Analysis
max time kernel: 1s
max time network: 133s
platform: windows11-21h2_x64
resource: win11-20250410-en
resource tags: arch:x64, arch:x86, image:win11-20250410-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 20/04/2025, 01:09
Static task: static1
Behavioral task: behavioral1
Sample: 2025-04-20_2a26ed689a49e2b3cfd71901147f8303_black-basta_cova_cryptbot_elex_hawkeye_luca-stealer.exe
Resource: win10v2004-20250314-en
General
Target: 2025-04-20_2a26ed689a49e2b3cfd71901147f8303_black-basta_cova_cryptbot_elex_hawkeye_luca-stealer.exe
Size: 22.0MB
MD5: 2a26ed689a49e2b3cfd71901147f8303
SHA1: d49d9e9e8b0e10a4429a64dde1a0974bc414c819
SHA256: 00bdd3b2ccc6b339809704a8b12920327b76e6cdd9d0d1beddc38155a4532579
SHA512: 9dfd5314841394af05efbd2d8d995bea3921f83971472168a7bd0c789c94f95932fb117052caa8641ac902e1d942503edccb5536463a7fd65e8bdcb17d62e294
SSDEEP: 393216:XA/VQ0ppRcqLGEx1HEApai9u+5Snh5NQluiffTIS:XNYR8I2AblM5qgifUS
Malware Config
Extracted
netwire
victoire.dyndns.biz:3650
maelus.mine.nu:3650
activex_autorun: false
copy_executable: false
delete_original: false
host_id: power
keylogger_dir: %AppData%\Logs\
lock_executable: false
offline_keylogger: true
password: 0000
registry_autorun: false
use_mutex: false
Signatures

NetWire RAT payload (6 IoCs)
resource  yara_rule
behavioral2/memory/2708-141-0x0000000000400000-0x0000000000425000-memory.dmp  netwire
behavioral2/memory/2708-139-0x0000000000400000-0x0000000000425000-memory.dmp  netwire
behavioral2/memory/3516-134-0x0000000000400000-0x0000000000425000-memory.dmp  netwire
behavioral2/memory/3516-132-0x0000000000400000-0x0000000000425000-memory.dmp  netwire
behavioral2/memory/876-130-0x0000000000400000-0x0000000000425000-memory.dmp  netwire
behavioral2/memory/876-128-0x0000000000400000-0x0000000000425000-memory.dmp  netwire

Netwire family

Executes dropped EXE (3 IoCs)
pid   Process
1468  WinDriversQt.exe
1300  ROJid3crwtijBOi.exe
4192  YrtbHB5Gfq2BVO9.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  2025-04-20_2a26ed689a49e2b3cfd71901147f8303_black-basta_cova_cryptbot_elex_hawkeye_luca-stealer.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WinDriversQt.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ROJid3crwtijBOi.exe

NSIS installer (2 IoCs)
resource  yara_rule
behavioral2/files/0x000a00000002a816-52.dat  nsis_installer_1
behavioral2/files/0x000a00000002a816-52.dat  nsis_installer_2

Scheduled Task/Job: Scheduled Task (1 TTPs, 3 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid   Process
4808  schtasks.exe
4512  schtasks.exe
340   schtasks.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
pid   Process
1468  WinDriversQt.exe

