General

  • Target: a5552237bf0ede9675b646aea11141c7763ed882fc8dbfe1b036f6347fe98ad3
  • Size: 495KB
  • Sample: 240226-1vskgahb53
  • MD5: b48f191956b17605899eec0ae1ae255e
  • SHA1: 3596126e49ff1ca312b8a2c036976d6f44a5cdbf
  • SHA256: a5552237bf0ede9675b646aea11141c7763ed882fc8dbfe1b036f6347fe98ad3
  • SHA512: a686323d7d2c6ef0858f2b7cfc20de8d49a2dda723dfd8b50d84677d9a29dc3b52046c2e4b964445d594f6a358abe11a7e89e95a63e4e33f9e7fcba27c6f3cf8
  • SSDEEP: 6144:IGiZdPcmSA8PTFZ95of0ZcG6g/TQ6nLnxXx0ME/vG0o+srNodb0FA+/yYNqnTU:gdPcmSAQhZ95E0X9xhUm0+N12+/yYKU

Malware Config

Extracted

  • Family: netwire
  • C2: 194.147.140.14:4550

Attributes
  • activex_autorun: false
  • copy_executable: false
  • delete_original: false
  • host_id: THANA
  • lock_executable: false
  • offline_keylogger: false
  • password: DrvbK8mdyY4F6Uh
  • registry_autorun: false
  • use_mutex: false

Targets

    • Target: a5552237bf0ede9675b646aea11141c7763ed882fc8dbfe1b036f6347fe98ad3 (495KB; MD5, SHA1, SHA256, SHA512 and SSDEEP identical to the General section above)

    • NetWire RAT payload

    • Netwire

      Netwire is a RAT whose main functionality is password stealing and keylogging, but it also includes remote control capabilities.

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target: ovxufjxjbx.exe
    • Size: 167KB
    • MD5: b71cd76dee505d8c2e7da40d137a333c
    • SHA1: 29db72bb8d7b46d9f960d8e2b910b757692e2e42
    • SHA256: 3058527607e7cba0c4c1e5c5195b1db11898dae1fedd39c45255871da0c2a6ff
    • SHA512: b041e5724fa55539e0eeaa56f5bb6f754ab307fe11a9f1aec394644cf3db8a51d5356b4e0c75feb217a4c7ff603ff319c6a5cffc1b1f70d735504ae5e1a25fc4
    • SSDEEP: 3072:/HcJkzXn7gvCaJJoEe47kmkR8tf8E3znr5pb:/fX8aMoEdKLS

    Score: 3/10

MITRE ATT&CK Enterprise v15

Tasks