Malware Analysis Report

2025-01-18 16:51

Sample ID: 230618-j83txsec76
Target: 0x00080000000122ee-67.dat
SHA256: 7231c7a76d9c4d0a307197522a2aec968f31865a4b2c4b962b64b01e9229315b
Tags: netwire botnet rat stealer
Score: 10/10

Table of Contents

Analysis Overview
  MITRE ATT&CK
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 7231c7a76d9c4d0a307197522a2aec968f31865a4b2c4b962b64b01e9229315b

Threat Level: Known bad

The file 0x00080000000122ee-67.dat was found to be: Known bad.

Malicious Activity Summary

Tags: netwire botnet rat stealer

NetWire RAT payload

Netwire

Netwire family

Unsigned PE

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2023-06-18 08:21

Signatures

NetWire RAT payload

Tag: rat

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Netwire family

Tag: netwire

Unsigned PE

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2023-06-18 08:21
Reported: 2023-06-18 08:23
Platform: win10v2004-20230220-en
Max time kernel: 141s
Max time network: 144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0x00080000000122ee-67.exe"

Signatures

NetWire RAT payload

Tag: rat

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A

Netwire

Tags: botnet stealer netwire

Processes

C:\Users\Admin\AppData\Local\Temp\0x00080000000122ee-67.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0x00080000000122ee-67.exe"

Network

Country  Destination            Domain                               Proto
US       8.8.8.8:53             william1979.ddns.net                 udp
US       184.105.237.196:4416   william1979.ddns.net                 tcp
US       8.8.8.8:53             149.220.183.52.in-addr.arpa          udp
US       8.8.8.8:53             196.237.105.184.in-addr.arpa         udp
US       8.8.8.8:53             68.32.126.40.in-addr.arpa            udp
US       8.8.8.8:53             95.221.229.192.in-addr.arpa          udp
US       8.8.8.8:53             76.32.126.40.in-addr.arpa            udp
US       8.8.8.8:53             97.17.167.52.in-addr.arpa            udp
US       8.8.8.8:53             183.59.114.20.in-addr.arpa           udp
US       184.105.237.196:4416   william1979.ddns.net                 tcp
US       8.8.8.8:53             171.39.242.20.in-addr.arpa           udp
US       20.189.173.9:443       -                                    tcp
US       184.105.237.196:4416   william1979.ddns.net                 tcp
US       8.8.8.8:53             86.8.109.52.in-addr.arpa             udp
US       8.8.8.8:53             mathkros79.ddns.net                  udp
US       184.105.237.196:4416   mathkros79.ddns.net                  tcp

Files

memory/2112-135-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2112-137-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2112-139-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2112-141-0x0000000000400000-0x0000000000420000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted: 2023-06-18 08:21
Reported: 2023-06-18 08:23
Platform: win7-20230220-en
Max time kernel: 141s
Max time network: 141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0x00080000000122ee-67.exe"

Signatures

NetWire RAT payload

Tag: rat

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A

Netwire

Tags: botnet stealer netwire

Processes

C:\Users\Admin\AppData\Local\Temp\0x00080000000122ee-67.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0x00080000000122ee-67.exe"

Network

Country  Destination            Domain                 Proto
US       8.8.8.8:53             william1979.ddns.net   udp
US       184.105.237.196:4416   william1979.ddns.net   tcp
US       184.105.237.196:4416   william1979.ddns.net   tcp
US       184.105.237.196:4416   william1979.ddns.net   tcp
US       184.105.237.196:4416   william1979.ddns.net   tcp
US       184.105.237.196:4416   william1979.ddns.net   tcp
US       184.105.237.196:4416   william1979.ddns.net   tcp
US       184.105.237.196:4416   william1979.ddns.net   tcp

Files

memory/1192-56-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1192-58-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1192-60-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1192-63-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1192-65-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1192-67-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1192-69-0x0000000000400000-0x0000000000420000-memory.dmp