Suspicious use of WriteProcessMemory (11 IoCs)
description  pid  Process  procid_target
PID 4896 wrote to memory of 1468  4896  2025-04-20_2a26ed689a49e2b3cfd71901147f8303_black-basta_cova_cryptbot_elex_hawkeye_luca-stealer.exe  78
PID 4896 wrote to memory of 1468  4896  2025-04-20_2a26ed689a49e2b3cfd71901147f8303_black-basta_cova_cryptbot_elex_hawkeye_luca-stealer.exe  78
PID 4896 wrote to memory of 1468  4896  2025-04-20_2a26ed689a49e2b3cfd71901147f8303_black-basta_cova_cryptbot_elex_hawkeye_luca-stealer.exe  78
PID 4896 wrote to memory of 1300  4896  2025-04-20_2a26ed689a49e2b3cfd71901147f8303_black-basta_cova_cryptbot_elex_hawkeye_luca-stealer.exe  82
PID 4896 wrote to memory of 1300  4896  2025-04-20_2a26ed689a49e2b3cfd71901147f8303_black-basta_cova_cryptbot_elex_hawkeye_luca-stealer.exe  82
PID 4896 wrote to memory of 1300  4896  2025-04-20_2a26ed689a49e2b3cfd71901147f8303_black-basta_cova_cryptbot_elex_hawkeye_luca-stealer.exe  82
PID 1468 wrote to memory of 4876  1468  WinDriversQt.exe  84
PID 1468 wrote to memory of 4876  1468  WinDriversQt.exe  84
PID 4896 wrote to memory of 4192  4896  2025-04-20_2a26ed689a49e2b3cfd71901147f8303_black-basta_cova_cryptbot_elex_hawkeye_luca-stealer.exe  83
PID 4896 wrote to memory of 4192  4896  2025-04-20_2a26ed689a49e2b3cfd71901147f8303_black-basta_cova_cryptbot_elex_hawkeye_luca-stealer.exe  83
PID 4896 wrote to memory of 4192  4896  2025-04-20_2a26ed689a49e2b3cfd71901147f8303_black-basta_cova_cryptbot_elex_hawkeye_luca-stealer.exe  83
Processes
(indentation shows the parent/child level of the process tree)

C:\Users\Admin\AppData\Local\Temp\2025-04-20_2a26ed689a49e2b3cfd71901147f8303_black-basta_cova_cryptbot_elex_hawkeye_luca-stealer.exe (PID 4896)
  cmdline: "C:\Users\Admin\AppData\Local\Temp\2025-04-20_2a26ed689a49e2b3cfd71901147f8303_black-basta_cova_cryptbot_elex_hawkeye_luca-stealer.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\WinDriversQt.exe (PID 1468)
      cmdline: "C:\Users\Admin\AppData\Roaming\WinDriversQt.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\cmd.exe (PID 4876)
          cmdline: "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\B14E.tmp\B14F.tmp\B150.bat C:\Users\Admin\AppData\Roaming\WinDriversQt.exe"

            C:\Windows\system32\reg.exe (PID 1916)
              cmdline: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
            C:\Windows\system32\reg.exe (PID 3540)
              cmdline: reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
            C:\Windows\system32\reg.exe (PID 896)
              cmdline: reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
            C:\Windows\system32\reg.exe (PID 4540)
              cmdline: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
            C:\Windows\system32\reg.exe (PID 4992)
              cmdline: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
            C:\Windows\system32\reg.exe (PID 2892)
              cmdline: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
            C:\Windows\system32\reg.exe (PID 2836)
              cmdline: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
            C:\Windows\system32\reg.exe (PID 3344)
              cmdline: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
            C:\Windows\system32\reg.exe (PID 784)
              cmdline: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
            C:\Windows\system32\reg.exe (PID 3808)
              cmdline: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
            C:\Windows\system32\reg.exe (PID 2328)
              cmdline: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
            C:\Windows\system32\reg.exe (PID 4168)
              cmdline: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
            C:\Windows\system32\reg.exe (PID 2468)
              cmdline: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
            C:\Windows\system32\reg.exe (PID 3888)
              cmdline: reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
            C:\Windows\system32\reg.exe (PID 2124)
              cmdline: reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
            C:\Windows\system32\schtasks.exe (PID 2716)
              cmdline: schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
            C:\Windows\system32\schtasks.exe (PID 1040)
              cmdline: schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
            C:\Windows\system32\schtasks.exe (PID 3048)
              cmdline: schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
            C:\Windows\system32\schtasks.exe (PID 5024)
              cmdline: schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
            C:\Windows\system32\schtasks.exe (PID 1396)
              cmdline: schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
            C:\Windows\system32\reg.exe (PID 3016)
              cmdline: reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
            C:\Windows\system32\reg.exe (PID 1096)
              cmdline: reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
            C:\Windows\system32\reg.exe (PID 1472)
              cmdline: reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
            C:\Windows\system32\reg.exe (PID 992)
              cmdline: reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
            C:\Windows\system32\reg.exe (PID 3692)
              cmdline: reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
            C:\Windows\system32\reg.exe (PID 1196)
              cmdline: reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
            C:\Windows\system32\reg.exe (PID 1336)
              cmdline: reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
            C:\Windows\system32\reg.exe (PID 3236)
              cmdline: reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
            C:\Windows\system32\reg.exe (PID 2116)
              cmdline: reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
            C:\Windows\system32\reg.exe (PID 2840)
              cmdline: reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f

