netwire

Sharing

Copy URL

Twitter E-mail

General

Target

3cc72e9e37f345ef803e18eec5b5e77cc260d8b0aabd934030eb6e47b6e2206d
Size

1.4MB
Sample

240604-zg1s9aag5s
MD5

99b20d88b4431a38c6faa951b45f4269
SHA1

e2ac95c352b96eae7064a3f7eb56725c52391930
SHA256

3cc72e9e37f345ef803e18eec5b5e77cc260d8b0aabd934030eb6e47b6e2206d
SHA512

27a76810a651dd97d37f58d22f296945f0353e0f9a0fd103e60b1d828f0ecd7a209ac09b3eece8550614e0110e1e57424f6447adab4d783531ab461efd1ed4f7
SSDEEP

24576:ru6J3xO0c+JY5UZ+XCHkGso6Fa720W4njUprvVcC1f2o5RRfgdWYa:Fo0c++OCokGs9Fa+rd1f26RNYa

Score

10^/10

Malware Config

Extracted

Family

netwire

Wealthy2019.com.strangled.net:20190

wealthyme.ddns.net:20190

Attributes

activex_autorun
false
copy_executable
true
delete_original
false
host_id
sunshineslisa
install_path
%AppData%\Imgburn\Host.exe
keylogger_dir
%AppData%\Logs\Imgburn\
lock_executable
false
offline_keylogger
true
password
sucess
registry_autorun
false
use_mutex
false

Extracted

Family

warzonerat

wealth.warzonedns.com:5202

Targets

- Target
  
  3cc72e9e37f345ef803e18eec5b5e77cc260d8b0aabd934030eb6e47b6e2206d
- Size
  
  1.4MB
- MD5
  
  99b20d88b4431a38c6faa951b45f4269
- SHA1
  
  e2ac95c352b96eae7064a3f7eb56725c52391930
- SHA256
  
  3cc72e9e37f345ef803e18eec5b5e77cc260d8b0aabd934030eb6e47b6e2206d
- SHA512
  
  27a76810a651dd97d37f58d22f296945f0353e0f9a0fd103e60b1d828f0ecd7a209ac09b3eece8550614e0110e1e57424f6447adab4d783531ab461efd1ed4f7
- SSDEEP
  
  24576:ru6J3xO0c+JY5UZ+XCHkGso6Fa720W4njUprvVcC1f2o5RRfgdWYa:Fo0c++OCokGs9Fa+rd1f26RNYa
Score

10^/10

netwire warzonerat botnet infostealer rat stealer
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Warzone RAT payload
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

NetWire RAT payload

WarzoneRat, AveMaria

Warzone RAT payload

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

AutoIT Executable

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Tasks

static1

behavioral1

behavioral2