netwire | 417b4a38fff2e60e2a4178bd99f6a7c41e3e1ddd6c4a1384982c7907e952b671 | Triage

Submit
Reports

Overview

overview

Static

static

417b4a38ff...71.exe

windows7_x64

417b4a38ff...71.exe

windows10_x64

Sharing

General

Target

417b4a38fff2e60e2a4178bd99f6a7c41e3e1ddd6c4a1384982c7907e952b671
Size

879KB
Sample

210228-k25z87ycye
MD5

b9c4eb9e4f25e6a069d6f4045e5f287f
SHA1

097022888985aafaf745dbf018b1ce7ed3056d11
SHA256

417b4a38fff2e60e2a4178bd99f6a7c41e3e1ddd6c4a1384982c7907e952b671
SHA512

dcf56268a85a47f7b223473b2ed8c55e55a480ba655ad958c7206e0ab5d6a953853ea0e224e50db999e6fc8724d4d21f0e3b406923c4cb79219822614e207cae

Score

10^/10

netwire bootkit botnet persistence rat stealer upx

Static task

static1

Behavioral task

behavioral1

Sample

417b4a38fff2e60e2a4178bd99f6a7c41e3e1ddd6c4a1384982c7907e952b671.exe

Resource

win7v20201028

netwire bootkit botnet persistence rat stealer upx

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

417b4a38fff2e60e2a4178bd99f6a7c41e3e1ddd6c4a1384982c7907e952b671.exe

Resource

win10v20201028

netwire botnet persistence rat stealer upx

windows10_x64

0 signatures

0 seconds

Malware Config

Targets

- Target
  
  417b4a38fff2e60e2a4178bd99f6a7c41e3e1ddd6c4a1384982c7907e952b671
- Size
  
  879KB
- MD5
  
  b9c4eb9e4f25e6a069d6f4045e5f287f
- SHA1
  
  097022888985aafaf745dbf018b1ce7ed3056d11
- SHA256
  
  417b4a38fff2e60e2a4178bd99f6a7c41e3e1ddd6c4a1384982c7907e952b671
- SHA512
  
  dcf56268a85a47f7b223473b2ed8c55e55a480ba655ad958c7206e0ab5d6a953853ea0e224e50db999e6fc8724d4d21f0e3b406923c4cb79219822614e207cae
Score

10^/10

netwire bootkit botnet persistence rat stealer upx
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- ACProtect 1.3x - 1.4x DLL software
  Detects file using ACProtect software.
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Bootkit

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

netwirebootkitbotnetpersistenceratstealerupx

behavioral2

netwirebotnetpersistenceratstealerupx

© 2018-2024

Terms | Privacy