netwire | 514e28bcbebe384b8fb709dcce50863dfffecebfa6b103b2008c60f58fb4bddc | Triage

Submit
Reports

Overview

overview

Static

static

3

992df14edd...18.exe

windows7-x64

992df14edd...18.exe

windows10-2004-x64

Sharing

General

Target

992df14edd25e8988a892d95293c54bb_JaffaCakes118
Size

489KB
Sample

240605-zcg6cahf95
MD5

992df14edd25e8988a892d95293c54bb
SHA1

b064c32b71e598b65cb199e955c489777b0c9f8a
SHA256

514e28bcbebe384b8fb709dcce50863dfffecebfa6b103b2008c60f58fb4bddc
SHA512

14bfa5e14f93ca1320b2bec29e57f4d8a3a940e0b225d9f6074192712eb098932ea6deab626bc3b150eff02549354ad29804ac5357af722d2b20ea189468b4f9
SSDEEP

12288:ZRl+2QMSc+ZqLOz7dKFHeSJ7zdGsPpv2NwdA:uZjKNeSJ7zdGshk

Score

10^/10

netwire botnet persistence rat stealer

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

992df14edd25e8988a892d95293c54bb_JaffaCakes118.exe

Resource

win7-20240508-en

netwire botnet persistence rat stealer

windows7-x64

10 signatures

150 seconds

Behavioral task

behavioral2

Sample

992df14edd25e8988a892d95293c54bb_JaffaCakes118.exe

Resource

win10v2004-20240508-en

netwire botnet persistence rat stealer

windows10-2004-x64

10 signatures

150 seconds

Malware Config

Extracted

Family

netwire

C2

fdghfghdfghjhgjkgfgjh234569.ru:6973

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
a2nw
lock_executable
false
mutex
MRKRwsXI
offline_keylogger
false
password
rdfs34df32sdf
registry_autorun
false
use_mutex
true

Targets

- Target
  
  992df14edd25e8988a892d95293c54bb_JaffaCakes118
- Size
  
  489KB
- MD5
  
  992df14edd25e8988a892d95293c54bb
- SHA1
  
  b064c32b71e598b65cb199e955c489777b0c9f8a
- SHA256
  
  514e28bcbebe384b8fb709dcce50863dfffecebfa6b103b2008c60f58fb4bddc
- SHA512
  
  14bfa5e14f93ca1320b2bec29e57f4d8a3a940e0b225d9f6074192712eb098932ea6deab626bc3b150eff02549354ad29804ac5357af722d2b20ea189468b4f9
- SSDEEP
  
  12288:ZRl+2QMSc+ZqLOz7dKFHeSJ7zdGsPpv2NwdA:uZjKNeSJ7zdGshk
Score

10^/10

netwire botnet persistence rat stealer
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

netwirebotnetpersistenceratstealer

behavioral2

netwirebotnetpersistenceratstealer

© 2018-2024

Terms | Privacy