    C:\Users\Admin\AppData\Roaming\ROJid3crwtijBOi.exe (PID 1300)
      cmdline: "C:\Users\Admin\AppData\Roaming\ROJid3crwtijBOi.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

        C:\Windows\SysWOW64\schtasks.exe (PID 4808)
          cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DiFGHpZsWh" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7F0E.tmp"
          - Scheduled Task/Job: Scheduled Task
        C:\Users\Admin\AppData\Roaming\ROJid3crwtijBOi.exe (PID 2972)
          cmdline: "{path}"
        C:\Users\Admin\AppData\Roaming\ROJid3crwtijBOi.exe (PID 4604)
          cmdline: "{path}"
        C:\Users\Admin\AppData\Roaming\ROJid3crwtijBOi.exe (PID 2708)
          cmdline: "{path}"

    C:\Users\Admin\AppData\Roaming\YrtbHB5Gfq2BVO9.exe (PID 4192)
      cmdline: "C:\Users\Admin\AppData\Roaming\YrtbHB5Gfq2BVO9.exe"
      - Executes dropped EXE

        C:\Windows\SysWOW64\schtasks.exe (PID 4512)
          cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SDgtKxxeaGYFg" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7F10.tmp"
          - Scheduled Task/Job: Scheduled Task
        C:\Users\Admin\AppData\Roaming\YrtbHB5Gfq2BVO9.exe (PID 876)
          cmdline: "{path}"

    C:\Users\Admin\AppData\Roaming\ZeXD3PhMCqyv9oV.exe (PID 3368)
      cmdline: "C:\Users\Admin\AppData\Roaming\ZeXD3PhMCqyv9oV.exe"

        C:\Windows\SysWOW64\schtasks.exe (PID 340)
          cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yBrhLIdmRX" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7F0F.tmp"
          - Scheduled Task/Job: Scheduled Task
        C:\Users\Admin\AppData\Roaming\ZeXD3PhMCqyv9oV.exe (PID 3516)
          cmdline: "{path}"

    C:\Users\Admin\AppData\Roaming\nb662-full.exe (PID 3264)
      cmdline: "C:\Users\Admin\AppData\Roaming\nb662-full.exe"
Network
MITRE ATT&CK Enterprise v16
Downloads

Filesize: 3KB
MD5: 665f21a9b6730aa08e62473e481b8c55
SHA1: 717d52e75ac16bf032299828dd61c86af281eb43
SHA256: dcaba420b47b5527bd3761ae8a2b76bbbf387100613b7c2f256cfe9ec58fb579
SHA512: b3c6fe2555613f4f7b30ba434e94421c397008a999ff5c07b5df349c550ef6b4d2a8b831208ad3bb25998bf9d2fe0dbb86414ef23ef9216211ab96373d9b6f1e

Filesize: 1KB
MD5: 21533b9e9b48512d41f4766286d9f54c
SHA1: df97ece7c973ebbbf8a10b5ca60aac70e6359540
SHA256: d8c83f60e0b10b9a681336aa2c6776038c9d3f1ca2454e5bb7798a5bdbca4971
SHA512: 40327c0b570c039df00d9bbe7d0fd7c8cf8e7376d3b637545b687aa1c53e23e88d8673a9a1ab50e9dbc59ff31921abc3e45de55063c6f5c5af3d2c9b2a9f9d44

