Overview

overview

10

Static

static

3

c83d319f8b...86.exe

windows7-x64

10

c83d319f8b...86.exe

windows10-2004-x64

7

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

$PLUGINSDI...ib.dll

windows7-x64

3

$PLUGINSDI...ib.dll

windows10-2004-x64

3

$PLUGINSDI...fo.dll

windows7-x64

3

$PLUGINSDI...fo.dll

windows10-2004-x64

3

National-C...2.html

windows7-x64

1

National-C...2.html

windows10-2004-x64

1

challenge.js

windows7-x64

1

challenge.js

windows10-2004-x64

1

maximenuckmobile.js

windows7-x64

1

maximenuckmobile.js

windows10-2004-x64

1

planet-phi...y.html

windows7-x64

1

planet-phi...y.html

windows10-2004-x64

1

template.js

windows7-x64

1

template.js

windows10-2004-x64

1

Analysis

  • max time kernel
    147s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    24-04-2024 20:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c83d319f8b4f4ec7f158298617e52b99cb9cda0603799fc5789b6888791b2d86.exe

  • Size

    185KB

  • MD5

    38a2136cedc0162445b5cec855d85d44

  • SHA1

    71ea45dac1e072ad1afe791c3281d1a94bf71918

  • SHA256

    c83d319f8b4f4ec7f158298617e52b99cb9cda0603799fc5789b6888791b2d86

  • SHA512

    6f48d227588e40122aa44424502c23494b5d6f3b890f8445c69e0221b3e70b8198f3e173932edd59d1b047f944feaeadf3c87f145516550b658ed250c0d3e6e0

  • SSDEEP

    3072:yIWGC7W7BuDcYzIknj3WCW2EW5x45EWAzPAh/iAe4ggheTgmgWWEc9lj2neR6iPE:IGC7W7BUr6AOiAe4gkgHg/n12nS6c5Ml

Score
10/10
netwirebotnetpersistenceratstealer

Malware Config

Extracted

Family

netwire

C2

45.63.76.86:1120

Attributes
  • activex_autorun

    true

  • activex_key

    {1R455CO6-36TS-LD3E-GQ01-UU88VXGO4JBR}

  • copy_executable

    true

  • delete_original

    false

  • host_id

    MaHustlKoNiBaje

  • install_path

    %AllUsersProfile%\Antivirus\VirusCleaner.exe

  • keylogger_dir

    %AllUsersProfile%\Logs\

  • lock_executable

    true

  • mutex

    GkkuSoNR

  • offline_keylogger

    true

  • password

    Password

  • registry_autorun

    true

  • startup_name

    AntiVirusCleaner

  • use_mutex

    true

Signatures

  • NetWire RAT payload 4 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Modifies Installed Components in the registry 2 TTPs 2 IoCs
    persistence
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c83d319f8b4f4ec7f158298617e52b99cb9cda0603799fc5789b6888791b2d86.exe
    "C:\Users\Admin\AppData\Local\Temp\c83d319f8b4f4ec7f158298617e52b99cb9cda0603799fc5789b6888791b2d86.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:3048
    • C:\Users\Admin\AppData\Local\Temp\c83d319f8b4f4ec7f158298617e52b99cb9cda0603799fc5789b6888791b2d86.exe
      "C:\Users\Admin\AppData\Local\Temp\c83d319f8b4f4ec7f158298617e52b99cb9cda0603799fc5789b6888791b2d86.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2556
      • C:\ProgramData\Antivirus\VirusCleaner.exe
        "C:\ProgramData\Antivirus\VirusCleaner.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:2720
        • C:\ProgramData\Antivirus\VirusCleaner.exe
          "C:\ProgramData\Antivirus\VirusCleaner.exe"
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Adds Run key to start application
          PID:2684

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Antivirus\VirusCleaner.exe
    Filesize

    185KB

    MD5

    38a2136cedc0162445b5cec855d85d44

    SHA1

    71ea45dac1e072ad1afe791c3281d1a94bf71918

    SHA256

    c83d319f8b4f4ec7f158298617e52b99cb9cda0603799fc5789b6888791b2d86

    SHA512

    6f48d227588e40122aa44424502c23494b5d6f3b890f8445c69e0221b3e70b8198f3e173932edd59d1b047f944feaeadf3c87f145516550b658ed250c0d3e6e0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\National-Conference-in-Sales-Management-3013382
    Filesize

    17KB

    MD5

    0a4a2e4a24592f8652dbc565c6a66a58

    SHA1

    282d9004cde9e2a676f8228ff561e885cfb7aed5

    SHA256

    0e3feedfdd5aacb3ce08e1973ffd86bd2708998a8339777e20936fce5c1c5264

    SHA512

    f2b76e81302f9bc08fb9edb8e58773c7832bf9485e88dc054657d77b79041c66ca902bb872da1c5c119cd27042e52f09bd6fd3848baf353b674d0fb90894e7b2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Z8zH61Ua.yg
    Filesize

    11KB

    MD5

    63eb8585fe4f1c64f870c8bf881bf4c1

    SHA1

    032062d976b03cf3e0d6ef1946e39fa0ec9d7f01

    SHA256

    06a46711da5a70739d79146fc2127ed9b0bf12b302a6959e0ef8c02aa9382e71

    SHA512

    79f2bebd7e7de4b10973b921a45d5386e0839fc24e2ea8a6c79c00b1e8e90b3c90521c07ee96b820593cf38fdeac83f4c9e0bc0a26cea945f8f47be91ec7926a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\challenge
    Filesize

