Overview

overview

10

Static

static

3

d8d4a25dd4...9b.exe

windows7-x64

10

d8d4a25dd4...9b.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    d8d4a25dd484e96413ff9530e93621af5c53e96cf2b0435968f5fc72dad85d9b.zip

  • Size

    219KB

  • Sample

    240402-q6r3zacb81

  • MD5

    d6491bd913bf9ee36fb5d840c09b32d9

  • SHA1

    9836b690a855295b21380c4e3c45fd07509fff1e

  • SHA256

    ea28962af1af27a7300b82d8d63da8586bcc175fbf4502b769eefcfa5c258ac7

  • SHA512

    8623ff76842a5ced31c8800546259c2e57f24f05e0656f37ae9643b3aeddc3156a4a66a0c87345f027258822f0d420b9b66388198750bd9c0d30ff208934e9ca

  • SSDEEP

    3072:vyQq9aAz8MufkJ2r0VwsljJJBQ0584qI3IQodEjViwI5Y8iurXQsa3AIWmxs+L5y:apayvAEQ8KX4s3mRIu8hQ33AIWMKWVE

Score
10/10
netwirebotnetratstealer

Malware Config

Extracted

Family

netwire

C2

forgiveme.workisboring.com:3360

Attributes
  • activex_autorun

    true

  • activex_key

    {TN38RH36-U670-03U7-57DE-24XMTWQBHGH1}

  • copy_executable

    true

  • delete_original

    false

  • host_id

    bendal

  • install_path

    %AppData%\Install\Host.exe

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • offline_keylogger

    true

  • password

    Password

  • registry_autorun

    true

  • startup_name

    centosffjk

  • use_mutex

    false

Targets

    • Target

      d8d4a25dd484e96413ff9530e93621af5c53e96cf2b0435968f5fc72dad85d9b.exe

    • Size

      432KB

    • MD5

      9b07a0fdaa64049e857b3982eeb3a575

    • SHA1

      63d7d2eefd78ee4736243c8e32c305366603c579

    • SHA256

      d8d4a25dd484e96413ff9530e93621af5c53e96cf2b0435968f5fc72dad85d9b

    • SHA512

      49db3c66ee829534937ba0cc8f62f568cc04891b141e402d5c2c7961335efbd453f33bc57b218f9cf609b4a665df4b31810d4215d6e994c03934264b184c770a

    • SSDEEP

      6144:SPn3xY3d6ND9D/S4mAC09X1Qd6pOzWqGLDUz7j42W3Llin:SLNoS1Y6pq1AUvjW3Un

    Score
    10/10
    netwirebotnetratstealer

    • NetWire RAT payload

      rat

    • Netwire

      Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

      botnetstealernetwire

    • Executes dropped EXE

    • Loads dropped DLL

    behavioral1behavioral2

MITRE ATT&CK Matrix

Tasks