netwire | 5328d5f480f89cf93fe4f578facaa9622f36e802c436ed20b9d83e11b98700d3 | Triage

Sharing

General

Target

Orcus RAT.rar
Size

19.0MB
Sample

241216-2gnj2askaz
MD5

95a7746090144dc426034bad7607b0cb
SHA1

ca2657264f6a151fc5c8f3a1855850a03fbf19b8
SHA256

5328d5f480f89cf93fe4f578facaa9622f36e802c436ed20b9d83e11b98700d3
SHA512

1e235c9a15aefb7ddc392c2836d3b7654723f602ff6ba4e98df16057a212813517733d32af43da07fb9d1f5af4d21c987efed6391e51413a83e6553e6ece5749
SSDEEP

393216:e22NGiEPwMcIurI/hL2O9tMiP9WkmsdK+yW6yPbiFc2xF4c08jkbb:V2o34tI5q520mn6yV+4c0bbb

Score

10^/10

netwire orcus discovery execution rat

Malware Config

Extracted

Family

netwire

C2

hazbot.duckdns.org:3360

Attributes

activex_autorun
false
copy_executable
true
delete_original
true
host_id
HostId-%Rand%
install_path
%AppData%\Install\Host.exe
keylogger_dir
%AppData%\Logs\
lock_executable
true
mutex
fYGiNfhu
offline_keylogger
true
password
Hazza2021!
registry_autorun
true
startup_name
NetWire
use_mutex
true

Targets

- Target
  
  Orcus RAT.rar
- Size
  
  19.0MB
- MD5
  
  95a7746090144dc426034bad7607b0cb
- SHA1
  
  ca2657264f6a151fc5c8f3a1855850a03fbf19b8
- SHA256
  
  5328d5f480f89cf93fe4f578facaa9622f36e802c436ed20b9d83e11b98700d3
- SHA512
  
  1e235c9a15aefb7ddc392c2836d3b7654723f602ff6ba4e98df16057a212813517733d32af43da07fb9d1f5af4d21c987efed6391e51413a83e6553e6ece5749
- SSDEEP
  
  393216:e22NGiEPwMcIurI/hL2O9tMiP9WkmsdK+yW6yPbiFc2xF4c08jkbb:V2o34tI5q520mn6yV+4c0bbb
Score

7^/10
- Executes dropped EXE
- Loads dropped DLL
behavioral1 behavioral2
- Target
  
  Release/Exceptionless.Signed.pdb
- Size
  
  828KB
- MD5
  
  86f540c812a6bed193326c77bb5942f1
- SHA1
  
  dee328bf660443ff9579ce678fa0ba8c7a72a8cb
- SHA256
  
  dd797c1bb0d3ef0027c7b1c4b39b1ee3fdf307d59ce3f0c62ce97caa27fc2d8a
- SHA512
  
  2f2a19ff28c540cbbb9b059efe964ab42923578d688c1ccca5d901592cc85cf78d50c87683e50c7269ba2f7e793cfe8eab0fe0fe161a7b647ce0a22bfda3b5b1
- SSDEEP
  
  12288:+XlVPlmdqWo1j2KIJEPnzvX9ev9Z74c3exDeTQGHxM8s:R4WC2TS/bXwvTsSTQmxE
Score

3^/10

discovery
behavioral3 behavioral4
- Target
  
  Release/Exceptionless.Signed.xml
- Size
  
  662KB
- MD5
  
  853d1ddb96998454cdcb44f4d55cf78d
- SHA1
  
  46294053a1ae0451cdc783757d64f60b40585d63
- SHA256
  
  88b6a28e7be89258bbf18a82dc30ec15807b8202bdf83085b300c4f6da6626ef
- SHA512
  
  52d3b9cfe64ecd773bbc2ff4779665fcfd0baee54a7f34be82f2ef94affb1bd0590561bbc0ad1e094e2316b168555f48ef7aef50633e89d3dd0df0239cb2c62d
- SSDEEP
  
