Overview

overview

10

Static

static

3

Skan Potwi...DF.exe

windows7-x64

10

Skan Potwi...DF.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    15-06-2024 06:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Skan Potwierdzenia.PDF.exe

  • Size

    128KB

  • MD5

    14395ac904015c1ca1ccb42df80a1859

  • SHA1

    781bcb5596fbcdaaa998ab77b4621c1000393fbd

  • SHA256

    0c141c1fe62782cb78e70d7c57a7b7d07b26a93ee058d271ff7f2fe4c04bfef3

  • SHA512

    a8a7c54725c7803ee4da2d7afcbdf52de21faa1567fa46545c4b3b20c4909d110fa7ee356a84d53554660ea32bdde7f7108b6071c7121c9c7ee9a6275cdd8274

  • SSDEEP

    3072:AsiXMqGmeABs/iOQlQF0fZyq/pRPFQrQKO854:BiRGzDB8MEptaO24

Score
10/10
netwirebotnetpersistenceratstealer

Malware Config

Extracted

Family

netwire

C2

213.152.162.165:8747

109.202.107.15:8747

213.152.161.117:8747

213.152.161.229:8747

213.152.161.181:8747

37.233.101.73:5555

213.152.162.165:8733

213.152.161.117:8733

213.152.161.229:8733

213.152.161.165:8733

213.152.161.181:8733
Attributes
  • activex_autorun

    true

  • activex_key

    {N2P3036X-0CS1-AM05-7POW-541S3F314Q84}

  • copy_executable

    true

  • delete_original

    true

  • host_id

    03.23

  • install_path

    %AppData%\Install\Host.exe

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    true

  • mutex

    vvvbljPv

  • offline_keylogger

    true

  • password

    Mojekurwajebaneboty666

  • registry_autorun

    true

  • startup_name

    sys

  • use_mutex

    true

Signatures

  • NetWire RAT payload 6 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Modifies Installed Components in the registry 2 TTPs 2 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Skan Potwierdzenia.PDF.exe
    "C:\Users\Admin\AppData\Local\Temp\Skan Potwierdzenia.PDF.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2180
    • C:\Users\Admin\AppData\Roaming\Install\Host.exe
      -m "C:\Users\Admin\AppData\Local\Temp\Skan Potwierdzenia.PDF.exe"
      2⤵
      • Modifies Installed Components in the registry
      • Deletes itself
      • Executes dropped EXE
      • Adds Run key to start application
      PID:1184

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Roaming\Install\Host.exe
    Filesize

    128KB

    MD5

    14395ac904015c1ca1ccb42df80a1859

    SHA1

    781bcb5596fbcdaaa998ab77b4621c1000393fbd

    SHA256

    0c141c1fe62782cb78e70d7c57a7b7d07b26a93ee058d271ff7f2fe4c04bfef3

    SHA512

    a8a7c54725c7803ee4da2d7afcbdf52de21faa1567fa46545c4b3b20c4909d110fa7ee356a84d53554660ea32bdde7f7108b6071c7121c9c7ee9a6275cdd8274

    Download Submit

  • memory/1184-10-0x0000000000400000-0x0000000000437000-memory.dmp

    Filesize

    220KB

    Download

  • memory/1184-13-0x0000000000400000-0x0000000000437000-memory.dmp

    Filesize

    220KB

    Download

  • memory/1184-14-0x0000000000400000-0x0000000000437000-memory.dmp

    Filesize

    220KB

    Download

  • memory/1184-24-0x0000000000400000-0x0000000000437000-memory.dmp

    Filesize

    220KB

    Download

  • memory/2180-1-0x00000000002A0000-0x00000000003A0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2180-3-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2180-8-0x0000000000400000-0x0000000000437000-memory.dmp

    Filesize

    220KB

    Download