Overview

overview

10

Static

static

10

RAT/Adwind.jar

windows7-x64

1

RAT/Adwind.jar

windows10-2004-x64

10

RAT/Blackkomet.exe

windows7-x64

10

RAT/Blackkomet.exe

windows10-2004-x64

10

RAT/CobaltStrike.docm

windows7-x64

10

RAT/CobaltStrike.docm

windows10-2004-x64

10

RAT/CrimsonRAT.exe

windows7-x64

10

RAT/CrimsonRAT.exe

windows10-2004-x64

10

RAT/NJRat.exe

windows7-x64

10

RAT/NJRat.exe

windows10-2004-x64

10

RAT/NetWire.doc

windows7-x64

10

RAT/NetWire.doc

windows10-2004-x64

7

RAT/NetWire.exe

windows7-x64

10

RAT/NetWire.exe

windows10-2004-x64

10

RAT/Remcos.exe

windows7-x64

10

RAT/Remcos.exe

windows10-2004-x64

10

RAT/RevengeRAT.exe

windows7-x64

10

RAT/RevengeRAT.exe

windows10-2004-x64

10

RAT/VanToM-Rat.exe

windows7-x64

7

RAT/VanToM-Rat.exe

windows10-2004-x64

7

RAT/WarzoneRAT.exe

windows7-x64

10

RAT/WarzoneRAT.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    03-03-2024 01:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    RAT/NetWire.exe

  • Size

    1.2MB

  • MD5

    7621f79a7f66c25ad6c636d5248abeb9

  • SHA1

    98304e41f82c3aee82213a286abdee9abf79bcce

  • SHA256

    086d35f26bd2fd886e99744960b394d94e74133c40145a3e2bc6b3877b91ec5d

  • SHA512

    59ffcf6eeac00c089e9c77192663d0dc97b2e62cedb6d64fe7dc2e67499abc34e33977e05113c9d39ca6d3e37e8b5c3e6aa926c8526215808b147c0152f7dbfd

  • SSDEEP

    24576:nBlDgE7EmXWAqSvg439vGSVNe1/hqIiHSvd7:n7DlC+GSjiBiyF

Score
10/10
modiloadernetwirebotnetpersistenceratstealertrojan

Malware Config

Extracted

Family

modiloader

C2

https://drive.google.com/u/0/uc?id=1TcSctGVBajYMA7CFDc158wpvqkpxmkhJ&export=download

Extracted

Family

netwire

C2

tamerimia.ug:6975

vbchjfssdfcxbcver.ru:6975
Attributes
  • activex_autorun

    false

  • copy_executable

    false

  • delete_original

    false

  • host_id

    AAAAA

  • lock_executable

    false

  • mutex

    CQbRXVuG

  • offline_keylogger

    false

  • password

    jhbkdcfgvdfgknl

  • registry_autorun

    false

  • use_mutex

    true

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • NetWire RAT payload 2 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • ModiLoader First Stage 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry key 1 TTPs 3 IoCs
  • Script User-Agent 2 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\RAT\NetWire.exe
    "C:\Users\Admin\AppData\Local\Temp\RAT\NetWire.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2208
    • C:\Users\Admin\AppData\Local\Temp\RAT\NetWire.exe
      "C:\Users\Admin\AppData\Local\Temp\RAT\NetWire.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      PID:2744
      • C:\Windows\SysWOW64\Notepad.exe
        C:\Windows\System32\Notepad.exe
        3⤵
          PID:3324
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c ""C:\Users\Public\Natso.bat" "
            4⤵
              PID:3716
              • C:\Windows\SysWOW64\reg.exe
                reg delete hkcu\Environment /v windir /f
                5⤵
                • Modifies registry key
                PID:3712
              • C:\Windows\SysWOW64\reg.exe
                reg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\x.bat reg delete hkcu\Environment /v windir /f && REM "
                5⤵
                • Modifies registry key
                PID:3776
              • C:\Windows\SysWOW64\schtasks.exe
                schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I
                5⤵
                  PID:3800
                • C:\Windows\SysWOW64\reg.exe
                  reg delete hkcu\Environment /v windir /f
                  5⤵
                  • Modifies registry key
                  PID:4032
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c ""C:\Users\Public\Runex.bat" "
                4⤵
                  PID:2716
                  • C:\Windows \System32\fodhelper.exe
                    "C:\Windows \System32\fodhelper.exe"
                    5⤵
                    • Executes dropped EXE
                    PID:1828
                  • C:\Windows \System32\fodhelper.exe
                    "C:\Windows \System32\fodhelper.exe"
                    5⤵
                    • Executes dropped EXE
                    PID:1480
              • C:\Program Files (x86)\internet explorer\ieinstal.exe
                "C:\Program Files (x86)\internet explorer\ieinstal.exe"
                3⤵
                  PID:3784

