ef4ce81b9a0984d44a9468db2ae30cb37bdad67aaeb43f53d50039d8c5aa
SHA512: 0ef241df8b18461689a619013bdd5bf280dd0d91ac61c6c9bdf145ef9db72f1cf0682628067bdf277a75b9ff0465d031adb0a5b9fba83caad856912ea5b577ef
SSDEEP: 98304:RpYu1FgaNGYgBf03/aGXbEPI/RFYBzkvvjjz9GMd4RFTsMnIS/PKo7uJIxNulRP0:TgaNGYaISGL8k/79yPKo7pxNul0KW
Malware Config
Extracted
Family: netwire
C2: s2awscloudupdates.com:8081
Attributes
activex_autorun: false
copy_executable: false
delete_original: false
host_id: HostId-yYagi4
lock_executable: false
offline_keylogger: false
password: happy666
registry_autorun: false
use_mutex: false
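The only network indicator the extracted config gives is the C2 endpoint s2awscloudupdates.com:8081. The following is an added example, not part of the sandbox report, showing how a practitioner would turn that one indicator into a check over egress logs: hostnames are normalised (trailing dot, case) and matched on the exact name or a subdomain of it, while the port alone is never enough to fire. The log lines are constructed for the example in an assumed key=value format; the only values taken from the page are the host and port.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# C2 endpoint from the NetWire config extracted in this report.
NETWIRE_C2_HOST = "s2awscloudupdates.com"
NETWIRE_C2_PORT = 8081

# Constructed sample egress-log lines (assumed key=value format, not from the report).
SAMPLE_LOGS = [
    "ts=2023-02-14T22:01:03Z src=10.10.4.21 dst_host=s2awscloudupdates.com dst_port=8081 proto=tcp",
    "ts=2023-02-14T22:01:04Z src=10.10.4.21 dst_host=update.example.com dst_port=443 proto=tcp",
    "ts=2023-02-14T22:01:09Z src=10.10.4.33 dst_host=cdn.S2AWSCLOUDUPDATES.COM. dst_port=443 proto=tcp",
    "ts=2023-02-14T22:01:12Z src=10.10.4.33 dst_host=s2awscloudupdates.com.example.net dst_port=8081 proto=tcp",
    "ts=2023-02-14T22:01:15Z src=10.10.4.40 dst_host=10.10.9.9 dst_port=8081 proto=tcp",
]


@dataclass
class Hit:
    ts: str
    src: str
    host: str
    port: int
    severity: str


def parse_kv(line: str) -> dict:
    """Split a 'k=v k=v' log line into a dict; tokens without '=' are ignored."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def normalize_host(host: str) -> str:
    """DNS names are case-insensitive and may carry a trailing root dot."""
    return host.rstrip(".").lower()


def host_matches(host: str, indicator: str) -> bool:
    """True for the indicator itself or any subdomain of it.

    Suffix matching must anchor on a label boundary: 'evil.com' must not
    match 'notevil.com', and 'indicator.com.example.net' is a different domain.
    """
    h = normalize_host(host)
    return h == indicator or h.endswith("." + indicator)


def scan_logs(lines: List[str],
              c2_host: str = NETWIRE_C2_HOST,
              c2_port: int = NETWIRE_C2_PORT) -> List[Hit]:
    """Return a Hit per line whose destination host matches the C2 domain.

    Severity is 'high' when the port also matches the configured C2 port and
    'medium' otherwise; a port match without the host is not reported at all,
    since 8081 is far too common to be an indicator on its own.
    """
    hits: List[Hit] = []
    for line in lines:
        kv = parse_kv(line)
        host = kv.get("dst_host", "")
        try:
            port = int(kv.get("dst_port", "0"))
        except ValueError:
            port = 0
        if not host_matches(host, c2_host):
            continue
        severity = "high" if port == c2_port else "medium"
        hits.append(Hit(kv.get("ts", ""), kv.get("src", ""),
                        normalize_host(host), port, severity))
    return hits


if __name__ == "__main__":
    for h in scan_logs(SAMPLE_LOGS):
        print(f"{h.severity:6} {h.ts} {h.src} -> {h.host}:{h.port}")
```

Of the five constructed lines only two fire: the exact host on port 8081 (high) and a subdomain on 443 (medium). The look-alike s2awscloudupdates.com.example.net and the bare IP on port 8081 are correctly ignored.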
Signatures
NetWire RAT payload (2 IoCs)
resource / yara_rule
behavioral2/memory/5080-133-0x0000000002CE0000-0x0000000002D25000-memory.dmp netwire
behavioral2/memory/5080-134-0x0000000002D30000-0x0000000002D7F000-memory.dmp netwire
Processes
Network
MITRE ATT&CK Matrix
Downloads
memory/5080-132-0x0000000000400000-0x00000000009B0000-memory.dmp (Filesize 5.7MB)
memory/5080-133-0x0000000002CE0000-0x0000000002D25000-memory.dmp (Filesize 276KB)
memory/5080-134-0x0000000002D30000-0x0000000002D7F000-memory.dmp (Filesize 316KB)
memory/5080-135-0x0000000000400000-0x00000000009B0000-memory.dmp (Filesize 5.7MB)
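The dump names encode PID, a sequence number and the virtual address range of the region that was dumped, so the listed sizes can be checked against the address arithmetic, and the YARA hits from the Signatures section can be joined onto the same rows. The code below is an added example, not part of the report, doing exactly that for the four dumps above; the name format is inferred from the listed names and the size formatting (whole KB below 1 MiB, one decimal MB above) is assumed to reproduce the report's rendering. Note that the netwire rule hits only on the two smaller regions, not on the 0x400000 mapping whose size equals the 5.7MB submitted file.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Name format inferred from the Downloads list: memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp,
# optionally prefixed with the task name (behavioral2/...).
DUMP_NAME = re.compile(
    r"^(?:behavioral\d+/)?memory/(?P<pid>\d+)-(?P<seq>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# Dump names and sizes copied from the Downloads list of this report.
REPORTED_DUMPS: Dict[str, str] = {
    "memory/5080-132-0x0000000000400000-0x00000000009B0000-memory.dmp": "5.7MB",
    "memory/5080-133-0x0000000002CE0000-0x0000000002D25000-memory.dmp": "276KB",
    "memory/5080-134-0x0000000002D30000-0x0000000002D7F000-memory.dmp": "316KB",
    "memory/5080-135-0x0000000000400000-0x00000000009B0000-memory.dmp": "5.7MB",
}

# YARA matches copied from the Signatures section of this report.
YARA_HITS: Dict[str, str] = {
    "behavioral2/memory/5080-133-0x0000000002CE0000-0x0000000002D25000-memory.dmp": "netwire",
    "behavioral2/memory/5080-134-0x0000000002D30000-0x0000000002D7F000-memory.dmp": "netwire",
}


@dataclass
class DumpRegion:
    name: str
    pid: int
    seq: int
    start: int
    end: int
    yara: Optional[str] = None

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_dump_name(name: str) -> DumpRegion:
    """Decode pid, sequence number and address range from a dump file name."""
    m = DUMP_NAME.match(name)
    if not m:
        raise ValueError(f"not a sandbox memory dump name: {name!r}")
    return DumpRegion(name=name, pid=int(m["pid"]), seq=int(m["seq"]),
                      start=int(m["start"], 16), end=int(m["end"], 16))


def fmt_size(nbytes: int) -> str:
    """Assumed rendering: whole KB below 1 MiB, one decimal MB at or above it."""
    if nbytes < 1024 * 1024:
        return f"{nbytes // 1024}KB"
    return f"{nbytes / (1024 * 1024):.1f}MB"


def reconcile(reported: Dict[str, str],
              yara_hits: Dict[str, str]) -> List[Tuple[DumpRegion, str, bool]]:
    """Join each reported dump with its YARA tag and check the size arithmetic.

    Returns (region, reported_size, size_matches) per dump. YARA keys carry a
    task prefix, so they are matched on the part after the first '/'.
    """
    by_basename = {k.split("/", 1)[1]: v for k, v in yara_hits.items()}
    rows = []
    for name, reported_size in reported.items():
        region = parse_dump_name(name)
        region.yara = by_basename.get(name)
        rows.append((region, reported_size, fmt_size(region.size) == reported_size))
    return rows


if __name__ == "__main__":
    for region, reported_size, ok in reconcile(REPORTED_DUMPS, YARA_HITS):
        print(f"pid={region.pid} seq={region.seq} 0x{region.start:08X}-0x{region.end:08X} "
              f"size={region.size:#x} ({fmt_size(region.size)}, reported {reported_size}, "
              f"{'ok' if ok else 'MISMATCH'}) yara={region.yara}")
```

Running it shows all four sizes reconcile (0x45000 bytes = 276KB, 0x4F000 bytes = 316KB, 0x5B0000 bytes = 5.7MB), and that the two netwire-tagged dumps are the 276KB and 316KB regions; those are the dumps to pull for payload analysis rather than the two copies of the main image.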