Overview

overview

10

Static

static

3

1c95e2de3b...41.exe

windows7-x64

10

1c95e2de3b...41.exe

windows10-2004-x64

10

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

SFhelper.dll

windows7-x64

1

SFhelper.dll

windows10-2004-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    1c95e2de3bca3fea01374b156e547a840d0adf592d7ef17155c54fcbc6d69841

  • Size

    183KB

  • Sample

    240624-k4rfrsvcnd

  • MD5

    20ddd5396553be13fef4c8e6b2b481e9

  • SHA1

    6b109b238c1245c7e81fe0b4a2e2859450e375b6

  • SHA256

    1c95e2de3bca3fea01374b156e547a840d0adf592d7ef17155c54fcbc6d69841

  • SHA512

    ecb41f267006bf879698376c91d9f5b07537a0cbee0240d631b931a5838376f38e86f6328e22c47520080918a72a397194e3c80f26bfb6496a2a7c9ebffc7d9a

  • SSDEEP

    3072:m8Dsp+FNX1dFOvDlXJu545fL0MgJekMBdSSe/cIN7hIWaWk14FiFTFslv:m8dNXSE5QL0MglEtYcIZLtswlv

Score
10/10
netwirebotnetpersistenceratstealer

Malware Config

Extracted

Family

netwire

C2

123.242.227.5:443

Attributes
  • activex_autorun

    false

  • copy_executable

    true

  • delete_original

    false

  • host_id

    INTECHNGC-%Rand%

  • install_path

    %AppData%\Eggs\ngcservices.exe

  • keylogger_dir

    %AppData%\EggWriter\

  • lock_executable

    false

  • mutex

    PisPfLxv

  • offline_keylogger

    true

  • password

    letmein

  • registry_autorun

    true

  • startup_name

    EggProducts

  • use_mutex

    true

Targets

    • Target

      1c95e2de3bca3fea01374b156e547a840d0adf592d7ef17155c54fcbc6d69841

    • Size

      183KB

    • MD5

      20ddd5396553be13fef4c8e6b2b481e9

    • SHA1

      6b109b238c1245c7e81fe0b4a2e2859450e375b6

    • SHA256

      1c95e2de3bca3fea01374b156e547a840d0adf592d7ef17155c54fcbc6d69841

    • SHA512

      ecb41f267006bf879698376c91d9f5b07537a0cbee0240d631b931a5838376f38e86f6328e22c47520080918a72a397194e3c80f26bfb6496a2a7c9ebffc7d9a

    • SSDEEP

      3072:m8Dsp+FNX1dFOvDlXJu545fL0MgJekMBdSSe/cIN7hIWaWk14FiFTFslv:m8dNXSE5QL0MglEtYcIZLtswlv

    Score
    10/10
    netwirebotnetpersistenceratstealer

    • NetWire RAT payload

      rat

    • Netwire

      Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

      botnetstealernetwire

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      $PLUGINSDIR/System.dll

    • Size

      11KB

    • MD5

      883eff06ac96966270731e4e22817e11

    • SHA1

      523c87c98236cbc04430e87ec19b977595092ac8

    • SHA256

      44e5dfd551b38e886214bd6b9c8ee913c4c4d1f085a6575d97c3e892b925da82

    • SHA512

      60333253342476911c84bbc1d9bf8a29f811207787fdd6107dce8d2b6e031669303f28133ffc811971ed7792087fe90fb1faabc0af4e91c298ba51e28109a390

    • SSDEEP

      96:UPDYcJ+nx4vVp76JX7zBlkCg21Fxz4THxtrqw1at0JgwLEjo+OB3yUVCdl/wNj+l:UPtkuWJX7zB3kGwfy0nyUVsxCjOMb1u

    Score
    3/10
    behavioral3behavioral4

    • Target

      SFhelper.dll

    • Size

      60KB

    • MD5

      a2f3195a34dfb07900fc784a32a37d3f

    • SHA1

      7e60c4ec6e1aece0de663f5ca614d22a77cc680b

    • SHA256

      c0234f29167c2d0b6284dd3a32a0a6c1ab9bbd2f2475ccf5c3e758d4070835ea

    • SHA512

      3aaaebdad04878af5a9692308b1ee7f91dd6682f9b046a23e803001bb6df5b87550a06c1c3b4be93169a582935859e3af0fce2947e01d56ead3bb204a9458c55

    • SSDEEP

      1536:6QkiaCePX+reI3QkQpWhuVXSigCWgOQgrfqC:6QkiDePiP3mpWwVXSigKONL

    Score
    3/10
    behavioral5behavioral6

MITRE ATT&CK Enterprise v15

Tasks