Overview

overview

10

Static

static

3

Eurobelt R...DF.exe

windows7-x64

10

Eurobelt R...DF.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-08-2024 21:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Eurobelt RFQ 203345_20200626100122637_PDF.exe

  • Size

    566KB

  • MD5

    e84685ec0b33fb56abead1aaf166b8ad

  • SHA1

    ea3d03757c1d1c053abe433a28fedc48eb28a6a1

  • SHA256

    e6db6d5f9019bdefffc749264a267c1927dcf5eba5a7ea3dfb10db457b6b2a16

  • SHA512

    49285b13846735cc76d7cd9c2af1e33156c7bcb90ada17e95dadb1b28c86086287813c90bc20640876035de180487622a40b85b96196faefb28bd256eebf578a

  • SSDEEP

    12288:9crNS33L10QdrXP/X+tGfnF2gqm1BRNWXlLslygCoPk6iS:ANA3R5drXPrfF11nNW1LslygH

Score
10/10
netwirebotnetdiscoveryratstealer

Malware Config

Extracted

Family

netwire

C2

sydor.tjsosda.com:5563

Attributes
  • activex_autorun

    false

  • copy_executable

    true

  • delete_original

    false

  • host_id

    FRESH

  • install_path

    %AppData%\Install\msc0nfig.exe

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • offline_keylogger

    true

  • password

    Qx7cUxUUgS

  • registry_autorun

    false

  • use_mutex

    false

Signatures

  • NetWire RAT payload 4 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Eurobelt RFQ 203345_20200626100122637_PDF.exe
    "C:\Users\Admin\AppData\Local\Temp\Eurobelt RFQ 203345_20200626100122637_PDF.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2496
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\avdisable.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\avdisable.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4724
      • C:\Windows\system32\cmd.exe
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\CD14.tmp\CD15.tmp\CD16.bat C:\Users\Admin\AppData\Local\Temp\RarSFX0\avdisable.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4532
        • C:\Windows\system32\reg.exe
          reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t "REG_DWORD" /d "1" /f
          4⤵
            PID:2164
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\opener.bat" "
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4132
        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\fret.sfx.exe
          fret.sfx.exe -dC:\Users\Admin\AppData\Local\Temp
          3⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:5096
          • C:\Users\Admin\AppData\Local\Temp\RarSFX1\fret.exe
            "C:\Users\Admin\AppData\Local\Temp\RarSFX1\fret.exe"
            4⤵
            • Checks computer location settings
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3268
            • C:\Users\Admin\AppData\Roaming\Install\msc0nfig.exe
              "C:\Users\Admin\AppData\Roaming\Install\msc0nfig.exe"
              5⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:2300
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\fret.sfx.exe
        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\fret.sfx.exe"
        2⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1520
        • C:\Users\Admin\AppData\Local\Temp\RarSFX2\fret.exe
          "C:\Users\Admin\AppData\Local\Temp\RarSFX2\fret.exe"
          3⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:3144

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\CD14.tmp\CD15.tmp\CD16.bat
      Filesize

      130B

      MD5

      78cf128c2c0b024aa9075d038f32c0f9

      SHA1

      ea941836117cb9f6d87a010806bbd5df58bd938a

      SHA256

      bc357caf1b6e8b12c5e257beaa3fe82a7b9ec2f982796ab699c86f8915e72d7e

      SHA512

      d523de37449552b99177cc3b510f068b2b2eeb1f30309d9e99320638e25e842df61357ae031cd2662c43e76c612ed2067e7c6319bf9e2e932793f0d5ee819c08

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\avdisable.exe
      Filesize

      88KB

      MD5

      0c73e1dccd5e52ce5abb544b3c7f1f7a

      SHA1

      b283d5eefb8626c178467ff38aca9afc3e589343

      SHA256

      dd7413dd067439dd10afb0b9a2c76c5e30b8aba5413571a31c14d5589adf6909

      SHA512

      9181f32a9648ddf44d02881e4dc11269bb841f3d571b78ef2cb1652d53e355d733d70624ab9fdad06c9a270dee49d30170028e283f93bbf7c82926e3cecf2252

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\fret.sfx.exe
      Filesize

      367KB

      MD5

      e511271bfd8344f13575c80d692ae02c

      SHA1

      3f75cb43fc93f216d24d95adcac17863000edff6

      SHA256

      552b6b86bf389ad37b7103930bf4b44fd3f57c2925af4b007c76dcb2e666008b

      SHA512

      c363063a462338b7f75b08ce35fa304e78178a5a6c816d4b938617fffb4da179ef4014c660db841dc71cbd0d1a96c6efd449e3d2598bf449c55a4fc85cf01768

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\opener.bat
      Filesize

      21B

      MD5

      14b6aa67bff27f67b794fd6581847781

      SHA1

      44d29ece8a05f7d46e4f31b1390dae67634f2bcc

      SHA256

      7418deba23971c4b160b5287633c173753becf26228f7d32e9c7cfc83502ae3f

      SHA512

      bac47e9f9f33664c2659029d12efc35508d0ce48b10bd60fbef16b87a7f727da92c2168f784411fca2d1bcabe9c8aafc65195843bdb63a59c2bd4fa0c604c45a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RarSFX1\fret.exe
      Filesize

      160KB

      MD5

      83e843be7858928a362bfd46b01b9dbd

      SHA1

      d8a0d091e7532961fcae6d1c466ce3ba4d34bb84

      SHA256

      57b59b6ff8c0140cda1b6b5f606effcc97411ab4663bf95cdc0b0f3511cbddab

      SHA512

      9fdce213e2fef8e7480f2f53adf7ff489910532a0bd91a9948d8ddedfbf27afdf8c1c4cb881c3585fdb7146a8095deed32b5d65498d38f913ee019f511e4d598

      Download Submit

    • memory/2300-49-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/3144-50-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/3268-38-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download