  6144:5bvQ/le8+NyYPrnX75jH2AZypAS9FQRHVpaFMTd7JASERIFu86uIlC9qOgLuyvLn:5/6
Score

3^/10

discovery
behavioral5 behavioral6
- Target
  
  Release/Exceptionless.Wpf.Signed.xml
- Size
  
  1KB
- MD5
  
  37125212f6c1a854285080c32a21aea8
- SHA1
  
  ab58c4e0fa53f93fe23f17f132a794ccf296f3fa
- SHA256
  
  2175df5b1bbd41ec159e5b51cbccf03b8d9a09bccab527182072dd01a2705ac7
- SHA512
  
  60996ea9a70a961cd3fa93b89c8b7b2fb56a3a923291744f4d4a9ec6863630fb06c95ea365011ede389a73abb4454a0cc5f704fbc16399d3600904fcb16c4cb0
Score

3^/10

discovery
behavioral7 behavioral8
- Target
  
  Release/FluentCommandLineParser.pdb
- Size
  
  137KB
- MD5
  
  53c0253afa7cf1c2a0c13a4d01869504
- SHA1
  
  5753997682c6b57b8f8a946382220492d45665bd
- SHA256
  
  2d812996cbdc1fdeddc1a9a9807e7dccae1708cc11def2c950fdb77261a0f21f
- SHA512
  
  54d7d3da8fcc17ceb4446bb0a682dac1f85d68330ee5efe96b527d75a5b2a49a436e70a9272fc453738af7dc9111232b7bbee38468cbde74cb11ebde40090be8
- SSDEEP
  
  768:kvhMjucRacU9+lQUk7FWAEqeZjQv0tpn26Ks5VYrHxp:/ucRacRi7reZjqw2Z
Score

3^/10

discovery
behavioral10 behavioral9
- Target
  
  Release/FluentCommandLineParser.xml
- Size
  
  116KB
- MD5
  
  e479f4c914c9c0fab2ecc86e31cd1d93
- SHA1
  
  386bfea40ba5ba1b78cb210cb8de5ef227067d0d
- SHA256
  
  0cf7bc714b9a0e327723fd9728ef3b839e2f4f19eec7a2868127c88e810c7aea
- SHA512
  
  cfc1729531241742aa36cf11479716a3115bd82cc8b9d8624adf5cad88551fd9f60f594f942ff5b662e5061bec3177fc15ddbe0d831ab424e2a96e2e5570accc
- SSDEEP
  
  768:KkkM87lE8lT51nmVc35ZfQfvoa4jm8DYidrq:5Tc35ckl0ixq
Score

3^/10

discovery
behavioral11 behavioral12
- Target
  
  Release/GongSolutions.WPF.DragDrop.pdb
- Size
  
  207KB
- MD5
  
  fe261eb5106b977e776d55a75e34350e
- SHA1
  
  c9a0928bcf3c5f774cda99441a6eca517c476c12
- SHA256
  
  2b4c2e2bbca8f975f6edc2f1031dcf72bca3b0cab7ebc7ac180e09ef78ee4695
- SHA512
  
  5db914487de4af2b859b535e9484a4c38bc13d7ec46b2b0be496dfb074720c61434a2ef8cd9dd080c3708c03151c26e072da24a4eb8363fd29701c6607dd6489
- SSDEEP
  
  1536:wVk5Jfp3FxhFrRVxQaWiaaiSwZbZRTm62l9uuu/NcHZ756GqYTT0s+u7okB1SQK2:BnsYT7dDSQTlRG1dBrXNiQ4dBrX
Score

3^/10

discovery
behavioral13 behavioral14
- Target
  
  Release/GongSolutions.WPF.DragDrop.xml
- Size
  
  72KB
- MD5
  
  acfd3c87541898ddbe58ac661155cf23
- SHA1
  
  1699d1d9be61144085f16996698c52b51eb4215c
- SHA256
  
  bdda71a532d81e93f5713fc096d4b0b423d38272674799c5cd26ce4b26d4ca02
- SHA512
  
  64cc79c2f8c62da97c90b9bf9484f8bcf0e586d470aefeed49976c04da07a1601b5abbc34939180568b72a055032a7a6293c3bdbb75825cd936e342da8a479eb
- SSDEEP
  
