netwire | 4f10d7a2e964aa6c91e4b2da80fe82f8a566ca8a541592a4789b48f4dba11581 | Triage

Sharing

General

Target

60d234d54c25dcef19a64ded3a587072
Size

160KB
Sample

210708-yag42b8zhx
MD5

60d234d54c25dcef19a64ded3a587072
SHA1

7209018f3e29225363f92f7e04e35ca7001dcf39
SHA256

4f10d7a2e964aa6c91e4b2da80fe82f8a566ca8a541592a4789b48f4dba11581
SHA512

a67d5a511809d0bbff7d8a327fc63e47713bb0928488028441f41dbbc75c5b759607af437b7617446e730debabc427aaf5f1b945c715e3e454d17811be921674

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Extracted

Family

netwire

C2

127.0.0.1:3360

66.42.43.177:443

Attributes

activex_autorun
false
activex_key
copy_executable
true
delete_original
false
host_id
HostId-%Rand%
install_path
C:\Windows\System32\spool\drivers\color
keylogger_dir
lock_executable
false
mutex
offline_keylogger
false
password
Password
registry_autorun
true
startup_name
sysWOW32
use_mutex
false

Targets

- Target
  
  60d234d54c25dcef19a64ded3a587072
- Size
  
  160KB
- MD5
  
  60d234d54c25dcef19a64ded3a587072
- SHA1
  
  7209018f3e29225363f92f7e04e35ca7001dcf39
- SHA256
  
  4f10d7a2e964aa6c91e4b2da80fe82f8a566ca8a541592a4789b48f4dba11581
- SHA512
  
  a67d5a511809d0bbff7d8a327fc63e47713bb0928488028441f41dbbc75c5b759607af437b7617446e730debabc427aaf5f1b945c715e3e454d17811be921674
Score

10^/10

netwire botnet persistence stealer
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

netwirebotnetpersistencestealer

behavioral2

netwirebotnetpersistencestealer