netwire | 0b06f4036cfeb9bebf96463b887c650c40dbde0128800dc8872318b4b13f48f5 | Triage

Submit
Reports

Overview

overview

Static

static

ORDER INQUIRY.doc

windows7_x64

ORDER INQUIRY.doc

windows10_x64

1

Sharing

General

Target

ORDER INQUIRY.doc
Size

1.5MB
Sample

210503-yaf2xe7282
MD5

76d29c28ca7c670367293ca72b21c35a
SHA1

4572896caccc56875f0223c84348531daa61d827
SHA256

0b06f4036cfeb9bebf96463b887c650c40dbde0128800dc8872318b4b13f48f5
SHA512

58a6f8a0bd66354588e65a77d554695fab02f83acedc8eef9f1483b6cc0282d8f10ebb6fe2f11dfe27d5428e5453f7aec9364b8fcc38eb912f5819ea71e598eb

Score

10^/10

netwire agilenet botnet rat stealer

Static task

static1

Behavioral task

behavioral1

Sample

ORDER INQUIRY.doc

Resource

win7v20210408

netwire agilenet botnet rat stealer

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

ORDER INQUIRY.doc

Resource

win10v20210410

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

netwire

C2

79.134.225.52:31360

Attributes

activex_autorun
false
activex_key
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
install_path
keylogger_dir
lock_executable
false
mutex
offline_keylogger
false
password
Favor1000$
registry_autorun
false
startup_name
use_mutex
false

Targets

- Target
  
  ORDER INQUIRY.doc
- Size
  
  1.5MB
- MD5
  
  76d29c28ca7c670367293ca72b21c35a
- SHA1
  
  4572896caccc56875f0223c84348531daa61d827
- SHA256
  
  0b06f4036cfeb9bebf96463b887c650c40dbde0128800dc8872318b4b13f48f5
- SHA512
  
  58a6f8a0bd66354588e65a77d554695fab02f83acedc8eef9f1483b6cc0282d8f10ebb6fe2f11dfe27d5428e5453f7aec9364b8fcc38eb912f5819ea71e598eb
Score

10^/10

netwire agilenet botnet rat stealer
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Exploitation for Client Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

netwireagilenetbotnetratstealer

behavioral2

© 2018-2024

Terms | Privacy