Overview

overview

10

Static

static

10

574b348f67...76.exe

windows7-x64

10

574b348f67...76.exe

windows10-2004-x64

10

6b4401690c...6f.exe

windows7-x64

10

6b4401690c...6f.exe

windows10-2004-x64

10

843c5f7a81...35.exe

windows7-x64

10

843c5f7a81...35.exe

windows10-2004-x64

10

bffb4b88ef...df.exe

windows7-x64

10

bffb4b88ef...df.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    JaffaCakes118_2f49ad5cc742acfa2fd05a49012c9a78597bf02b10a2fa890864aefba2efab22

  • Size

    340KB

  • Sample

    241222-fbejaatngt

  • MD5

    baff9d8c1bce9c19a9bce50b42eb09c1

  • SHA1

    295d04370e6b3f2705ce7bb09ea617ae794fc506

  • SHA256

    2f49ad5cc742acfa2fd05a49012c9a78597bf02b10a2fa890864aefba2efab22

  • SHA512

    310c03bed079545a5dea131079d5e675be28558883f30f67e0ff7c862dc349dca25d44de218366cd32fb4b0b7fd76fcebd3c108cae22f2d492530854b93481be

  • SSDEEP

    6144:GXc2AVd2XSAfzVfymegEoqnUQMPWshHVhoNVCegEoqnUQMPWshHVhoBKZ3EreOe6:GXc5VMSofregTQMtnqXCegTQMtnqSEq4

Score
10/10
netwirebotnetdiscoveryratstealer

Malware Config

Extracted

Family

netwire

C2

nwire733.duckdns.org:7922

nwire733.duckdns.org:7920
Attributes
  • activex_autorun

    false

  • copy_executable

    false

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • mutex

    souAjTlI

  • offline_keylogger

    true

  • password

    Password

  • registry_autorun

    false

  • use_mutex

    true

Targets

    • Target

      574b348f67921ce34f660afe2ff75d0538bd5ea203739a77479dba7f026f0476

    • Size

      160KB

    • MD5

      21c97621d2f2374fa75d71282c566203

    • SHA1

      96c38ca646682bc8520059402c3b3fc976e7481b

    • SHA256

      574b348f67921ce34f660afe2ff75d0538bd5ea203739a77479dba7f026f0476

    • SHA512

      1a32a419f68183ac683c7c4e34bf7ba57e6db58131de714428ff672ef9786c818d2215fcf86841cb2e007b53a85921a450296e53e7bcd35c4a74e0c6b2b105fd

    • SSDEEP

      3072:jOzPcXa+ND32eioGHlz8rnAE0HCXh0edLvefYMjMqqDvFf:jOTcK+NrRioGHlz8rz0i/MzQqqDvFf

    Score
    10/10
    netwirebotnetdiscoveryratstealer

    • NetWire RAT payload

      rat

    • Netwire

      Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

      botnetstealernetwire

    • Netwire family

      netwire
    behavioral1behavioral2

    • Target

      6b4401690cb0a07ee98ff3c5fc351b20c6e0a4ba7474c6ad858e5dc69a60b36f

    • Size

      160KB

    • MD5

      f3304cc314d7e62b283f262f01a6bcdf

    • SHA1

      714acf076bf6de8d1326e5f882d36bad8f012ed5

    • SHA256

      6b4401690cb0a07ee98ff3c5fc351b20c6e0a4ba7474c6ad858e5dc69a60b36f

    • SHA512

      a5be7c3d36108a07c77ac2ebaf05a9d4e1da8bbb023d161395ddc4e2fa3b082a3971cc453c2d881b3da348c68ce8e1551799a4e1611736b84c6226f959a3af4d

    • SSDEEP

      3072:jOzPcXa+ND32eioGHlz8rnAE0HCXh0edLvXYMjMqqDvFf:jOTcK+NrRioGHlz8rz0i/XzQqqDvFf

    Score
    10/10
    netwirebotnetdiscoveryratstealer

    • NetWire RAT payload

      rat

    • Netwire

      Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

      botnetstealernetwire

    • Netwire family

      netwire
    behavioral3behavioral4

    • Target

      843c5f7a818681e3df212c80515cdce0bd56c6e178412736b8a22b15ebb35435

    • Size

      160KB

    • MD5

      9a9f389d7aa1a7e0ded19e72fa02e0f5

    • SHA1

      2e5d861fe576b7ba708dd754cd8e4ce880f2ea2d

    • SHA256

      843c5f7a818681e3df212c80515cdce0bd56c6e178412736b8a22b15ebb35435

    • SHA512

      27aa5aedcb458f858fe47ed9518b92ee6615ae03d9acd1b639f23ac0d360d377dc0f34dbdf299ff008916be15b6930cfff3a2c464e2c20e36bf17a6a5201a783

    • SSDEEP

      3072:jOzPcXa+ND32eioGHlz8rnAE0HCXh0edLviYMjMqqDvFf:jOTcK+NrRioGHlz8rz0i/izQqqDvFf

    Score
    10/10
    netwirebotnetdiscoveryratstealer

    • NetWire RAT payload

      rat

    • Netwire

      Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

      botnetstealernetwire

    • Netwire family

      netwire
    behavioral5behavioral6

    • Target

      bffb4b88ef53beb49ba2af08212870b203a29c7fcd1c8f02e0a905e71a8af6df

    • Size

      82KB

    • MD5

      a4a8a89ce20e6f60d67140336e0a53cc

    • SHA1

      f8dd44e59ac4592637ceb48a386ecb7cb53b3d42

    • SHA256

      bffb4b88ef53beb49ba2af08212870b203a29c7fcd1c8f02e0a905e71a8af6df

    • SHA512

      2da47070fb9c39d09e6b9c706d4c85d5eb3928cbfb6271856068a30aacb8b9dd6df6e0680f59e5c2c03f2ff1a3d680d8ccafccebc8337c6763e0907918b27503

    • SSDEEP

      1536:ORC2p2bHgBjEAKsQHzIRiuoSL6EWCOSSUnEy9ZjBiVcUvnZjgf2c:O8bAuAfuIlHGEXTUqAcUBUuc

    Score
    10/10
    netwirebotnetdiscoveryratstealer

    • NetWire RAT payload

      rat

    • Netwire

      Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

      botnetstealernetwire

    • Netwire family

      netwire

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    behavioral7behavioral8

MITRE ATT&CK Enterprise v15

Tasks