Filesize: 14KB
MD5: 2a03c4a7ac5ee5e0e0a683949f70971b
SHA1: 3bd9877caaea4804c0400420494ad1143179dcec
SHA256: d4f0042d8e7622b7e14395e926dd02edab3cdc77e82d88108b67a4d2cee9229b
SHA512: 1942cdb522859f8dba46824786e361794a62e6201279201e1e0e2e07499fb6252933c5661782fccd77291c3650cafb2a7a08eee5431c8238f0da44840ee4c476

Filesize: 5KB
MD5: ebd0da54db9f12ffd15206cc24355793
SHA1: 910be3bebdde55eb1ce05915a79f01ebdc622786
SHA256: 4066a0cbd9f6bb13c0f6fb064d4647ef7bc68a1be3d0caa4460b5ffd9ed1e0e6
SHA512: cee09db96267b1a30477ff074988606bdf35f9a5aa798a9a10029b11c0c347ab42a124320d777acde458828954cc8cf1a489b1673b31d589cdc4f50d4b86659d

Filesize: 11KB
MD5: 6f5257c0b8c0ef4d440f4f4fce85fb1b
SHA1: b6ac111dfb0d1fc75ad09c56bde7830232395785
SHA256: b7ccb923387cc346731471b20fc3df1ead13ec8c2e3147353c71bb0bd59bc8b1
SHA512: a3cc27f1efb52fb8ecda54a7c36ada39cefeabb7b16f2112303ea463b0e1a4d745198d413eebb3551e012c84a20dcdf4359e511e51bc3f1a60b13f1e3bad1aa8

Filesize: 14KB
MD5: 4814167aa1c7ec892e84907094646faa
SHA1: a57a5ecbdfa9a8777a3c587f1acb02b783afc5ee
SHA256: 32dd7269abf5a0e5db888e307d9df313e87cef4f1b597965a9d8e00934658822
SHA512: fb1f35e393997ecd2301f371892b59574ee6b666095c3a435336160481f6ef7ed5635c90ce5d2cf88e5ef4a5affb46cb841b7d17e7981bd6e998531193f5d067

Filesize: 4KB
MD5: 8ef0e4eb7c89cdd2b552de746f5e2a53
SHA1: 820f681e7cec409a02b194a487d1c8af1038acf0
SHA256: 41293b9f6588e0fbdc8fcf2a9bd8e2b244cd5ff038fc13033378da337219c9dc
SHA512: a68533e8a19637d0d44219549b24baba0dc4824424842f125600fda3edcafc4bb6bb340d57a00815f262d82373b440d58d6e4e5b2ceb29bb3f6bc4cbde66c3c5

Filesize: 4KB
MD5: d25102051b33f61c9f7fb564a4556219
SHA1: c683964c11d5175171bd009cb08f87592c923f85
SHA256: e58e5d1d8da2ea526d0d754b4faad3773021166b0720723efb7b30f1f5075398
SHA512: 8828eec31926251d7e51b5bf1050c3519c9b7fca4f978fb6ee0bf18f9642c3460687f10ff79e5892100ecadbf49725711567c348e1dfccb3644bd9ef992a92f0

Filesize: 9KB
MD5: d9256d9acaecabb20b7e9a1595abfa36
SHA1: ece1cab181dac7729246da1d4494b8daa10c3b70
SHA256: d7b2c55977a541f8d075e48d4e0a82eec79ad247b0ed168c19a8518131acd19c
SHA512: 5827cdbfde0e766d1b74ecb22f9614232031da41c21d0f6ff6c9d5dcdfc0adc23e8fd616eb020ab42208932444b5e0cb1e6d6e698bead412eae19624a180b6ff