  768:hKE6JuJJ+7d7BfmXB9DtbI8OAM/6OhDfkn/fZII9n+Y4t/gtzMHKk:hr6HZoB9Dt+6ZfZII9n+Y4t/gtzMHt
Score

3^/10

discovery
behavioral15 behavioral16
- Target
  
  Release/ICSharpCode.AvalonEdit.xml
- Size
  
  582KB
- MD5
  
  5bd494ea6ab9ed3a0dd5f4736a6c1f8d
- SHA1
  
  9ffb4fa061171eeba0714cad028c4655aa2d241c
- SHA256
  
  a8de4e43ec6747781a7e01a7e5d51c92cffff32879e6bc3795c75c9ac90fd9cf
- SHA512
  
  60eb5a1a8b253e680bfe4340c2ef4810ef3089124959804436a1a910a8750208972623923e7613a03a41db0d08a93c568c7b424a5406bb5ea40453f2c617a71c
- SSDEEP
  
  6144:sFilxsTCj3BkjMG8AitANoPNzLINIFlhgTS9ycdxyhxYYbqEt:9g2Yc4
Score

3^/10

discovery
behavioral17 behavioral18
- Target
  
  Release/MahApps.Metro.IconPacks.Material.xml
- Size
  
  9KB
- MD5
  
  01439430243696f2ac9eae521649f4db
- SHA1
  
  03453f8ee3ef81a4c2f43f49d8affa07a4d62873
- SHA256
  
  678ea9afbe0406875f3182b6654743200c5f1297ab4b9ac07de1b4eaa09e4b27
- SHA512
  
  ebcbf88dd370f4356bd964bb5c6ec495c3aa1484460d7d1a3a821b49ebbda9aaa128948b6ec98ff4bda1e553759aa1bce533fa6bd10d52e03b508139811f2a49
- SSDEEP
  
  192:xiCcRF9RSJrnMqwYHW8YUrFTz0A8oYw6c6wAI7ivS43u0X6LiV4AHF8Q:xiCcRF9RSJrnMqwYHW8drFToA8oYw6cW
Score

3^/10

discovery
behavioral19 behavioral20
- Target
  
  Release/MahApps.Metro.xml
- Size
  
  373KB
- MD5
  
  0c8bce16598497ef3057e11ec1993707
- SHA1
  
  ce3695594d2ac344630c4486761770b89221522e
- SHA256
  
  5e95cbccf4d2132109d55bef3bb49c6c83920a20fa99cc1a3c5e26234a58052e
- SHA512
  
  7080facff2734d2c24fa1948dd60aec8a6ec70f6a252e8aee672b5532ee0431a7699a2371ea390af71893ae7b3c4843a57ed50fc4407b2632763ede713a91aab
- SSDEEP
  
  6144:Bm9j36hRyWTBKcqsjYCGGEauE72mJjAD51GA:Bm9jLGA
Score

3^/10

discovery
behavioral21 behavioral22
- Target
  
  Release/Microsoft.Threading.Tasks.xml
- Size
  
  49KB
- MD5
  
  fa83e973ba2842c66deee48be6bd5167
- SHA1
  
  7e5e5d1fd31400b24ca4a6bebf818eaa63c2515a
- SHA256
  
  1b88c8dcbc2b8f05571ff63af36e10ddf6f4e348ae51d54565dc8a7b3bb487e3
- SHA512
  
  dfb3ded8a0faebbafe2ed1add4bc6b2958de833a4a6cd4b405d6a6967ab8a34d0d9680717d615745a8a516d80b78739ca37e1fc78212675f4ef70bba008fa02f
- SSDEEP
  
  1536:9FjksQsKC8U53CNkgZ3a+HrOC0fxvHUiQJYvBvck2PkmcDQ2Cb9E28:9FjksQsKC8U53CNkgZ3a+HrOC0fxvHUm
Score

