Overview

overview

10

Static

static

10

2be4c174d3...95.exe

windows7-x64

10

2be4c174d3...95.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25/12/2023, 16:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2be4c174d3341bb0a4b3bbb5acfc7c95.exe

  • Size

    127KB

  • MD5

    2be4c174d3341bb0a4b3bbb5acfc7c95

  • SHA1

    af6f5515d85541cab65156b300f273e26e3d4bd4

  • SHA256

    d3005d77397626a03d0f7ab00c89559eb0056f252311fce41cea165fbbe609f8

  • SHA512

    8bbae500f6c99a0d8dbb283c36f0d1fe2d41c12e4c0d9ed8df518dd2511bfe3a90ca4fba7328860158a4ce81c3599c243632374bb6eef221795fb9154949e04b

  • SSDEEP

    3072:aq3E2BfBSbEsz7nCAFVNNvBGvdO5gPaEjep8Fe7Z1iO7ZbvbZV7S:XRBfBSosz7nCA3NHCdXaEj7Fe7Z1iOFe

Score
10/10
netwirebotnetpersistenceratstealer

Malware Config

Extracted

Family

netwire

C2

automan.duckdns.org:3382

Attributes
  • activex_autorun

    false

  • copy_executable

    true

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • install_path

    %AppData%\Install\Host.exe

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • mutex

    HDPAYslj

  • offline_keylogger

    true

  • password

    onelove82

  • registry_autorun

    true

  • startup_name

    NetWire

  • use_mutex

    true

Signatures

  • NetWire RAT payload 18 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2be4c174d3341bb0a4b3bbb5acfc7c95.exe
    "C:\Users\Admin\AppData\Local\Temp\2be4c174d3341bb0a4b3bbb5acfc7c95.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4296
    • C:\Users\Admin\AppData\Roaming\Install\Host.exe
      "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      PID:2324

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Install\Host.exe
    Filesize

    51KB

    MD5

    ba4275186ecba504fd87030381bf8bdb

    SHA1

    b74f55ae0b8ff1d130f45ee4435f0f43c7491ff5

    SHA256

    4a22eb6ba06115f7d5bc92ddebd7f372697743fc01d2c24e51cdf9ec17a8071e

    SHA512

    7998c75526342e39e2756e3fbeed3863fc5d7d08ddbec543e257a8c9e3dc6ddf06d710b789b782288457c26add5ebcca127ef1811d28ff701f2ea9198ff341b6

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Install\Host.exe
    Filesize

    91KB

    MD5

    e00dbb76b2705b93adf5d8f9bcb9d88f

    SHA1

    e8b5c03742ceca806439e427cfce336c1af9342b

    SHA256

    faf2dadc0b17f94297af11af7b293ae448ed7dc874b67c7359f92649403983ce

    SHA512

    7badfe62496b80783efd99e26dffabbc8e9b9d57e3476ae2f42e3b38508d05346a5de7a9ca35370c2b4d39fadffd9d8aab0f276bc923f56d5e11e21d777b7cd7

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Install\Host.exe
    Filesize

    96KB

    MD5

    f1d66c3cb609cdd38b673815419f182c

    SHA1

    eff4a396a738b06f0b0f89173b1968d3bfc27929

    SHA256

    134217cc2a1b57925e7cf2e5f4f45088b2ef9e3642ca60beb770b66a184ebabe

    SHA512

    28bfd37a1f1ce2b07845084046d63d4d55390df7965a3efad8c5b2e1229aac346ee9157311810885d9483519ac773e150d3947d6fe8faa5024a2fb70e83e2b19

    Download Submit

  • memory/2324-13-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2324-15-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2324-10-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2324-11-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2324-12-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2324-22-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2324-14-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2324-9-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2324-16-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2324-17-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2324-18-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2324-19-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2324-20-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2324-21-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/4296-8-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download