Overview

overview

10

Static

static

3

4eb5b6684c...b8.exe

windows7-x64

10

4eb5b6684c...b8.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    0s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/01/2024, 15:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4eb5b6684c39595331f022a4265b8fb8.exe

  • Size

    1.3MB

  • MD5

    4eb5b6684c39595331f022a4265b8fb8

  • SHA1

    5e90672889ecc1dd530d140ddb956f54c5be0f4b

  • SHA256

    1006ff92e3892ac95548a7fc0764deeaa0078ff153dcd6053d889cf9aad19f4b

  • SHA512

    96b9a874467b2bfe8d870c394c05793e69c1b63661558c0187b7cd8febab136c4fad191c3363299dad74da5806e5061ef8a6b83a93cd78c79f13e0b6d82871bf

  • SSDEEP

    24576:lTevS/yMaon/yHrtV0VXDFGjwLS9NFJ/AWid8F/2f7FNRr:IogwLS9NFJ4Wi2F/2f7FN1

Score
10/10
netwirebotnetratstealerupx

Malware Config

Extracted

Family

netwire

C2

love82.duckdns.org:3382

Attributes
  • activex_autorun

    false

  • copy_executable

    true

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • install_path

    %AppData%\Install\Host.exe

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • mutex

    OqvAvPni

  • offline_keylogger

    true

  • password

    onelove82

  • registry_autorun

    true

  • startup_name

    NetWire

  • use_mutex

    true

Signatures

  • NetWire RAT payload 14 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Executes dropped EXE 1 IoCs
  • UPX packed file 21 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4eb5b6684c39595331f022a4265b8fb8.exe
    "C:\Users\Admin\AppData\Local\Temp\4eb5b6684c39595331f022a4265b8fb8.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4844
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c test.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3672
      • C:\Users\Admin\AppData\Local\Temp\test.exe
        test.exe
        3⤵
        • Executes dropped EXE
        PID:1180
        • C:\Users\Admin\AppData\Roaming\Install\Host.exe
          "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
          4⤵
            PID:4116

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\test.exe
      Filesize

      61KB

      MD5

      88d037ca19da4816d60b2e70758cdca4

      SHA1

      c8790ff519881d6aeab25e3ae2d97c57aacb2151

      SHA256

      d7ac965eadd9940fd4c9d63a7e16305b0286ac4b16034da0d5e1ecd9721e0b38

      SHA512

      bd92464032835ad9313fff2399bf59e6d408ab75982c6c47913f93320334c21dbf6a890f69fa2f3b3c5654f5feaa9816dbff94665fa6f0ec9794ed4bf65add88

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\test.exe
      Filesize

      110KB

      MD5

      7ff1dd1d09b8fe4bd99c95f7ab8b4bca

      SHA1

      30153c0338bb30f9e5f11b2053348ba1aefec214

      SHA256

      a087997a3a5311c8648b0051f40ccea7feca2aafdbbed064767d675d6cf9f9e3

      SHA512

      850ef6b1fc89161975c66c44b735dd2f08d5364da049e226d4efed5c39cb9a99315a748ed5460c99766273bc0420f5a0ecef19d7e68e4b25065f4572dfaafe95

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Install\Host.exe
      Filesize

      89KB

      MD5

      821b1ef5c6f05256e1fd90721c4fc748

      SHA1

      938e8d11e646379eb20421b02f356c5d39fbb495

      SHA256

      2576a7b387547a2aeb9c0b94800a780eb0dcfeefb79be2be0e7b1335eae66381

      SHA512

      9f175c9f0c9ca63e013e16aaef7f75340a497a9ee0d500996563c127f8ada667fee2ca71faf0ca2f4ad64cc0b247f0addaae30aa4444ead155c12f2713bf1154

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Install\Host.exe
      Filesize

      85KB

      MD5

      7723a0eca1a01157ea68236336e7df70

      SHA1

      334d6125e20fa20ab6aa5e3249a61c4ea86ad578

      SHA256

      7cee3cc213486b32ab6fb1d54b06b30309b173b745a886f21f5b6f05f4c4ec5a

      SHA512

      3ee6a53c98b53e11c4df82ba2131cb76df497db2122164d867523cadff465cc9a45572b9cf7caa9fe333fef8aca7b498a73cc6a71c29e83ce53665a5deeed175

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Install\Host.exe
      Filesize

      111KB

      MD5

      988716f1ec54b3af4739240cc0435069

      SHA1

      34cd783da5e24f000479f175d8fb8b43ef5b1e5d

      SHA256

      d978c2afd0eac60dc8ea3421ef4745d793ae9369f05bf4f0b04e03c88d3b9723

      SHA512

      9140000b10473f33b30195d72bdc57236d74221e59caf344c714624a6ad4bb7bc9c4ef13c31a77559fea878d10b9a107e693cc88cf320d714e8ac033d432ca3d

      Download Submit

    • memory/1180-4-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/1180-12-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/4116-22-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/4116-21-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/4116-16-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/4116-17-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/4116-18-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/4116-19-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/4116-20-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/4116-14-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/4116-29-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/4116-24-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/4116-25-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/4116-26-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/4116-27-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/4116-28-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/4844-15-0x0000000000400000-0x000000000054D000-memory.dmp

      Filesize

      1.3MB

      Download