netwire | bb988ff7e440eb871321f3d5ee94c7d241d4929e57b0e687e3ee61466b6880f6 | Triage

Submit
Reports

Overview

overview

Static

static

Lnsathwafh...ed.exe

windows7_x64

Lnsathwafh...ed.exe

windows10_x64

Sharing

General

Target

LnsathwafhvylbbptobwoppapjxmujmvteSigned.exe
Size

277KB
Sample

210626-g36vg9wyf2
MD5

4e2ff191c86e45f399d0f31a5c42b60b
SHA1

1e399895e5837ac9a77a1fa890a82a92e9e6c14d
SHA256

bb988ff7e440eb871321f3d5ee94c7d241d4929e57b0e687e3ee61466b6880f6
SHA512

818b9a4e9ef9542c2a992ca5896bc236d7ab7d0948f44f8dfecc1097b439ff3192727cfa4a765b6452bb265f541f136e65987c719e640573e5508ad2c0d6df89

Score

10^/10

netwire botnet persistence rat stealer

Static task

static1

Behavioral task

behavioral1

Sample

LnsathwafhvylbbptobwoppapjxmujmvteSigned.exe

Resource

win7v20210410

netwire botnet persistence rat stealer

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

LnsathwafhvylbbptobwoppapjxmujmvteSigned.exe

Resource

win10v20210408

netwire botnet persistence rat stealer

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

netwire

C2

147.124.221.3:2405

Attributes

activex_autorun
false
activex_key
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
install_path
keylogger_dir
%AppData%\Logs\Service\
lock_executable
true
mutex
EgYSugKI
offline_keylogger
true
password
Password
registry_autorun
false
startup_name
use_mutex
true

Targets

- Target
  
  LnsathwafhvylbbptobwoppapjxmujmvteSigned.exe
- Size
  
  277KB
- MD5
  
  4e2ff191c86e45f399d0f31a5c42b60b
- SHA1
  
  1e399895e5837ac9a77a1fa890a82a92e9e6c14d
- SHA256
  
  bb988ff7e440eb871321f3d5ee94c7d241d4929e57b0e687e3ee61466b6880f6
- SHA512
  
  818b9a4e9ef9542c2a992ca5896bc236d7ab7d0948f44f8dfecc1097b439ff3192727cfa4a765b6452bb265f541f136e65987c719e640573e5508ad2c0d6df89
Score

10^/10

netwire botnet persistence rat stealer
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

netwirebotnetpersistenceratstealer

behavioral2

netwirebotnetpersistenceratstealer

© 2018-2024

Terms | Privacy