Malware Analysis Report

2025-01-18 16:52

Sample ID: 230709-pme4madf8v
Target: outputmalware.exe
SHA256: 1f64ef3c5f7690033cf54608c3f4ba61a99c1494a2a2d5aa06f8b6634d8e305b
Tags: netwire botnet rat stealer
Score: 10/10

Analysis Overview

Score: 10/10

SHA256

1f64ef3c5f7690033cf54608c3f4ba61a99c1494a2a2d5aa06f8b6634d8e305b

Threat Level: Known bad

The file outputmalware.exe was found to be: Known bad.

Malicious Activity Summary

netwire botnet rat stealer

NetWire RAT payload

Netwire

Loads dropped DLL

Drops startup file

Executes dropped EXE

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2023-07-09 12:26

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-07-09 12:26

Reported

2023-07-09 12:29

Platform

win10v2004-20230703-en

Max time kernel

142s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\outputmalware.exe"

Signatures

NetWire RAT payload

Tags: rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Netwire

Tags: botnet stealer netwire

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TestLink.lnk C:\Users\Admin\AppData\Local\Temp\go-memexec-169167430.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\go-memexec-169167430.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\outputmalware.exe

"C:\Users\Admin\AppData\Local\Temp\outputmalware.exe"

C:\Users\Admin\AppData\Local\Temp\go-memexec-169167430.exe

C:\Users\Admin\AppData\Local\Temp\go-memexec-169167430.exe

Network

Country  Destination           Domain                          Proto
N/A      127.0.0.1:3360        N/A                             tcp
US       8.8.8.8:53            8.8.8.8.in-addr.arpa            udp
US       8.8.8.8:53            2.159.190.20.in-addr.arpa       udp
US       8.8.8.8:53            9.228.82.20.in-addr.arpa        udp
US       8.8.8.8:53            126.23.238.8.in-addr.arpa       udp
US       8.8.8.8:53            195.233.44.23.in-addr.arpa      udp
US       8.8.8.8:53            95.221.229.192.in-addr.arpa     udp
US       8.8.8.8:53            157.123.68.40.in-addr.arpa      udp
US       8.8.8.8:53            198.187.3.20.in-addr.arpa       udp
US       8.8.8.8:53            needforrat.hopto.org            udp
PK       182.180.49.15:3360    needforrat.hopto.org            tcp
US       8.8.8.8:53            11.227.111.52.in-addr.arpa      udp
US       8.8.8.8:53            67.112.168.52.in-addr.arpa      udp

Files

C:\Users\Admin\AppData\Local\Temp\go-memexec-169167430.exe

MD5 8d832a17a7134571f228bc0da586a541
SHA1 274f83a8874d16ff937d3e8c231bcf4916d18fe8
SHA256 36b9e2e48e5f7ab4543df7f80d299bb72e65c5f343d8bb1d8bff39764a829c8f
SHA512 0b5e00c88a35eb72b0f06d82fe3cd5a84c0520480f3d631ca42c7d3bc04bf33001f84943c6d4e9c8e1abb00414669a978de45b72b6bb8a002cc5c53d86d88bcb

Analysis: behavioral1

Detonation Overview

Submitted

2023-07-09 12:26

Reported

2023-07-09 12:29

Platform

win7-20230703-en

Max time kernel

78s

Max time network

92s

Command Line

"C:\Users\Admin\AppData\Local\Temp\outputmalware.exe"

Signatures

NetWire RAT payload

Tags: rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Netwire

Tags: botnet stealer netwire

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TestLink.lnk C:\Users\Admin\AppData\Local\Temp\go-memexec-2909003178.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\go-memexec-2909003178.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\go-memexec-2909003178.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\outputmalware.exe

"C:\Users\Admin\AppData\Local\Temp\outputmalware.exe"

C:\Users\Admin\AppData\Local\Temp\go-memexec-2909003178.exe

C:\Users\Admin\AppData\Local\Temp\go-memexec-2909003178.exe

Network

Country  Destination           Domain                  Proto
N/A      127.0.0.1:3360        N/A                     tcp
US       8.8.8.8:53            needforrat.hopto.org    udp
PK       182.180.49.15:3360    needforrat.hopto.org    tcp

Files

C:\Users\Admin\AppData\Local\Temp\go-memexec-2909003178.exe

MD5 8d832a17a7134571f228bc0da586a541
SHA1 274f83a8874d16ff937d3e8c231bcf4916d18fe8
SHA256 36b9e2e48e5f7ab4543df7f80d299bb72e65c5f343d8bb1d8bff39764a829c8f
SHA512 0b5e00c88a35eb72b0f06d82fe3cd5a84c0520480f3d631ca42c7d3bc04bf33001f84943c6d4e9c8e1abb00414669a978de45b72b6bb8a002cc5c53d86d88bcb