Malware Analysis Report

2025-04-03 09:53

Sample ID 250312-hp6k2aswfs
Target e6ccbe41f2855cb0789c917f7faaf132d8d2a9ecd103f3c2aaf0f87fca1f8f96
SHA256 e6ccbe41f2855cb0789c917f7faaf132d8d2a9ecd103f3c2aaf0f87fca1f8f96
Tags
netwire botnet discovery rat stealer
score
10/10

Analysis Overview

score
10/10

SHA256

e6ccbe41f2855cb0789c917f7faaf132d8d2a9ecd103f3c2aaf0f87fca1f8f96

Threat Level: Known bad

The file e6ccbe41f2855cb0789c917f7faaf132d8d2a9ecd103f3c2aaf0f87fca1f8f96 was found to be: Known bad.

Malicious Activity Summary

netwire botnet discovery rat stealer

NetWire RAT payload

Netwire family

Netwire

Executes dropped EXE

Loads dropped DLL

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-03-12 06:55

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2025-03-12 06:55

Reported

2025-03-12 06:58

Platform

win10v2004-20250217-en

Max time kernel

90s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e6ccbe41f2855cb0789c917f7faaf132d8d2a9ecd103f3c2aaf0f87fca1f8f96.exe"

Signatures

NetWire RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Netwire

botnet stealer netwire

Netwire family

netwire

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\aliyunssl\run.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\aliyunssl\run.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e6ccbe41f2855cb0789c917f7faaf132d8d2a9ecd103f3c2aaf0f87fca1f8f96.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\aliyunssl\run.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e6ccbe41f2855cb0789c917f7faaf132d8d2a9ecd103f3c2aaf0f87fca1f8f96.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e6ccbe41f2855cb0789c917f7faaf132d8d2a9ecd103f3c2aaf0f87fca1f8f96.exe

"C:\Users\Admin\AppData\Local\Temp\e6ccbe41f2855cb0789c917f7faaf132d8d2a9ecd103f3c2aaf0f87fca1f8f96.exe"

C:\Users\Admin\AppData\Local\aliyunssl\run.exe

"C:\Users\Admin\AppData\Local\\aliyunssl\run.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 s3awscloud.com udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 s3awscloud.com udp

Files

C:\Users\Admin\AppData\Local\aliyunssl\run.exe

MD5 3aaf53b44ff6dff13d94890c821bb11d
SHA1 86555030855bb4aa5a92bcc1887b60943f430457
SHA256 09c47ba1ad13aa82404753ef69fb573a1804be31dca825acfc9ad25de2bc4274
SHA512 5027ec4960d4b5d7f599a1001b1471dfb24f1a644c244ee91db6a54f5c1a63c5faf64b7a217c9757da9a9adea204a27707aed15ad60bb39819ff54ebd8053282

C:\Users\Admin\AppData\Local\aliyunssl\artists.dll

MD5 83b9716b1680484d224f2f20150670bd
SHA1 f993e8bfb9a68c7c227b223c37427ab11ebb7155
SHA256 091cf05e363b1e0621e50b20797bf816742dc07f422d23ab5443be223d1d2581
SHA512 4ab0a94a3decc8ade7921cb85b80ab3b44655fa2de56df17a20bdbfa0bc88c24d80b35397d4c6c191bffd4938cacc36107c1049f862940b88f36280f70ddf192

C:\Users\Admin\AppData\Local\aliyunssl\qasgh.enc

MD5 ee78aded588b826f57366b4b2923189a
SHA1 25d77080b22e6f05a5b77c5cf723dde6e03f7066
SHA256 d6a6b99ec598d04f5e70aad4f31cce80f6ebea4e2877fe4a84c4f382a4f135a9
SHA512 189e971061cbe73c3f0ab3e8ff8ca4a38c1274f280a3c889d72f986c982d7270ed50a034d30f7577500631cd4f22e89a39c648a19b4655148d746eb57853144f

memory/4780-24-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4780-39-0x0000000000400000-0x0000000000433000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2025-03-12 06:55

Reported

2025-03-12 06:58

Platform

win7-20240903-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e6ccbe41f2855cb0789c917f7faaf132d8d2a9ecd103f3c2aaf0f87fca1f8f96.exe"

Signatures

Netwire

botnet stealer netwire

Netwire family

netwire

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\aliyunssl\run.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e6ccbe41f2855cb0789c917f7faaf132d8d2a9ecd103f3c2aaf0f87fca1f8f96.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\aliyunssl\run.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e6ccbe41f2855cb0789c917f7faaf132d8d2a9ecd103f3c2aaf0f87fca1f8f96.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e6ccbe41f2855cb0789c917f7faaf132d8d2a9ecd103f3c2aaf0f87fca1f8f96.exe

"C:\Users\Admin\AppData\Local\Temp\e6ccbe41f2855cb0789c917f7faaf132d8d2a9ecd103f3c2aaf0f87fca1f8f96.exe"

C:\Users\Admin\AppData\Local\aliyunssl\run.exe

"C:\Users\Admin\AppData\Local\\aliyunssl\run.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 s3awscloud.com udp

Files

\Users\Admin\AppData\Local\aliyunssl\run.exe

MD5 3aaf53b44ff6dff13d94890c821bb11d
SHA1 86555030855bb4aa5a92bcc1887b60943f430457
SHA256 09c47ba1ad13aa82404753ef69fb573a1804be31dca825acfc9ad25de2bc4274
SHA512 5027ec4960d4b5d7f599a1001b1471dfb24f1a644c244ee91db6a54f5c1a63c5faf64b7a217c9757da9a9adea204a27707aed15ad60bb39819ff54ebd8053282

\Users\Admin\AppData\Local\aliyunssl\artists.dll

MD5 83b9716b1680484d224f2f20150670bd
SHA1 f993e8bfb9a68c7c227b223c37427ab11ebb7155
SHA256 091cf05e363b1e0621e50b20797bf816742dc07f422d23ab5443be223d1d2581
SHA512 4ab0a94a3decc8ade7921cb85b80ab3b44655fa2de56df17a20bdbfa0bc88c24d80b35397d4c6c191bffd4938cacc36107c1049f862940b88f36280f70ddf192

C:\Users\Admin\AppData\Local\aliyunssl\qasgh.enc

MD5 ee78aded588b826f57366b4b2923189a
SHA1 25d77080b22e6f05a5b77c5cf723dde6e03f7066
SHA256 d6a6b99ec598d04f5e70aad4f31cce80f6ebea4e2877fe4a84c4f382a4f135a9
SHA512 189e971061cbe73c3f0ab3e8ff8ca4a38c1274f280a3c889d72f986c982d7270ed50a034d30f7577500631cd4f22e89a39c648a19b4655148d746eb57853144f