Overview

overview

10

Static

static

7

3a063843b8...ca.exe

windows7-x64

10

3a063843b8...ca.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    0s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31/12/2023, 14:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3a063843b86882f4adc81ec1cdfb7bca.exe

  • Size

    594KB

  • MD5

    3a063843b86882f4adc81ec1cdfb7bca

  • SHA1

    cbeb7aed619982f754d79ad2fe44cd20280a0638

  • SHA256

    cfc906e180861810f8d8a4b578116054ef6f84ab725196124af6450629c2c05a

  • SHA512

    fc9ebfb8e183a0bad00f6bc28e999c69929eb545d5a7fd2b1803076137c3ffb89888dc8a4aca113182e35106b7d3f6fd6483cf8ae7752f3d5a2732329a8c045b

  • SSDEEP

    12288:OJz0TrCqVM8UoAs4fg4xbFs9lLaAgev1pS4aCkFdqri9VWQMkbx/yMFqNfuN:mirCkUo8fLBqmze9pS4a7qu9VdMkbIMZ

Score
10/10
netwirebotnetratstealerupx

Malware Config

Extracted

Family

netwire

C2

automan.duckdns.org:3382

Attributes
  • activex_autorun

    false

  • copy_executable

    true

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • install_path

    %AppData%\Install\Host.exe

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • mutex

    HDPAYslj

  • offline_keylogger

    true

  • password

    onelove82

  • registry_autorun

    true

  • startup_name

    NetWire

  • use_mutex

    true

Signatures

  • NetWire RAT payload 13 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Executes dropped EXE 1 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c test.exe
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2024
    • C:\Users\Admin\AppData\Local\Temp\test.exe
      test.exe
      2⤵
      • Executes dropped EXE
      PID:3748
      • C:\Users\Admin\AppData\Roaming\Install\Host.exe
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        3⤵
          PID:3576
    • C:\Users\Admin\AppData\Local\Temp\3a063843b86882f4adc81ec1cdfb7bca.exe
      "C:\Users\Admin\AppData\Local\Temp\3a063843b86882f4adc81ec1cdfb7bca.exe"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:3704

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\test.exe
      Filesize

      92KB

      MD5

      47c2114482c3bd72b7b44da9387235f6

      SHA1

      b8a32b2f8c6102ffa32280c3276a89ff797ad964

      SHA256

      bbc84676f0d5dd49ddccbf60afd38ece5a51d2827e3afce988312789f8934ca0

      SHA512

      f4e12490e39b4f4eb9931bd378af5abc4f385620038cc4dd308e1d769bc4ee5660eb28cb5eacae5f0caa12862636bd9a60bd99457767b8a164c130f20f236bfb

      Download Submit

    • memory/3576-19-0x0000000000400000-0x000000000042B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/3576-21-0x0000000000400000-0x000000000042B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/3576-28-0x0000000000400000-0x000000000042B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/3576-15-0x0000000000400000-0x000000000042B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/3576-16-0x0000000000400000-0x000000000042B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/3576-17-0x0000000000400000-0x000000000042B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/3576-18-0x0000000000400000-0x000000000042B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/3576-27-0x0000000000400000-0x000000000042B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/3576-26-0x0000000000400000-0x000000000042B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/3576-22-0x0000000000400000-0x000000000042B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/3576-20-0x0000000000400000-0x000000000042B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/3576-23-0x0000000000400000-0x000000000042B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/3576-24-0x0000000000400000-0x000000000042B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/3576-25-0x0000000000400000-0x000000000042B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/3704-14-0x0000000000400000-0x000000000055C000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/3704-0-0x0000000000400000-0x000000000055C000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/3748-13-0x0000000000400000-0x000000000042B000-memory.dmp

      Filesize

      172KB

      Download