Overview

overview

10

Static

static

3

9bf329e795...33.exe

windows7-x64

10

9bf329e795...33.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    99s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-01-2025 00:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9bf329e7953beea80c3dbb8e26886f42b54b46e2f79af7f86ed14b8d9b63be33.exe

  • Size

    296KB

  • MD5

    cd33c4a8aaef3f7b498e0969a680e0f2

  • SHA1

    d21f8b6d0c039d048836ceb19be8242c254c79ad

  • SHA256

    9bf329e7953beea80c3dbb8e26886f42b54b46e2f79af7f86ed14b8d9b63be33

  • SHA512

    4a256aac97f158481df8ab6702182133fea84d5622ec51d3fb621ab761dd6356a7bae679d3d4fc7a5f7364c466dc48ded7adede64cc51195cab9d5f8dd4a9a58

  • SSDEEP

    3072:tg6pbDIqOnD6rdKRMvXs+oCTZG9QBNctlVeFAnhPQ12uDefLFmLf9WL5Bcxw6:5Ddrvv8O1Ga9qtH5mLfoAD

Score
10/10
netwirebotnetdiscoveryratstealer

Malware Config

Extracted

Family

netwire

C2

wealthyman.brasilia.me:39560

Attributes
  • activex_autorun

    false

  • copy_executable

    false

  • delete_original

    false

  • host_id

    WEALTH

  • keylogger_dir

    %AppData%\music\

  • lock_executable

    false

  • offline_keylogger

    true

  • password

    sucess

  • registry_autorun

    false

  • use_mutex

    false

Signatures

  • NetWire RAT payload 4 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Netwire family
    netwire
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9bf329e7953beea80c3dbb8e26886f42b54b46e2f79af7f86ed14b8d9b63be33.exe
    "C:\Users\Admin\AppData\Local\Temp\9bf329e7953beea80c3dbb8e26886f42b54b46e2f79af7f86ed14b8d9b63be33.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2024
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /TN "Evakostumet1" /TR "C:\Users\Admin\AppData\Roaming\Haandevendingerne.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:4924
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /run /tn "Evakostumet1"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4164
  • C:\Users\Admin\AppData\Roaming\Haandevendingerne.exe
    C:\Users\Admin\AppData\Roaming\Haandevendingerne.exe
    1⤵
    • Executes dropped EXE
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    PID:404

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Haandevendingerne.exe
    Filesize

    296KB

    MD5

    9cf41d620b814126eb4aadfb76f3b663

    SHA1

    ef5dcc33db32f2c72080c96f4033e7d35e7d670d

    SHA256

    be31a42fc1025ed3b00cb91a080dce5496c35bde013bcaddc1adae46b76078f9

    SHA512

    e59da944ba6082da4b377924c6ca25dc19abab8f3421d0872e3a09ac88c823d54bb51e73b5d9054e8b621e47b5094f8dffe97474288743162b08430c04493769

    Download Submit

  • C:\Windows\win.ini
    Filesize

    111B

    MD5

    45fc085b156dff15d5472839a842a650

    SHA1

    70623f377b48c1a5a05866b675008851dc043c3b

    SHA256

    a38c356a0ad92fdfa96d20675c979528ffd39d0449d0965d8a5cb7dca753b718

    SHA512

    5e9b995e76800cbf5c3161d8d8c7fc81698ed90ffe3cf198c13e81b60b547e68493337f938e453cfb363b74e96e6615f8549bb6f1d826d02a62d2e2c992190aa

    Download Submit

  • memory/404-431-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/404-432-0x0000000000400000-0x000000000044A000-memory.dmp

    Filesize

    296KB

    Download

  • memory/404-433-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/404-435-0x0000000000400000-0x000000000044A000-memory.dmp

    Filesize

    296KB

    Download

  • memory/2024-212-0x0000000077841000-0x0000000077961000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2024-214-0x0000000077841000-0x0000000077961000-memory.dmp

    Filesize

    1.1MB

    Download