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Public\Natso.bat
              Filesize

              283B

              MD5

              5cc1682955fd9f5800a8f1530c9a4334

              SHA1

              e09b6a4d729f2f4760ee42520ec30c3192c85548

              SHA256

              5562cc607d2f698327efacc4a21bd079bb14a99b03e7a01b3c67f8440e341cb3

              SHA512

              80767263aad44c739236161d4338d5dd8b0b58613f22cd173c3e88ebf143220ee56bbf93ace69a07d3c2f00daff0adbaa8461a1d53d12699725395c931c43cb6

              Download Submit

            • C:\Users\Public\Runex.bat
              Filesize

              226B

              MD5

              f6828e22e6abe87c624e4683fac5889b

              SHA1

              b93d63354d4ddb226dab90955576a6d2cad05ba0

              SHA256

              e1b1884353a51436f90dfed9f85ed9dd98fccfbd13dee7aa54fd901f77fe5e9c

              SHA512

              26afb36afcb3f286b85ebd72061e26f84c33075d3d0767cc93f50ec414a85838c86049e0c56ff43011d1a309b98ae355cbe412203429ac243010dc971ac81ec1

              Download Submit

            • C:\Users\Public\fodhelper.exe
              Filesize

              46KB

              MD5

              7215c73ec1aae35b9e4b1f22c811f85c

              SHA1

              98551f5184691b65dceba531c4e4975d77cd25a5

              SHA256

              7e80da8d839dcf05e30317256460ed7a4ee25cab2750d768569aaab35e1e8c64

              SHA512

              b68eed48dbd32e485fd56b952e3e642f25f1eefe26ea533b13857e225272ee9668c39552284a438175a323d1685a80d9f878ef0637b5d928bb1e1ed1ac505d61

              Download Submit

            • C:\Users\Public\propsys.dll
              Filesize

              108KB

              MD5

              487766bf2f0add388cb123d1ef7ece46

              SHA1

              766564c04d9e8a6745baa2ad28da5d68ad1d79bf

              SHA256

              fa5d5f9bd3a3aece8941e52a00d05db8910d3332f4f276bc03663c7944ae11cb

              SHA512

              3b5c285c4eb749c5e34405b38e146e9fc3fe28c535ee12c4e0f075e167768f37b588e50c2dbd43a27b67b11e7483ad51fcd6b6e7638059dd40bc303c664a8a7e

              Download Submit

            • memory/2208-0-0x00000000003C0000-0x00000000003C1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2716-5425-0x00000000022A0000-0x00000000022A1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2744-8-0x00000000001E0000-0x00000000001E1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2744-4258-0x0000000010410000-0x000000001047E000-memory.dmp

              Filesize

              440KB

              Download

            • memory/2744-4215-0x0000000010410000-0x000000001047E000-memory.dmp

              Filesize

              440KB

              Download

            • memory/2744-2-0x00000000001C0000-0x00000000001C1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2744-17-0x0000000000360000-0x0000000000361000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3324-4260-0x00000000001C0000-0x00000000001C1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3324-5357-0x0000000010480000-0x00000000104C4000-memory.dmp

              Filesize

              272KB

              Download

            • memory/3324-4294-0x00000000002E0000-0x00000000002E1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3324-4230-0x00000000000C0000-0x00000000000C1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3324-4227-0x0000000000080000-0x0000000000081000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3324-5431-0x0000000010480000-0x00000000104C4000-memory.dmp

              Filesize

              272KB

              Download

            • memory/3324-5440-0x0000000010480000-0x00000000104C4000-memory.dmp

              Filesize

              272KB

              Download

            • memory/3784-5386-0x0000000000400000-0x0000000000433000-memory.dmp

              Filesize

              204KB

              Download

            • memory/3784-5435-0x0000000000400000-0x0000000000433000-memory.dmp

              Filesize

              204KB

              Download