Overview

overview

10

Static

static

3

SHIPPING D...TS.exe

windows7-x64

10

SHIPPING D...TS.exe

windows10-2004-x64

9

Sharing

Copy URL
Twitter E-mail

General

  • Target

    93468b5e05bf23494fc3d98ff6177fce_JaffaCakes118

  • Size

    474KB

  • Sample

    240813-qq2mgawcrh

  • MD5

    93468b5e05bf23494fc3d98ff6177fce

  • SHA1

    4a23e7171433f01a1c38a75022c8c7bdaa63d1ca

  • SHA256

    ee1ae389aa71260288e7ea3986e4d94d59a88ff535fa3d93647ec3da6e84c009

  • SHA512

    e4c210ac077ce9cf1fe4d9cc18cba5a8f4b178dcc5af5aeb489237bca521d44335ca169e36656bce88ae65e0e32643bd2358556c67b5f434636dac355d9f4d9f

  • SSDEEP

    12288:aD3rpMI0lj70gb0yx4Fo821KLADaKjF9i/Zx2s:OMdPx4H21Ki3i/Zgs

Score
10/10
netwirebotnetdiscoveryevasionpersistenceratstealer

Malware Config

Extracted

Family

netwire

C2

tolatilb.hopto.org:5670

Attributes
  • activex_autorun

    true

  • activex_key

    {ARKWV8XR-0V11-5L31-Q3I6-515D7K30E4DC}

  • copy_executable

    false

  • delete_original

    false

  • host_id

    ZIX

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • mutex

    JHhxVwqP

  • offline_keylogger

    true

  • password

    Password

  • registry_autorun

    true

  • startup_name

    NetWire

  • use_mutex

    true

Targets

    • Target

      SHIPPING DOCUMENTS.exe

    • Size

      719KB

    • MD5

      73c8dc59cfccfba80cce3a49581b4bda

    • SHA1

      6eeea6102a8e567a3a8131848071d30c914cb157

    • SHA256

      7b008555d37ba7bf03a502e216f6c822e36fd6fe9a8299bd6fd5fe66bbfb412a

    • SHA512

      dbd423ec1aab93e9248cfc9881ba103dc0715435ab9f22db7f955430b4d53c19efae5d68cb1058ce732284937b3e212ef429430c2dadc744d09b4ed21a1a76d9

    • SSDEEP

      12288:WJ8ql1aT4cYRt4ytVRO2xS5tMSnBZ0ihPw+OZi9709iDACMBPTGtT4APgV:u8ql4T4nU0RO2xScSBSKfOZ

    Score
    10/10
    netwirebotnetdiscoveryevasionpersistenceratstealer

    • NetWire RAT payload

      rat

    • Netwire

      Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

      botnetstealernetwire

    • Looks for VirtualBox Guest Additions in registry

      evasion

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

      persistence

    • Looks for VMWare Tools registry key

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Uses the VBS compiler for execution

    • Adds Run key to start application

      persistence

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1
T1064

Persistence

Boot or Logon Autostart Execution

2
T1547

Active Setup

1
T1547.014

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Active Setup

1
T1547.014

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

2
T1112

Scripting

1
T1064

Virtualization/Sandbox Evasion

2
T1497

Credential Access

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

4
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Virtualization/Sandbox Evasion

2
T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks