netwire

Sharing

Copy URL

Twitter E-mail

General

Target

7d674a947b095c8c8c3a3cfa42ffe88a_JaffaCakes118
Size

339KB
Sample

240528-sjpenshh41
MD5

7d674a947b095c8c8c3a3cfa42ffe88a
SHA1

5b6865b9e2c3e2deb11d4582b54f1e55f8ec03cb
SHA256

d618b457c1310790385c4efeb88e8afaa61876e42b17bc329bb148694a4b5a00
SHA512

fcb5903f70c0ed65ccd8a1eb78e72af2df5ba63c14b87f66d352c031fbcba59f0387e6c2e15af4effe6da2fa399399651014b3fe62dab6fe36ca644cce5f40dd
SSDEEP

6144:WPCganNaNG3j+Jx7DwGGuYBpar6n8z/w25BloiGjwoj6IkESqDLsM4REag:kansNGT+JxXwGQ828r/57PIDD7wlg

Score

10^/10

Malware Config

Extracted

Family

netwire

bushuc009.duckdns.org:1982

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
DP
lock_executable
false
offline_keylogger
false
password
Password
registry_autorun
false
use_mutex
false

Targets

- Target
  
  7d674a947b095c8c8c3a3cfa42ffe88a_JaffaCakes118
- Size
  
  339KB
- MD5
  
  7d674a947b095c8c8c3a3cfa42ffe88a
- SHA1
  
  5b6865b9e2c3e2deb11d4582b54f1e55f8ec03cb
- SHA256
  
  d618b457c1310790385c4efeb88e8afaa61876e42b17bc329bb148694a4b5a00
- SHA512
  
  fcb5903f70c0ed65ccd8a1eb78e72af2df5ba63c14b87f66d352c031fbcba59f0387e6c2e15af4effe6da2fa399399651014b3fe62dab6fe36ca644cce5f40dd
- SSDEEP
  
  6144:WPCganNaNG3j+Jx7DwGGuYBpar6n8z/w25BloiGjwoj6IkESqDLsM4REag:kansNGT+JxXwGQ828r/57PIDD7wlg
Score

10^/10

netwire botnet rat stealer
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Blocklisted process makes network request
- Loads dropped DLL
behavioral1 behavioral2
- Target
  
  $APPDATA/sys/Office/36.opends60.dll
- Size
  
  43B
- MD5
  
  3510e1a551a657442115b9e84e0d39c5
- SHA1
  
  e6ec919a91a257701a6e1546c3c30175434b6508
- SHA256
  
  ba56d29628c2ecf5ed376a0aebfd32ce186530338e5ca8f863a224e9d3e5f77e
- SHA512
  
  a872b5d0732eb993b7197593920b69ac073fd1107f3fb42b09e8ef6ec3bea436df7459f17b352c2ba2280c91ea9d1eb80802a874305faed789bc93a82cf4a60b
Score

1^/10
behavioral3 behavioral4
- Target
  
  $APPDATA/sys/Office/51.opends60.dll
- Size
  
  50B
- MD5
  
  81d2e779daf6490730f4ad8a4baa6647
- SHA1
  
  b8458bdd5ae0d00be7f52e1aeba25e260bc43202
- SHA256
  
  15d85f4938b80699821f491e4a98695f8aca58bce9c5868ecc392a2bd48bc408
- SHA512
  
  4513bee7d29cb72eb05a4ca95f86b6112c3af922f3fe29949682052c69f4409fdacd0e01d8d5ce69a55f34b2638e2aa9e6280e8855f235946d3628cc2149c59b
Score

1^/10
behavioral5 behavioral6
- Target
  
  $APPDATA/sys/Office/MicrosoftVisualCVSCodeProvider.dll
- Size
  
  48KB
- MD5
  
  dea1dfbd72e2534ed39c737bfbfcd82d
- SHA1
  
  72ea9b3a4017d0c37d0f5b20e02008ffbc88b79d
- SHA256
  
  d828cda4a89557b24cc2a492cb3f6b09ec69c3ea00d36f5024b58942db9d76ea
- SHA512
  
  254c575fa45b90d58111336600b1df25b33ac246c75b4edf4abc7500e118a66a78a26871af046bcb080fc31e82181a4599e8ff4761cf560fdec7c1c7649ebe16
- SSDEEP
  
  768:ejSqkAVXYRXpXfkPcPMdFwBKmq5aYFRJevf:BqkAKfkkPMdmBKm2aygn
Score

1^/10
behavioral7 behavioral8
- Target
  
  $APPDATA/sys/Office/RapiConfig.exe
- Size
  
  48KB
- MD5
  
  f02fa25ace36dcfc491ee7f41997c11e
- SHA1
  
  2af5c48e738d8ba41a85813b72d33d6ffeae7250
- SHA256
  
  d34f198cc02a555f0519879c9b85bb23ca0b915cb7fda8d2351e94feea8f6a14
- SHA512
  
  8ee7d4fdf0ef63b68da7e623bcc5bc05095b539ee182de8a8323b052ffd449ea47122b23120bd06de1eaad5dcab5ee930bbf7611640aa7d97b13586cc4fa7f81
- SSDEEP
  
