netwire | 45758c4c53cd20b6f598a9cba7185150543d829eee00aaa8dc565cefd59e9909 | Triage

Submit
Reports

Overview

overview

Static

static

SecuriteIn...84.exe

windows7_x64

SecuriteIn...84.exe

windows10_x64

Sharing

General

Target

SecuriteInfo.com.Backdoor.Remcos.20284
Size

866KB
Sample

201215-cwn2cnz46s
MD5

d543a59ba12985acaf4134c3ff427b86
SHA1

626f4d2877429d63586bc0ccfdf313911b6817c8
SHA256

45758c4c53cd20b6f598a9cba7185150543d829eee00aaa8dc565cefd59e9909
SHA512

80bfd4931b4a0e032fd583544cdf4fe36a0791d988b3ccfdcffe826fb1f93dabadf9de7f0a309da5eca1972839420e0c4bac796b9768d740075980459962689e

Score

10^/10

netwire botnet evasion persistence rat stealer

Static task

static1

Behavioral task

behavioral1

Sample

SecuriteInfo.com.Backdoor.Remcos.20284.exe

Resource

win7v20201028

netwire botnet evasion persistence rat stealer

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

SecuriteInfo.com.Backdoor.Remcos.20284.exe

Resource

win10v20201028

netwire botnet evasion persistence rat stealer

windows10_x64

0 signatures

0 seconds

Malware Config

Targets

- Target
  
  SecuriteInfo.com.Backdoor.Remcos.20284
- Size
  
  866KB
- MD5
  
  d543a59ba12985acaf4134c3ff427b86
- SHA1
  
  626f4d2877429d63586bc0ccfdf313911b6817c8
- SHA256
  
  45758c4c53cd20b6f598a9cba7185150543d829eee00aaa8dc565cefd59e9909
- SHA512
  
  80bfd4931b4a0e032fd583544cdf4fe36a0791d988b3ccfdcffe826fb1f93dabadf9de7f0a309da5eca1972839420e0c4bac796b9768d740075980459962689e
Score

10^/10

netwire botnet evasion persistence rat stealer
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Looks for VirtualBox Guest Additions in registry
  evasion
- Looks for VMWare Tools registry key
  evasion
- Modifies Installed Components in the registry
  persistence
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Adds Run key to start application
  persistence
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Modify Registry

Credential Access

Discovery

Query Registry

Virtualization/Sandbox Evasion

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

netwirebotnetevasionpersistenceratstealer

behavioral2

netwirebotnetevasionpersistenceratstealer

© 2018-2024

Terms | Privacy