netwire

Sharing

Copy URL

Twitter E-mail

General

Target

8fb7ba35ba5fb5f59a4c6eb8edd8aef3d45492898640dee3488fbb8880d0bc56
Size

1.3MB
Sample

240528-3vdseshe6x
MD5

9d891a8f4f11245ccd5c4fa5f51b0f14
SHA1

e970b504704bfdb452a287e5e16734dd516fbcde
SHA256

8fb7ba35ba5fb5f59a4c6eb8edd8aef3d45492898640dee3488fbb8880d0bc56
SHA512

5a7c4602b09bb0c9ccc0dea3f637c266a9559c7d6d169899c6f610def0acd8b3486007074ccf6ed4a945928509d589811c1c581bfb4270fc0e67c8514f7e01e8
SSDEEP

24576:Ku6J33O0c+JY5UZ+XC0kGso6Fa720W4njUprvVcC1f2o5RRfgUWYZ:8u0c++OCvkGs9Fa+rd1f26RaYZ

Score

10^/10

Malware Config

Extracted

Family

netwire

Wealthy2019.com.strangled.net:20190

wealthyme.ddns.net:20190

Attributes

activex_autorun
false
copy_executable
true
delete_original
false
host_id
sunshineslisa
install_path
%AppData%\Imgburn\Host.exe
keylogger_dir
%AppData%\Logs\Imgburn\
lock_executable
false
offline_keylogger
true
password
sucess
registry_autorun
false
use_mutex
false

Extracted

Family

warzonerat

wealth.warzonedns.com:5202

Targets

- Target
  
  8fb7ba35ba5fb5f59a4c6eb8edd8aef3d45492898640dee3488fbb8880d0bc56
- Size
  
  1.3MB
- MD5
  
  9d891a8f4f11245ccd5c4fa5f51b0f14
- SHA1
  
  e970b504704bfdb452a287e5e16734dd516fbcde
- SHA256
  
  8fb7ba35ba5fb5f59a4c6eb8edd8aef3d45492898640dee3488fbb8880d0bc56
- SHA512
  
  5a7c4602b09bb0c9ccc0dea3f637c266a9559c7d6d169899c6f610def0acd8b3486007074ccf6ed4a945928509d589811c1c581bfb4270fc0e67c8514f7e01e8
- SSDEEP
  
  24576:Ku6J33O0c+JY5UZ+XC0kGso6Fa720W4njUprvVcC1f2o5RRfgUWYZ:8u0c++OCvkGs9Fa+rd1f26RaYZ
Score

10^/10

netwire warzonerat botnet infostealer rat stealer
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Warzone RAT payload
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

NetWire RAT payload

WarzoneRat, AveMaria

Warzone RAT payload

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

AutoIT Executable

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Tasks

static1

behavioral1

behavioral2