3^/10

discovery
behavioral23 behavioral24
- Target
  
  Release/NLog.xml
- Size
  
  1.6MB
- MD5
  
  ca532230ede750dc11c7e26c521f382f
- SHA1
  
  f8db7f7bf3c5a7b68caa072d79064efc52f66abc
- SHA256
  
  0840395f0ef1bff0746895255c19af38e7775d3c316892e94c6514e834e3bfb5
- SHA512
  
  5025b6ee3e9c56d902435d209c75a3a6a873b489656b0e42bdbcceee8f3b083a1f06b74ae436552e00ccee0c1d0d6726408fecf2a68091b442e44ebc79b80929
- SSDEEP
  
  6144:3bDXjSkDsv6ZrgFOG3We13QixCx8ZaRIHp8TEKcQonqDhIrMBc+6z+beoX:PH15e8EKH
Score

3^/10

execution
behavioral25 behavioral26
- Target
  
  Release/Newtonsoft.Json.xml
- Size
  
  693KB
- MD5
  
  f414b3f68fe7c4f094b8fe8382f858c9
- SHA1
  
  66ee1b3266fcedde433b392156ab4a24262b2f34
- SHA256
  
  2d46b37b086d6848af5f021d2d7a40581ce78aadd8ee39d309aee4771a0eeccf
- SHA512
  
  19b2feb40c2e9d4d20d9a21f88f6ecea773060c056b8cbbd21a6eec41486dc5fc101e6c31129b0d53466d04709bcd4ed777058ddfb02532242b43e253a7b24bd
- SSDEEP
  
  6144:XqqUmk/RikeaG0rH3jGHdl0/InHHpgVIeR0R+CRFo9TA82m5Kj+sJjoqoyO185QA:DUq
Score

3^/10

discovery
behavioral27 behavioral28
- Target
  
  Release/Ookii.Dialogs.Wpf.pdb
- Size
  
  27KB
- MD5
  
  e9b456e2db3949a55841e5648a01525b
- SHA1
  
  d049df5b7773479aa30a0e6f067faa35bce26a85
- SHA256
  
  97c348afc7e56e7316b13aeb94b4ee5e6fd2164dd3033a94c37da5aa1a15f744
- SHA512
  
  e61943dad87f5669badd931d0a6be84582c308cf8881bc12ee4ceaf515dadf5bac88b50fc1f48e21b1a49854b1c9e3a65752adad97c1822a2b9250d8a94a5bbb
- SSDEEP
  
  384:edH+cRrFSmgWFIFuS0NS4L0qcaT+I5/WosGOFTdJBU2nxvRUucXzQzv87DxJYO3V:WeSrcFV0E4LTcCroF9v6RDQzSdaNXG
Score

3^/10

discovery
behavioral29 behavioral30
- Target
  
  Release/Ookii.Dialogs.Wpf.xml
- Size
  
  175KB
- MD5
  
  d74d6de4cfd3f9d8793c83fa20031a8a
- SHA1
  
  645092cbbec4fc9194a13074de516e9d47913927
- SHA256
  
  7b518ab6d5f879f63b1d2f0dd5e0859f7b93fbbd77914713c9f4d43079ff906d
- SHA512
  
  9d7aed29bdf0cd04424b82e44b8925d6cd5a36e52b6b82cdedda156ff211ee78550d87966036cfe3c1c3b40740a2547b3d009e56ae236b8dee02acc47596b38e
- SSDEEP
  
  768:XXPUqdZgrZO7ZbkZKSZzY4gAPZooHDiDbDfDNSDcDLjDZgSZGw18WZdKBNGqBF1E:uZbDiDbDfDcDcD/DZgSiWnIF/H0Tx
Score

3^/10

discovery
behavioral31 behavioral32

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

JavaScript

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

ratorcusnetwire

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25

behavioral26

behavioral27

behavioral28

behavioral29

behavioral30

behavioral31

behavioral32