Overview

overview

10

Static

static

3

ff7db4ae23...cd.exe

windows7-x64

10

ff7db4ae23...cd.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    ff7db4ae2310849b37e2913a3abaf8b47aad0ba4c8ed7cd736673d634e7a90cd

  • Size

    178KB

  • Sample

    240915-drykzsshrg

  • MD5

    0c825821ffa1edd6b6455eb841c0af7c

  • SHA1

    be21aee0ae7b91e830c65d5282c20c8d4e3df3cc

  • SHA256

    ff7db4ae2310849b37e2913a3abaf8b47aad0ba4c8ed7cd736673d634e7a90cd

  • SHA512

    515f1d48467711d1f5b0992eabf00f457a8cf6701333d385f66fbddf396b62f14a0ae13f9fd06e3788efa3fce4707f111ec447a3e6746b8b33bf10b15f76db38

  • SSDEEP

    3072:I7VNBmjq8Kmvn6rIVTYC7H2rAalUW4R6rv3p8WStxlQu2VCPwK:I7VzxYnWI6agAalr4UrPp8WStPQu289

Score
10/10
netwirebotnetdiscoveryevasionpersistenceratstealer

Malware Config

Extracted

Family

netwire

C2

wallou.publicvm.com:3365

mediafire.duckdns.org:3365
Attributes
  • activex_autorun

    false

  • copy_executable

    false

  • delete_original

    false

  • host_id

    DLL2

  • keylogger_dir

    %AppData%\System\

  • lock_executable

    true

  • mutex

    KgpcGWmM

  • offline_keylogger

    true

  • password

    Reborn

  • registry_autorun

    false

  • use_mutex

    true

Targets

    • Target

      ff7db4ae2310849b37e2913a3abaf8b47aad0ba4c8ed7cd736673d634e7a90cd

    • Size

      178KB

    • MD5

      0c825821ffa1edd6b6455eb841c0af7c

    • SHA1

      be21aee0ae7b91e830c65d5282c20c8d4e3df3cc

    • SHA256

      ff7db4ae2310849b37e2913a3abaf8b47aad0ba4c8ed7cd736673d634e7a90cd

    • SHA512

      515f1d48467711d1f5b0992eabf00f457a8cf6701333d385f66fbddf396b62f14a0ae13f9fd06e3788efa3fce4707f111ec447a3e6746b8b33bf10b15f76db38

    • SSDEEP

      3072:I7VNBmjq8Kmvn6rIVTYC7H2rAalUW4R6rv3p8WStxlQu2VCPwK:I7VzxYnWI6agAalr4UrPp8WStPQu289

    Score
    10/10
    netwirebotnetdiscoveryevasionpersistenceratstealer

    • NetWire RAT payload

      rat

    • Netwire

      Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

      botnetstealernetwire

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks