Overview

overview

10

Static

static

3

9bcd5d3211...47.exe

windows7-x64

10

9bcd5d3211...47.exe

windows10-2004-x64

7

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    9bcd5d32119ad1849d84c332dc796813d311eef4669f8f5f9fda9bb214dd8247

  • Size

    252KB

  • Sample

    240410-p585esgd67

  • MD5

    017ba3cb35528108f6c4e05db99f3572

  • SHA1

    e9f0be4cf478b2747e8a510e739b3c5b47b84f13

  • SHA256

    9bcd5d32119ad1849d84c332dc796813d311eef4669f8f5f9fda9bb214dd8247

  • SHA512

    67698b293e1fea90877d7ccc24114a1239d8751099ae27734856c0058d32b18128cdfc018c3efb3f2b93a23e8deba1d79fec675e20fe03cadd619fdc8b5947c6

  • SSDEEP

    6144:dtZVrgwrOgHFDHCZ9ZeGPULclm1TmI4/eE:7bQfeGAgxkE

Score
10/10
netwiresalitybackdoorbotnetevasionratstealertrojanupx

Malware Config

Extracted

Family

netwire

C2

noreply2host.duckdns.org:83

Attributes
  • activex_autorun

    false

  • copy_executable

    true

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • install_path

    %AppData%\Install\Hostdyn.exe

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • mutex

    jXEwUDTB

  • offline_keylogger

    true

  • password

    Snoopy123

  • registry_autorun

    true

  • startup_name

    Hostdyn

  • use_mutex

    true

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

http://klkjwre77638dfqwieuoi888.info/

Targets

    • Target

      9bcd5d32119ad1849d84c332dc796813d311eef4669f8f5f9fda9bb214dd8247

    • Size

      252KB

    • MD5

      017ba3cb35528108f6c4e05db99f3572

    • SHA1

      e9f0be4cf478b2747e8a510e739b3c5b47b84f13

    • SHA256

      9bcd5d32119ad1849d84c332dc796813d311eef4669f8f5f9fda9bb214dd8247

    • SHA512

      67698b293e1fea90877d7ccc24114a1239d8751099ae27734856c0058d32b18128cdfc018c3efb3f2b93a23e8deba1d79fec675e20fe03cadd619fdc8b5947c6

    • SSDEEP

      6144:dtZVrgwrOgHFDHCZ9ZeGPULclm1TmI4/eE:7bQfeGAgxkE

    Score
    10/10
    netwiresalitybackdoorbotnetevasionratstealertrojanupx

    • Modifies firewall policy service

      evasion

    • NetWire RAT payload

      rat

    • Netwire

      Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

      botnetstealernetwire

    • Sality

      Sality is backdoor written in C++, first discovered in 2003.

      backdoorsality

    • UAC bypass

      evasiontrojan

    • Windows security bypass

      evasiontrojan

    • Disables RegEdit via registry modification

      evasion

    • Disables Task Manager via registry modification

      evasion

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Windows security modification

      evasiontrojan

    • Checks whether UAC is enabled

      evasiontrojan

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      $PLUGINSDIR/System.dll

    • Size

      11KB

    • MD5

      0063d48afe5a0cdc02833145667b6641

    • SHA1

      e7eb614805d183ecb1127c62decb1a6be1b4f7a8

    • SHA256

      ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7

    • SHA512

      71cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0

    • SSDEEP

      192:qPtkiQJr7V9r3HcU17S8g1w5xzWxy6j2V7i77blbTc4U:F7VpNo8gmOyRsVc4

    Score
    3/10
    behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Tasks