Overview

overview

10

Static

static

10

ad61c38058...18.exe

windows7-x64

10

ad61c38058...18.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    ad61c38058a97de9f3d610006fd159e8_JaffaCakes118

  • Size

    132KB

  • Sample

    241128-yemceaxra1

  • MD5

    ad61c38058a97de9f3d610006fd159e8

  • SHA1

    00a5df71070570f2753c4fef66b0c83c739144b8

  • SHA256

    f983b53021ae52b29ae2d85985c20f8d5275bb0850eec251bf19febb7643c4f4

  • SHA512

    a6e0009b1aa91540e2907a703da7771a7740a72ec248760ff0ade028310f8d8d41b6716bbb23e773976139f1587dfe74b5af6967dc987e3d8cd03127024941d1

  • SSDEEP

    1536:dtTSUSKzF0Lh9a7WraTWFbmDHVXWRVAzZ8MfUSl7Q3rwXvrw5ggZG:dt5SKzF0Lh9a7IGW9GHeOFVvc3rbZG

Score
10/10
netwirebotnetdiscoverypersistenceratstealer

Malware Config

Extracted

Family

netwire

C2

KhaosStorm.100chickens.me:3360

Attributes
  • activex_autorun

    false

  • copy_executable

    true

  • delete_original

    false

  • host_id

    Chicken-%Rand%

  • install_path

    %AppData%\Microsoft\MSASCuiI.exe

  • keylogger_dir

    %AppData%\nvidia\

  • lock_executable

    false

  • mutex

    IFTbtVwP

  • offline_keylogger

    true

  • password

    T3Ih8"8!n{

  • registry_autorun

    true

  • startup_name

    Windows Defender

  • use_mutex

    true

Targets

    • Target

      ad61c38058a97de9f3d610006fd159e8_JaffaCakes118

    • Size

      132KB

    • MD5

      ad61c38058a97de9f3d610006fd159e8

    • SHA1

      00a5df71070570f2753c4fef66b0c83c739144b8

    • SHA256

      f983b53021ae52b29ae2d85985c20f8d5275bb0850eec251bf19febb7643c4f4

    • SHA512

      a6e0009b1aa91540e2907a703da7771a7740a72ec248760ff0ade028310f8d8d41b6716bbb23e773976139f1587dfe74b5af6967dc987e3d8cd03127024941d1

    • SSDEEP

      1536:dtTSUSKzF0Lh9a7WraTWFbmDHVXWRVAzZ8MfUSl7Q3rwXvrw5ggZG:dt5SKzF0Lh9a7IGW9GHeOFVvc3rbZG

    Score
    10/10
    netwirebotnetdiscoverypersistenceratstealer

    • NetWire RAT payload

      rat

    • Netwire

      Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

      botnetstealernetwire

    • Netwire family

      netwire

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks