Overview

overview

10

Static

static

7

7bc0c3b8de...81.exe

windows7-x64

10

7bc0c3b8de...81.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    119s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    28/01/2024, 01:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7bc0c3b8dedcdaf2469d023b237ca681.exe

  • Size

    584KB

  • MD5

    7bc0c3b8dedcdaf2469d023b237ca681

  • SHA1

    4620c1ab949f42762f3578f67d656d8761899358

  • SHA256

    8280ae0f658012a4fad6f3d1371818e8667488ea20af33549746e291d103c841

  • SHA512

    7844f1ba24b0528eaf500bc104035f60acd9e0b9e8b79a8862f308fe6b978e887d4917d626fccf1ea2503555a59b5428c1bf98d8d4ffdfde838ebcc75ca4c875

  • SSDEEP

    12288:+Xe9PPlowWX0t6mOQwg1Qd15CcYk0We1wPOs+pTF4/rAM7skeZPqJMv:ThloDX0XOf4hDTqkM70PqCv

Score
10/10
netwirebotnetratstealerupx

Malware Config

Extracted

Family

netwire

C2

godisgood247.duckdns.org:5493

Attributes
  • activex_autorun

    false

  • copy_executable

    false

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • offline_keylogger

    true

  • password

    Password

  • registry_autorun

    false

  • use_mutex

    false

Signatures

  • NetWire RAT payload 1 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7bc0c3b8dedcdaf2469d023b237ca681.exe
    "C:\Users\Admin\AppData\Local\Temp\7bc0c3b8dedcdaf2469d023b237ca681.exe"
    1⤵
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:2240
    • C:\Users\Admin\AppData\Local\Temp\7bc0c3b8dedcdaf2469d023b237ca681.exe
      "C:\Users\Admin\AppData\Local\Temp\7bc0c3b8dedcdaf2469d023b237ca681.exe"
      2⤵
        PID:2768

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\xexoyaapmzvp
      Filesize

      216KB

      MD5

      fb27e710a2e53f2fecc04dfcfeffe007

      SHA1

      bf8df0993c42c4770049a43438ca77b9b0df977e

      SHA256

      bacf5ae6e13dcebbc6e00e6289ca08f73e419f8bcd1fb46175379db802408e7a

      SHA512

      af80be0d8b8f9dbe0f8ecd38505e8e44f8eba949abf872b8b438260e560cabf04a2e9b48017ae5a744df7c5f3efc6b4ce3a567f9a96dab6ebea994a943e6388e

      Download Submit

    • memory/2240-0-0x0000000000400000-0x0000000000554000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/2240-8-0x0000000000A00000-0x0000000000A02000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2240-7-0x0000000000970000-0x0000000000971000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2240-9-0x0000000003230000-0x0000000003384000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/2240-11-0x0000000000400000-0x0000000000554000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/2768-10-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download