Overview

overview

10

Static

static

3

9be6abe91d...36.exe

windows7-x64

10

9be6abe91d...36.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-04-2024 01:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9be6abe91db5212e333a086a8f9db157c08f7cf1eeb9020f6cf13444ddab8036.exe

  • Size

    467KB

  • MD5

    6fc817f7c53beea30c55d55779cef31d

  • SHA1

    ec9f6005ccbc9b8f3286445e9d071c3f3751d52b

  • SHA256

    9be6abe91db5212e333a086a8f9db157c08f7cf1eeb9020f6cf13444ddab8036

  • SHA512

    5ecbe0be020007f8deb7b9471a23345863368a149790ca026517831339d167c37a50c65a91c449cdae1d090d17cc31638298fa5a98ac99feff6f77587cbea0f4

  • SSDEEP

    6144:j2OGscfKNO6bRDnqY9Nt3o9LresPnp4v26BEWwmJR5QeV3rQCVsOI0XlAU9k:27fKNx9+Wz0OsKVElwLVO0XlF9k

Score
10/10
netwirebotnetpersistenceratstealer

Malware Config

Extracted

Family

netwire

C2

dnsresoIve.ns01.US:15111

dnsresolve.srz2l6.com:15111

PLUGINUPDATES.duckdns.org:15111

updateavlocalgenuine.com:15111

localupdate.ns02.info:15111

dnsresolve.nsl1.cc:15111

dnsresolve.srs8l2.com:15111
Attributes
  • activex_autorun

    false

  • activex_key

    {A3N5KUJ4-U7S4-6J45-1DJ6-32HM4W8Q0615}

  • copy_executable

    false

  • delete_original

    false

  • host_id

    AVR-goK2Sm

  • lock_executable

    false

  • offline_keylogger

    false

  • password

    DuleX

  • registry_autorun

    false

  • use_mutex

    false

Signatures

  • NetWire RAT payload 3 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 3 IoCs
  • Detects executables packed with MEW 6 IoCs
  • Modifies Installed Components in the registry 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9be6abe91db5212e333a086a8f9db157c08f7cf1eeb9020f6cf13444ddab8036.exe
    "C:\Users\Admin\AppData\Local\Temp\9be6abe91db5212e333a086a8f9db157c08f7cf1eeb9020f6cf13444ddab8036.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3912
    • C:\Users\Admin\AppData\Local\Temp\9be6abe91db5212e333a086a8f9db157c08f7cf1eeb9020f6cf13444ddab8036.exe
      "C:\Users\Admin\AppData\Local\Temp\9be6abe91db5212e333a086a8f9db157c08f7cf1eeb9020f6cf13444ddab8036.exe"
      2⤵
      • Modifies Installed Components in the registry
      PID:2944

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2944-0-0x0000000000400000-0x000000000046D000-memory.dmp

    Filesize

    436KB

    Download

  • memory/2944-1-0x0000000000400000-0x000000000046D000-memory.dmp

    Filesize

    436KB

    Download

  • memory/2944-6-0x0000000000400000-0x000000000046D000-memory.dmp

    Filesize

    436KB

    Download

  • memory/2944-7-0x0000000000400000-0x000000000046D000-memory.dmp

    Filesize

    436KB

    Download

  • memory/2944-9-0x0000000000400000-0x000000000046D000-memory.dmp

    Filesize

    436KB

    Download

  • memory/2944-16-0x0000000000400000-0x000000000046D000-memory.dmp

    Filesize

    436KB

    Download

  • memory/3912-2-0x0000000002210000-0x0000000002211000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3912-5-0x0000000000400000-0x000000000047B000-memory.dmp

    Filesize

    492KB

    Download