netwire | b23e4ec41a7eaacf693fc9f0651c514720b0ba28773c85aa6b8aa682a42c3a23 | Triage

Submit
Reports

Overview

overview

Static

static

1

a97e85a405...18.exe

windows7-x64

a97e85a405...18.exe

windows10-2004-x64

Sharing

General

Target

a97e85a40509f6bbc7427edf6a1db4c8_JaffaCakes118
Size

273KB
Sample

240614-nvmm1ashkn
MD5

a97e85a40509f6bbc7427edf6a1db4c8
SHA1

f3e0bd2597e0d1f819337808dee52babc70f16f5
SHA256

b23e4ec41a7eaacf693fc9f0651c514720b0ba28773c85aa6b8aa682a42c3a23
SHA512

5f1559c5fa0f6f4fb378b28ed82e00ef6e64f635f91ed78e8acb683c550b2a9cb19e30ed7aaa9563cde8d804444dc5834cd7f953b2e60fafc775c0a5bd11dbaa
SSDEEP

6144:Q5NT96qD0nnPSe/NZ+CVtZsStyK7sSVR0ICW0SEMUSdGg1MRafm1QhO:U96q4nnPSeDtySo251MRafm1QU

Score

10^/10

netwire botnet persistence rat stealer

Static task

static1

Behavioral task

behavioral1

Sample

a97e85a40509f6bbc7427edf6a1db4c8_JaffaCakes118.exe

Resource

win7-20240221-en

netwire botnet persistence rat stealer

windows7-x64

9 signatures

150 seconds

Behavioral task

behavioral2

Sample

a97e85a40509f6bbc7427edf6a1db4c8_JaffaCakes118.exe

Resource

win10v2004-20240611-en

netwire botnet rat stealer

windows10-2004-x64

4 signatures

150 seconds

Malware Config

Extracted

Family

netwire

C2

46.20.33.82:3444

62.102.148.181:57980

46.165.208.108:3490

213.152.162.99:3829

109.163.226.153:3829

95.211.229.148:3939

31.171.155.48:3444

Attributes

activex_autorun
true
activex_key
{37BX32U8-4XG6-J37R-187I-4S4T4FD58C07}
copy_executable
true
delete_original
true
host_id
~PUMP~%Rand%
install_path
%AppData%\Microsoft\HKRUN.exe
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
fUpgdpBV
offline_keylogger
true
password
123456
registry_autorun
true
startup_name
Microsoft
use_mutex
true

Targets

- Target
  
  a97e85a40509f6bbc7427edf6a1db4c8_JaffaCakes118
- Size
  
  273KB
- MD5
  
  a97e85a40509f6bbc7427edf6a1db4c8
- SHA1
  
  f3e0bd2597e0d1f819337808dee52babc70f16f5
- SHA256
  
  b23e4ec41a7eaacf693fc9f0651c514720b0ba28773c85aa6b8aa682a42c3a23
- SHA512
  
  5f1559c5fa0f6f4fb378b28ed82e00ef6e64f635f91ed78e8acb683c550b2a9cb19e30ed7aaa9563cde8d804444dc5834cd7f953b2e60fafc775c0a5bd11dbaa
- SSDEEP
  
  6144:Q5NT96qD0nnPSe/NZ+CVtZsStyK7sSVR0ICW0SEMUSdGg1MRafm1QhO:U96q4nnPSeDtySo251MRafm1QU
Score

10^/10

netwire botnet persistence rat stealer
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Modifies Installed Components in the registry
  persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Subvert Trust Controls

Install Root Certificate

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

netwirebotnetpersistenceratstealer

behavioral2

netwirebotnetratstealer

© 2018-2024

Terms | Privacy