Malware Analysis Report

2025-01-18 16:51

Sample ID 230724-wqkxlsgc25
Target 12f0eed74bedd614dafa175f7bd5b66ca6f3cf504ebfe4daa19283ea9b8f13ac.bin
SHA256 12f0eed74bedd614dafa175f7bd5b66ca6f3cf504ebfe4daa19283ea9b8f13ac
Tags
rat netwire botnet stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

12f0eed74bedd614dafa175f7bd5b66ca6f3cf504ebfe4daa19283ea9b8f13ac

Threat Level: Known bad

The file 12f0eed74bedd614dafa175f7bd5b66ca6f3cf504ebfe4daa19283ea9b8f13ac.bin was found to be: Known bad.

Malicious Activity Summary

rat netwire botnet stealer

NetWire RAT payload

Netwire family

Netwire

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-07-24 18:07

Signatures

NetWire RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Netwire family

netwire

Analysis: behavioral1

Detonation Overview

Submitted

2023-07-24 18:07

Reported

2023-07-24 18:10

Platform

win7-20230712-en

Max time kernel

122s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\12f0eed74bedd614dafa175f7bd5b66ca6f3cf504ebfe4daa19283ea9b8f13ac.exe"

Signatures

NetWire RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Netwire

botnet stealer netwire

Executes dropped EXE

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Roaming\Install\Host.exe
Target: N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\12f0eed74bedd614dafa175f7bd5b66ca6f3cf504ebfe4daa19283ea9b8f13ac.exe

"C:\Users\Admin\AppData\Local\Temp\12f0eed74bedd614dafa175f7bd5b66ca6f3cf504ebfe4daa19283ea9b8f13ac.exe"

C:\Users\Admin\AppData\Roaming\Install\Host.exe

"C:\Users\Admin\AppData\Roaming\Install\Host.exe"

Network

Country  Destination           Domain  Proto
NL       212.193.30.230:6826   -       tcp
NL       212.193.30.230:6826   -       tcp

Files

\Users\Admin\AppData\Roaming\Install\Host.exe

MD5 3083bdae6d2f32e05dc1aad22caaeba2
SHA1 d96346133d23d26ed8197e64c3b2ab2691d66b47
SHA256 12f0eed74bedd614dafa175f7bd5b66ca6f3cf504ebfe4daa19283ea9b8f13ac
SHA512 81c7406b8a2b789250808f99b74b8d107c155757de8cd332a97cf15b4bd63c9701104b1ea3ed4aae51aea7eed2f96799288897b6fa6dfbafd00ae180fc115c27

C:\Users\Admin\AppData\Roaming\Install\Host.exe

MD5 3083bdae6d2f32e05dc1aad22caaeba2
SHA1 d96346133d23d26ed8197e64c3b2ab2691d66b47
SHA256 12f0eed74bedd614dafa175f7bd5b66ca6f3cf504ebfe4daa19283ea9b8f13ac
SHA512 81c7406b8a2b789250808f99b74b8d107c155757de8cd332a97cf15b4bd63c9701104b1ea3ed4aae51aea7eed2f96799288897b6fa6dfbafd00ae180fc115c27

Analysis: behavioral2

Detonation Overview

Submitted

2023-07-24 18:07

Reported

2023-07-24 18:10

Platform

win10v2004-20230703-en

Max time kernel

142s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\12f0eed74bedd614dafa175f7bd5b66ca6f3cf504ebfe4daa19283ea9b8f13ac.exe"

Signatures

NetWire RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Netwire

botnet stealer netwire

Checks computer location settings

Description: Key value queried
Indicator: \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\Control Panel\International\Geo\Nation
Process: C:\Users\Admin\AppData\Local\Temp\12f0eed74bedd614dafa175f7bd5b66ca6f3cf504ebfe4daa19283ea9b8f13ac.exe
Target: N/A

Executes dropped EXE

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Roaming\Install\Host.exe
Target: N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\12f0eed74bedd614dafa175f7bd5b66ca6f3cf504ebfe4daa19283ea9b8f13ac.exe

"C:\Users\Admin\AppData\Local\Temp\12f0eed74bedd614dafa175f7bd5b66ca6f3cf504ebfe4daa19283ea9b8f13ac.exe"

C:\Users\Admin\AppData\Roaming\Install\Host.exe

"C:\Users\Admin\AppData\Roaming\Install\Host.exe"

Network

Country  Destination           Domain                              Proto
US       8.8.8.8:53            158.240.127.40.in-addr.arpa         udp
NL       212.193.30.230:6826   -                                   tcp
US       8.8.8.8:53            73.159.190.20.in-addr.arpa          udp
US       8.8.8.8:53            95.221.229.192.in-addr.arpa         udp
US       8.8.8.8:53            55.36.223.20.in-addr.arpa           udp
NL       212.193.30.230:6826   -                                   tcp
US       8.8.8.8:53            1.77.109.52.in-addr.arpa            udp
US       8.8.8.8:53            69.121.18.2.in-addr.arpa            udp
US       8.8.8.8:53            2.173.189.20.in-addr.arpa           udp

Files

C:\Users\Admin\AppData\Roaming\Install\Host.exe

MD5 3083bdae6d2f32e05dc1aad22caaeba2
SHA1 d96346133d23d26ed8197e64c3b2ab2691d66b47
SHA256 12f0eed74bedd614dafa175f7bd5b66ca6f3cf504ebfe4daa19283ea9b8f13ac
SHA512 81c7406b8a2b789250808f99b74b8d107c155757de8cd332a97cf15b4bd63c9701104b1ea3ed4aae51aea7eed2f96799288897b6fa6dfbafd00ae180fc115c27