    8KB

    MD5

    dd1274684075ce70b004944e8129e93d

    SHA1

    1e06992a48a6b74150221a3c0e1a46f4197a248f

    SHA256

    25d21a3a6b617e3a88073aab38c7e896b6e3a6de3ec0a2e71b914282e569f529

    SHA512

    5d4956ebac47779920c3e4347d71a6a719afec9bd271e3898186524a33c8c21358a2b9edf8d560962b863ba10b97d85a606d5b27713188d7495c8227045d227d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\facebook_desktop.jpg
    Filesize

    8KB

    MD5

    a6d7aea12e39ded8bc2f2337888b373f

    SHA1

    46136fd27d6107f8e2adccf70862ea0ef5529010

    SHA256

    b0ddd10ad1c95864b9d14ac063d507d45a3e4c59079530d21591b854ea586abd

    SHA512

    27ef5e43668ba0dfaa5df5eec824f397fb734e65961511bac3829a3d4b82b924d9fb65dc5c3ae58939ff38213dab2fb2e21ff10900ebb73d3cc661bc381be0b0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\flexslider.css
    Filesize

    3KB

    MD5

    b7e2f1e2fcfc0b6352249d393a0d7a9e

    SHA1

    30a9e8ac20e0ca743144ce9cc34a3eb83dc650a8

    SHA256

    504172619913a0335e27cd90f92214e8f33fe11961b856b22d053c57baa7aa6e

    SHA512

    34d4b077432420d64b0a053faf0d8a22191fb8ab0995d7deda071cc77ba2b9025c2ea45998860883ebe9f031d908936ed2ee574b35d5a1136766330af71c7b75

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\maximenuckmobile.js
    Filesize

    6KB

    MD5

    46603c413c393c9575b33f3330afc1ca

    SHA1

    2203cad76739e8a301d5b4eecc1faf928154f152

    SHA256

    6f010f776f492084c332626f6e3edf82846e7461e09dbec84f3413fe7a530c10

    SHA512

    e76ee316a6322351ca727797d93086ede1a37aac5ece47ec7dc95f3106406bc0e20ea8d5523bc9bbf1dad4e3a673fc5649d974bde682aad55d09059635079592

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\planet-philosophy.html
    Filesize

    996B

    MD5

    5cec327786d139b695754039c0a740eb

    SHA1

    5cf1426f7f39ec276ea1b1da9ddc8bf14cff0ee8

    SHA256

    a0c9f40c881627e27cce7fb403b92115345e62a8b34ce2d23357e71d161d7dc2

    SHA512

    0648f0136598436d46ecf272f45fa5bbb5ad66d0f043d289a12f9971aae65bd6ecbeeeb7f070c80ce6fdd223c7b6f7a8e9f07e11d341bc7c7ffcba5b54acd27f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\search_x2.jpg
    Filesize

    2KB

    MD5

    09d6124079f24d0a7244a0df6b0a5f03

    SHA1

    710cb2305c1d5fc3c04481e6be72d34babef111c

    SHA256

    3dfb96687b0848b09705cb3f50994ae36f32bcecfa3a04a17a48f3ef00a894dd

    SHA512

    b337e3a2fe91161b1bdb06ff047e65f08701c4a4997da49e9c20de06823afa25189cf7b8ef7b8f6061a3302a2313da7c345a7d078563ee73f2a4306c83928055

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\template.js
    Filesize

    1KB

    MD5

    5c2caeb64fc97d72abdbb36f0e08eb4d

    SHA1

    f937168b8206e1886d39d98ac0252b019bce33f5

    SHA256

    ce6bb495c89ece63d70d40434176fa04ce5047eeb9e5aace93511aa2954e0038

    SHA512

    360b6a349ccabeebf69de6b3033f2e0f6711fa6c15ace6a58e26baf30749aef88726359ced7686f6794182640b4b15099a9a9b9ab395123b22c60687c6fb2412

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\uBzGy37GaBDacIf7.Ji
    Filesize

    87KB

    MD5

    4879286d9a4bd8533ceceda07bcb9fab

    SHA1

    cc2b89321354de489216535df865c3f9473be41c

    SHA256

    d38cc02e7bdf9e8c7cfccde4aa0cdd88339fd047a8567b2037dd1bb2e2e80e0c

    SHA512

    853f686f5e00e3e8a676b93721ab521c1001827fe3c37513a63cd3f81c7522a19d5d5a30fdd43e67e889c5893a87002ce830bd2d73522e87ad7a70ccdf281791

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nst22BE.tmp\System.dll
    Filesize

    11KB

    MD5

    3e6bf00b3ac976122f982ae2aadb1c51

    SHA1

    caab188f7fdc84d3fdcb2922edeeb5ed576bd31d

    SHA256

    4ff9b2678d698677c5d9732678f9cf53f17290e09d053691aac4cc6e6f595cbe

    SHA512

    1286f05e6a7e6b691f6e479638e7179897598e171b52eb3a3dc0e830415251069d29416b6d1ffc6d7dce8da5625e1479be06db9b7179e7776659c5c1ad6aa706

    Download Submit

  • memory/2556-23-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/2556-21-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/2556-18-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/2684-64-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/3048-20-0x00000000005C0000-0x00000000005C3000-memory.dmp

    Filesize

    12KB

    Download

  • memory/3048-16-0x00000000005C0000-0x00000000005C3000-memory.dmp

    Filesize

    12KB

    Download