General

  • Target

    rFuDj.7z

  • Size

    254KB

  • Sample

    230301-gyxttaee3w

  • MD5

    1634de6cfbca39797953d519d68b265b

  • SHA1

    678a691f192464170264576365298b16fde02b71

  • SHA256

    991eecd487e1e8c192f651f100ce6790f87942a403550ad4469cfb90e1f8d2dc

  • SHA512

    d990ea65078f70b351fa9df570509a8e425ae53853a98b3189ffdaaf251837a8a2b2f6994bfa52118bb0ee138a79fed70478ef2d26da67df7151313c0d70c61e

  • SSDEEP

    6144:tU0rioNeQMrbe8p/D0+UGjNLaWqA3K8+FVXznIUjAmxrh9f:O0GVrLpL0yFaRA3K8sV7jz1f

Malware Config

Extracted

Family

netwire

C2

184.75.221.211:5614

213.152.162.5:5614

194.36.111.59:5614

62.102.148.156:5614

217.151.98.163:5614

Attributes

  • activex_autorun

    false

  • copy_executable

    false

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • lock_executable

    false

  • mutex

    QuFDTHWH

  • offline_keylogger

    false

  • password

    Password

  • registry_autorun

    false

  • use_mutex

    false

Targets

    • Target

      rFuDj.cmd

    • Size

      332KB

    • MD5

      02a8d87db6d29b1baab0f1b9e71834d7

    • SHA1

      934f99d43f6b983f57156c4dd56bba26fd4065bd

    • SHA256

      8a59fe8ca31ce4abde54d02705f65ed0d788e384e0d5c05441971f4d1fef5b34

    • SHA512

      8ff8e13ac50f95d1a19174093f1337aaa54a4199872bfa96dc45545a79600be71694cb72ee9e59c064b8c851f2e1f7856ff2f3c96fc5d073adb4ef06a97fb99f

    • SSDEEP

      6144:6917wECPZ87yAlTLuGNaqzD1zV3ITby8EP7S7PNbecS3kKbwREdxsSi7yqr+QyQ:691Wx8uc2WtI4P+7P0EK+uA

    • Netwire

      Netwire is a RAT whose main functionality is focused on password stealing and keylogging, but it also includes remote control capabilities.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Adds Run key to start application

MITRE ATT&CK Matrix (ATT&CK v6)

Persistence

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Modify Registry

1
T1112

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Tasks