Analysis
max time kernel: 145s
max time network: 148s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 08-04-2023 14:01
Behavioral task: behavioral1
Sample: 3647BACE25F94430A534ABA8ABA08A731571AB2AB22F9.exe
Resource: win7-20230220-en (windows7-x64)
2 signatures, 150 seconds
General
Target: 3647BACE25F94430A534ABA8ABA08A731571AB2AB22F9.exe
Size: 132KB
MD5: 58d02ed4bc010363facf162ac2976905
SHA1: 0fdbd386a4cd8ac2edbd32a32a2fd5e8263bc38c
SHA256: 3647bace25f94430a534aba8aba08a731571ab2ab22f95ac209096e2c32ef81c
SHA512: 3287fee2405d95e03032339306253abb97d5c95b1da988f827192b4ca2c52615e271cf3f5ac58a3e3cb6a175b15d70300f86078f39145470391c0c9843daf673
SSDEEP: 1536:dtTSUSKzF0Lh9a7WraTWFbmDHVXWRVAzZ8MfUSl7Q3rw75ggZG:dt5SKzF0Lh9a7IGW9GHeOFVvc3rKZG
Malware Config
Extracted
Family: netwire
C2:
majika.gotdns.ch:1120
nik.pointto.us:1120
nikouh.pointto.us:1120
Attributes:
activex_autorun: false
copy_executable: false
delete_original: false
host_id: naza
keylogger_dir: C:\Users\Admin\AppData\Roaming\Logs\
lock_executable: true
mutex: CVkJEjPx
offline_keylogger: true
password: vodka
registry_autorun: false
use_mutex: true
Signatures
NetWire RAT payload (4 IoCs)
Processes (resource / yara_rule):
behavioral1/memory/1308-54-0x0000000000400000-0x000000000042C000-memory.dmp / netwire
behavioral1/memory/1308-56-0x0000000000400000-0x000000000042C000-memory.dmp / netwire
behavioral1/memory/1308-64-0x0000000000400000-0x000000000042C000-memory.dmp / netwire
behavioral1/memory/1308-66-0x0000000000400000-0x000000000042C000-memory.dmp / netwire
Downloads
memory/1308-54-0x0000000000400000-0x000000000042C000-memory.dmp (Filesize: 176KB)
memory/1308-56-0x0000000000400000-0x000000000042C000-memory.dmp (Filesize: 176KB)
memory/1308-64-0x0000000000400000-0x000000000042C000-memory.dmp (Filesize: 176KB)
memory/1308-66-0x0000000000400000-0x000000000042C000-memory.dmp (Filesize: 176KB)