General

  • Target

    JaffaCakes118_63f1c69cab92510cb09263e7a1fa636b441a41250da1ca85046544bf580aca9d

  • Size

    54.6MB

  • Sample

    241223-xws1vayjfp

  • MD5

    1a4e636db05d2f464afc14499a15d340

  • SHA1

    2c734f47f5b585dc7fe185e171ea2d0057bf23c9

  • SHA256

    63f1c69cab92510cb09263e7a1fa636b441a41250da1ca85046544bf580aca9d

  • SHA512

    d9c8fb48cd33a63e502858db4af8d2e66a3fddd794687089264ad9ebf97dd09cff06894b001a9a62e0bf3a50ece3869cea103aa7974894ac095330325fbbc38b

  • SSDEEP

    1572864:ehb5hAUvIT15MCmAH0Zw4+iu1lHtpHYxx:ehbTvw16CmA6V+NdHYxx

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated URLs

    exe.dropper: https://i.top4top.io/m_1891i29ay1.mp4

Extracted

  • Family

    netwire

  • C2

    alice2019.myftp.biz:3360

  • Attributes
  • activex_autorun

    false

  • copy_executable

    false

  • delete_original

    false

  • host_id

    FRAPPE2021

  • lock_executable

    false

  • offline_keylogger

    false

  • password

    Password

  • registry_autorun

    false

  • use_mutex

    false

Targets

    • Target

      8D8C50D15D14F3C82B0E8FD020C6DA47594E7B3FDA3997FAC8DDAE3F0B7050FD

    • Size

      54.7MB

    • MD5

      457576e35c46938aeffa39b5ba30be14

    • SHA1

      9d0e24a4c6af1869605f6a90f39c27088e2cc155

    • SHA256

      8d8c50d15d14f3c82b0e8fd020c6da47594e7b3fda3997fac8ddae3f0b7050fd

    • SHA512

      d2c186073e2868283f56ed5fe69b7f8076b6a126301b759bad326e2501360f1792ca4361c5056782f09398483903d72a989c489ef8ca23ccc686c6b31622a7bd

    • SSDEEP

      1572864:SHLQQYsZrYdPUvlFXMNAU+Dg+0PvILwy8d+lr2f:SrQrsZMqdFXW4Dglv0z8dUC

    • NetWire RAT payload

    • Netwire

      Netwire is a RAT whose main functionality is focused on password stealing and keylogging, but it also includes remote control capabilities.

    • Netwire family

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with the display window hidden.

    • Command and Scripting Interpreter: PowerShell

      Uses the powershell.exe command.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks