netwire | 3994471e828d2d7e89e3c7c07ef01662173333700ac9dc14461b3e418cb75db7 | Triage

Submit
Reports

Overview

overview

Static

static

New-Order ...h.xlsx

windows7_x64

New-Order ...h.xlsx

windows10_x64

1

Sharing

General

Target

New-Order December-15th.xlsx
Size

2.3MB
Sample

201215-6y9fpc37ea
MD5

e03ed5e77e5800540f0448a8318eaf34
SHA1

56af39d425961607df89dabb30480038828701c0
SHA256

3994471e828d2d7e89e3c7c07ef01662173333700ac9dc14461b3e418cb75db7
SHA512

4d26a232dd177a2670fc4272823d7de3feb30e06d9970b331c02e1b299df5dca7811e4ccae707cb4b5018d8b08af70ca2b265fe1fde5a0650ebb9e54ae01eb76

Score

10^/10

netwire botnet evasion persistence rat stealer

Static task

static1

Behavioral task

behavioral1

Sample

New-Order December-15th.xlsx

Resource

win7v20201028

netwire botnet evasion persistence rat stealer

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

New-Order December-15th.xlsx

Resource

win10v20201028

windows10_x64

0 signatures

0 seconds

Malware Config

Targets

- Target
  
  New-Order December-15th.xlsx
- Size
  
  2.3MB
- MD5
  
  e03ed5e77e5800540f0448a8318eaf34
- SHA1
  
  56af39d425961607df89dabb30480038828701c0
- SHA256
  
  3994471e828d2d7e89e3c7c07ef01662173333700ac9dc14461b3e418cb75db7
- SHA512
  
  4d26a232dd177a2670fc4272823d7de3feb30e06d9970b331c02e1b299df5dca7811e4ccae707cb4b5018d8b08af70ca2b265fe1fde5a0650ebb9e54ae01eb76
Score

10^/10

netwire botnet evasion persistence rat stealer
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Looks for VirtualBox Guest Additions in registry
  evasion
- Blocklisted process makes network request
- Executes dropped EXE
- Looks for VMWare Tools registry key
  evasion
- Modifies Installed Components in the registry
  persistence
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Loads dropped DLL
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Exploitation for Client Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

Virtualization/Sandbox Evasion

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

netwirebotnetevasionpersistenceratstealer

behavioral2

© 2018-2024

Terms | Privacy