  768:kxxFjj8bk0Du+5wxA2MHt5fpPPOaoav6E0d:KFjjtqw6bHt5R9olE0d
Score

1^/10
behavioral10 behavioral9
- Target
  
  $APPDATA/sys/Office/clstencilui.dll
- Size
  
  4KB
- MD5
  
  6790a7cc406efdb00e4fc418e15029e5
- SHA1
  
  fe536f2dda753f9d025938fcd69757a0029544db
- SHA256
  
  52599b570e6b89beb84a79bcc7fb8b5f90d90653623ea5c17082babe6af90fce
- SHA512
  
  bf48e140a9c2e17bb5fb5028d69ebc130b2f5bbeedb71f722191db3329f8ce9ce551500aca181bc392c2a8e02941068c217d8fbeaf5c3cecd851c214568e7a6c
- SSDEEP
  
  96:gvLkWGNfeWPygGNLnJvjMgGv0gIxQy0lNn:3WGNfeWaLNLh0vLlN
Score

1^/10
behavioral11 behavioral12
- Target
  
  $APPDATA/sys/Office/sbsmscordbi.dll
- Size
  
  5KB
- MD5
  
  6990ed64de8a5f23479dfd05f1de0cdd
- SHA1
  
  8fd707e26d7214a5c551be9bc3473395f7649941
- SHA256
  
  655acb02d6237813a5b2affc39f599d2467dbf4b565924c2b9673f07380c6f59
- SHA512
  
  46ac17c268e85a048865d3742d91146ef9b12f5bd62bf5a40633e8836dce0551b12109f2e39537e8eac53826640d77b70574dc5adf3bc0c1d0541fc48aa30e5d
- SSDEEP
  
  48:C0ytDmxM83ljSffOuE4PYrR18gFN3oTNFlIuvUtZWNHWHlx+IBSy7F5WWrn5j:7ytDin2mu7gJpONd6Wt0b+IBp7jWu
Score

1^/10
behavioral13 behavioral14
- Target
  
  $APPDATA/test/formsend/27.opends60.dll
- Size
  
  47B
- MD5
  
  fc293570ce52f92ce01761d34bfed0f7
- SHA1
  
  c0840e7d89cf250706fcf7824823b74ada9f8a1a
- SHA256
  
  cb0505a4fdc0f12f10db7fcfd8a4fa837ef7874175e8992c822753e619503fc5
- SHA512
  
  f34c145d1aa2474d30dc6425aacf0d36d0d500d71815fcd79f25100c5a4e46d0bf2aa10720ca1145f1e1f809112f2c65b28d429b882f217e5853f01081179173
Score

1^/10
behavioral15 behavioral16
- Target
  
  $APPDATA/test/formsend/46.opends60.dll
- Size
  
  50B
- MD5
  
  be4f18116a0e9b6e9b1bbd5a8c658dc2
- SHA1
  
  d19f30f07391718bc15931fd142f9a23f7fad881
- SHA256
  
  48bfba37c5947eb3f651f27f526c5ed9d39b9096712556bd42269e852f826025
- SHA512
  
  545d7ef958cac2b91c2fa80f0f49c09e8795d397b264c5f73a5dd0a1c0c07c4083872e70af1235d325e1790c1d4b88ba7944d4b97923bff69a5420b5b276fcb4
Score

1^/10
behavioral17 behavioral18
- Target
  
  $APPDATA/test/formsend/u25dts.dll
- Size
  
  20KB
- MD5
  
  c2078ef235a007b4a7c033edab99581f
- SHA1
  
  99428a7f1a5e55a33f4dabcf496f5934d15e78ca
- SHA256
  
  6defe31cfa060451248fb8c5211a9e6ed8fb8ebf9efb0a0e53df3d78641dea5e
- SHA512
  
  480d3c896eb39a3236c9cea15af71299fe721579bbc6cd3897169cf76f90c6aae7153ef97aaec4f6a54e2b9c10343fc6f80170d62c53af0649d788fd92277e78
- SSDEEP
  
  384:ZSvZAWSUwp/q/tD18QykVj8YrfaLCcY9jBJJWs:ZSuWA+xHykVtraL38TJWs
Score

1^/10
behavioral19 behavioral20
- Target
  
  $APPDATA/test/formsend/vcbuild.dll
- Size
  
  11KB
- MD5
  
  1b84d7e16763d4686874c20e07437bec
- SHA1
  
  9d3088e977c5b6a322bdeb538487a73887fbcc0e
- SHA256
  
  a020d37724b738aab3c295917b6a23f8de45449177615a88e7c93627de424280
- SHA512
  
  4f9715ed1d8473c884965688dc9e4c06d53143240909c096ef340ed3e4ddf157331b0417fcb334a5c8b2b7c25b609f21262d8f3863567e3cbb4e05a3396f4821
- SSDEEP
  