Filesize: 1KB
MD5: 99757558dcf54d4ef129f8ce06ab0abc
SHA1: 87a512fd9f09a5333b7edbfbc4525ece25f457f3
SHA256: 09629e136aa57495f07732c5cd5e3e04eb9244e2b16d8d6478bc7153a7ae3fd8
SHA512: bf7240d5369b09789a768f8653c6c0ec49b2d3bbc2548b00f0476fa0ce4b33ad3b262e849ee03e25f73202069fd3eea74f13c1f5e8110e206d896ac8bafefdf3

Filesize: 1KB
MD5: 208344347dd6b0c54f85e66f6aa78480
SHA1: b72f81b8ad0f85e752a57a053eb21a05aadb822c
SHA256: 347401de3cfacbbbc16d84ae0f9bdab13166e1ea0abd554fe158a025d18c7613
SHA512: 2295c8fba889be0bdd155e30716d3b254642453291bcc74d6c50b663b052a2a86e369977342c3975700b0de0c3de7f956b8364812f47bc0966f5e35d3ca14906

Filesize: 1KB
MD5: 6505475046c7ce0540dc2625534a035b
SHA1: 1c7cfd290c88c9876b4a2230bfb15981f53d11fe
SHA256: 2dc1c2039d706fb941b02f5854e2c3b9453d1910c9d4e90470cd6289ef35c8e5
SHA512: 3ab4e6e39b6cb2a5ec7f4192c185fffa35f1db827ce6fb41f0764e957c8bc931bc9c9e18267aac9a3f464eff120c2086442c61cf827e8e9504b48fa96693374c

Filesize: 1.2MB
MD5: 9de85017f17de5b5872d27c4f66ca576
SHA1: abb2c3c99e58e498241f3c5b149821b79dbd1f21
SHA256: 0771ac3786c447e25abdbbfd18f67b5c25405a4266add5a227c1d69ff5048ce0
SHA512: 1265ab52ae96a97372316e2c0f1e8d648d0de7721d80a48340fb991038b6ffba640602d8592cffaa614db9b4f844b69e1d2988049a117631fe755d55759310e5

Filesize: 91KB
MD5: 279205de551b3053fc8b973150577120
SHA1: 8a78379b3af83ac4f2b1b07b7f968e2db7d1ea0b
SHA256: 1d4070b3c282670191d1c5236ccad902e44e33a4d3211488eb52cd4e5223b159
SHA512: 29664cb6ff47e5b0016076f7a3c248ed1deb90150669a4cc7357b7a190bd348372f551a652f92c459190ad479ed646cb7be465c389d039d74c5acb3eb254487b

Filesize: 1.2MB
MD5: 6c18cac0ed1782d322f237f060c4f07d
SHA1: fee4ecc2fc6c2189a81486bfa2d1a8a182100671
SHA256: 6443b61c3f5404dbcd4538e7636a9b1d4b6e5b07f38d95fd9a7794f7f30934e2
SHA512: 693d607ee51aec95d070fdc52f9ceb6716b6d36cb89184b67394cdca53c4afa9ca8bff761d39cf4290cf24ceaf5542f1868c029ed56341e92f46b9553c8899d9

Filesize: 1.2MB
MD5: a5cc020492b0db504a7df2dbfed86cd1
SHA1: 11fb92cd5b25dfd3a02220286f49d426b3f9d003
SHA256: e98a538725d3864aff69872345f950c572d4b4b727e7c916c0de37e813dbc03d
SHA512: ac69d9d6d0bc8cd632356b0c9bbc6eac6a91f6ab3ff7b3d1cbcdd5ff86cb0414643e251d2e6893afd614336c056914a815c2114b0fbc685f4a2fa780af1b0115

Filesize: 12.2MB
MD5: 2ea0aa5b989197690e73372dc23ae796
SHA1: 497d114039585271b89fe954cea473fe32f33772
SHA256: 16c723380e74451ae1e7ca45c4abbc4773d4da194f92817d72ffaaa3da5f66f4
SHA512: 20ce64434a4cb0a806216e2647d67167a0c953e23d9ac2f8cfb80bf2c4638271d861463c802af156621a28a5c5d78e1b15c616b2e9ee2189bffeff5f7d25541d