Overview

overview

10

Static

static

1

e6ccbe41f2...96.exe

windows7-x64

10

e6ccbe41f2...96.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    133s
  • max time network
    138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12/03/2025, 06:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e6ccbe41f2855cb0789c917f7faaf132d8d2a9ecd103f3c2aaf0f87fca1f8f96.exe

  • Size

    1.0MB

  • MD5

    d02530f3b97431f4ccb75d4fbedcf106

  • SHA1

    5825dd6577ca148476f6e68987915206d44d82c4

  • SHA256

    e6ccbe41f2855cb0789c917f7faaf132d8d2a9ecd103f3c2aaf0f87fca1f8f96

  • SHA512

    023377cd5ad6afbfd5631ce29c676fef694daf088a0b44b6d3a165db18c843595cf8bf8c0798d5408c6b374f97b0ad96a97ae9ef738493456bd245f391c4bc8b

  • SSDEEP

    24576:46T8Ujl6vO01C1GCTsYoQZtlsZdc40QDrUYuGG1ihTGTTi0CnGkz4mvrgEJLW:eTUwTGTTglz4mvUt

Score
10/10
netwirebotnetdiscoveryratstealer

Malware Config

Extracted

Family

netwire

C2

s3awscloud.com:8080

Attributes
  • activex_autorun

    false

  • copy_executable

    false

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • keylogger_dir

    %AppData%\sLogs\

  • lock_executable

    false

  • offline_keylogger

    true

  • password

    mrx325hydra11

  • registry_autorun

    false

  • use_mutex

    false

Signatures

  • NetWire RAT payload 2 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Netwire family
    netwire
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e6ccbe41f2855cb0789c917f7faaf132d8d2a9ecd103f3c2aaf0f87fca1f8f96.exe
    "C:\Users\Admin\AppData\Local\Temp\e6ccbe41f2855cb0789c917f7faaf132d8d2a9ecd103f3c2aaf0f87fca1f8f96.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:3612
    • C:\Users\Admin\AppData\Local\aliyunssl\run.exe
      "C:\Users\Admin\AppData\Local\\aliyunssl\run.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:1276

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\aliyunssl\artists.dll
    Filesize

    229KB

    MD5

    83b9716b1680484d224f2f20150670bd

    SHA1

    f993e8bfb9a68c7c227b223c37427ab11ebb7155

    SHA256

    091cf05e363b1e0621e50b20797bf816742dc07f422d23ab5443be223d1d2581

    SHA512

    4ab0a94a3decc8ade7921cb85b80ab3b44655fa2de56df17a20bdbfa0bc88c24d80b35397d4c6c191bffd4938cacc36107c1049f862940b88f36280f70ddf192

    Download Submit

  • C:\Users\Admin\AppData\Local\aliyunssl\qasgh.enc
    Filesize

    160KB

    MD5

    ee78aded588b826f57366b4b2923189a

    SHA1

    25d77080b22e6f05a5b77c5cf723dde6e03f7066

    SHA256

    d6a6b99ec598d04f5e70aad4f31cce80f6ebea4e2877fe4a84c4f382a4f135a9

    SHA512

    189e971061cbe73c3f0ab3e8ff8ca4a38c1274f280a3c889d72f986c982d7270ed50a034d30f7577500631cd4f22e89a39c648a19b4655148d746eb57853144f

    Download Submit

  • C:\Users\Admin\AppData\Local\aliyunssl\run.exe
    Filesize

    81KB

    MD5

    3aaf53b44ff6dff13d94890c821bb11d

    SHA1

    86555030855bb4aa5a92bcc1887b60943f430457

    SHA256

    09c47ba1ad13aa82404753ef69fb573a1804be31dca825acfc9ad25de2bc4274

    SHA512

    5027ec4960d4b5d7f599a1001b1471dfb24f1a644c244ee91db6a54f5c1a63c5faf64b7a217c9757da9a9adea204a27707aed15ad60bb39819ff54ebd8053282

    Download Submit

  • memory/1276-24-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

    Download

  • memory/1276-39-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

    Download