  192:IIeYBmMNCZ2LjRj23/pv6u5TN3XSGMKS6vrkrbAVuWDxpBSWNLft5AgI/:LNBma2GjR23/IuToKS68nWD0WlftpW
Score

1^/10
behavioral21 behavioral22
- Target
  
  $TEMP/RhetorEnthymeme.dll
- Size
  
  40KB
- MD5
  
  d4e93d543311e967769bf26b2e72f1ec
- SHA1
  
  36cb67efe0fe2ea4afec3915c1aadd7eb11797ee
- SHA256
  
  d96f793cfde6ba3656d177e35007bc316725d70fdb81fb2d7234053a8dbf7d47
- SHA512
  
  a2de0bec4c060f92bd73737c4582cc3530408ca294db5c1b414706fc9822bbb008f63be3b78751d3048dc16fd55de4876241510eb38d22131577162990c03784
- SSDEEP
  
  768:9kXnd3E/VEhxuGkZh8PGnTEDL3vyT12wfu/:9kXdUOXat1T1rfu
Score

10^/10

netwire botnet rat stealer
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Blocklisted process makes network request
behavioral23 behavioral24
- Target
  
  $TEMP/idbc/form/41.opends60.dll
- Size
  
  42B
- MD5
  
  73236985ff3c5345a28ab783c574536e
- SHA1
  
  c0a7e93cae1682dc8f9b13b406d0df885e04ede0
- SHA256
  
  879a60d28d86c2bec56fcb54fddfa6c44ff5635e9df23fcd4c8d2afa98cc498b
- SHA512
  
  3ce299799b89706ac1091df50d624e5988ab2be1ffe62e712e3378957b9a9c5c27db17a7d1da4ab44dc3250199da6cb5b1ab595291f907fdb364a366206403c3
Score

1^/10
behavioral25 behavioral26
- Target
  
  $TEMP/lg/fun/Links/crtowordsit.dll
- Size
  
  18KB
- MD5
  
  5e1f8c9a977a745493e8b8bebb2a676d
- SHA1
  
  870d420a553e5b91601d6a39cad33e98751d5816
- SHA256
  
  14068930efce35318db559e951978a4da2b24479080f16af99bd206a8a432961
- SHA512
  
  e3e38401bf3e2900ad8be245528fae1da9a4eaf40df83f87e2d0a9a08167601467daf3fd489a3b5bcd1186fe8ea318f9bce92e9361a00b859a3ae46e467b83fa
- SSDEEP
  
  192:ZnPcXAAAVCfPl3p6aU62SK3Xz7Yg4j1LfdAL/CldolMvMjGwPyMojT+KzVMiDM5R:iAAft3aVjvg1LuLCcY9jBJJK
Score

1^/10
behavioral27 behavioral28
- Target
  
  $TEMP/trailer/CMAccept.exe
- Size
  
  20KB
- MD5
  
  ce9ec29c6b19dced820e0f2eea7c5237
- SHA1
  
  5ab22cf17095bc0d3ba18e753654cff4edfd0dab
- SHA256
  
  980a535ef48369fa83fe881e232c3f12ea34c93b06178b53ee441a73d54d7f02
- SHA512
  
  b6bae95f663e0fd9e3facd64719b650244d48b4afdb630ec8429654799200bbfc056f37c8ff506fb07c3c7e9f698447475e73ea852c4d0ca71167c17aa21c35f
- SSDEEP
  
  384:1z6qvCuzu45cE/lViXtz9bp3WNNW1Y1stEy1:1z6CzRNQh9bpKIEc
Score

1^/10
behavioral29 behavioral30
- Target
  
  $TEMP/trailer/SoapSudsCode.dll
- Size
  
  12KB
- MD5
  
  5edcc6ee883be2350317116a22002d3a
- SHA1
  
  fe69e48b4b67fb4c02b987387e8e567492b4d992
- SHA256
  
  6b7d09c8698c90846dbd325fe7ae35d4ac48ce86e0d7dd4455481b532400de52
- SHA512
  
  8f558161f54dad0b7a9868d8493bf2860c7e7c03a524adee240b3a1a2d01caab7f09da186735ea3b7e0ca8515a298a8634b9c2d16ade3d21ca6835c984536fb6
- SSDEEP
  
  192:VUN8oYhY/IlEKXf6ExZ2Yn44IpPUKJJk746NpdxCA4Fkj7lWhvNnZW/:VuhiEKXf6yZ2oEJs4WUFOlWhlnZW
Score

1^/10
behavioral31 behavioral32

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

Sharing

General

Malware Config

Extracted

Targets

NetWire RAT payload

Blocklisted process makes network request

Loads dropped DLL

NetWire RAT payload

Netwire

Blocklisted process makes network request

MITRE ATT&CK Matrix ATT&CK v13

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25

behavioral26

behavioral27

behavioral28

behavioral29

behavioral30

behavioral31

behavioral32