netwire | c539c08e04ef8ab4ee18e69ab3346214ffcbfd262679c558f7b5ca651767d61d | Triage

Submit
Reports

Overview

overview

Static

static

D1682AA725...55.exe

windows7_x64

D1682AA725...55.exe

windows10_x64

Sharing

General

Target

D1682AA725C47B89C2066CFEAA8B3B55.exe
Size

793KB
Sample

210724-nrywbp1j3s
MD5

d1682aa725c47b89c2066cfeaa8b3b55
SHA1

c802cfd2f442200bafaf6a5fbeb70f52ee846bb2
SHA256

c539c08e04ef8ab4ee18e69ab3346214ffcbfd262679c558f7b5ca651767d61d
SHA512

f33216e03bbbb28c6238c903eec0871d6ed4cf7ebe15ebd5ac0dbfd9c468e661e1ec3a9010c571b45176a549f15055b7b85e98c5a35ece4a5f22ed311943b43f

Score

10^/10

netwire botnet persistence rat stealer

Static task

static1

Behavioral task

behavioral1

Sample

D1682AA725C47B89C2066CFEAA8B3B55.exe

Resource

win7v20210410

netwire botnet persistence rat stealer

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

D1682AA725C47B89C2066CFEAA8B3B55.exe

Resource

win10v20210408

netwire botnet persistence rat stealer

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

netwire

C2

nozomi.takanome.io:9030

hikari.takanome.io:9030

Attributes

activex_autorun
false
activex_key
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
install_path
keylogger_dir
%AppData%\Syslog\
lock_executable
false
mutex
offline_keylogger
true
password
Jtenike70+
registry_autorun
false
startup_name
use_mutex
false

Targets

- Target
  
  D1682AA725C47B89C2066CFEAA8B3B55.exe
- Size
  
  793KB
- MD5
  
  d1682aa725c47b89c2066cfeaa8b3b55
- SHA1
  
  c802cfd2f442200bafaf6a5fbeb70f52ee846bb2
- SHA256
  
  c539c08e04ef8ab4ee18e69ab3346214ffcbfd262679c558f7b5ca651767d61d
- SHA512
  
  f33216e03bbbb28c6238c903eec0871d6ed4cf7ebe15ebd5ac0dbfd9c468e661e1ec3a9010c571b45176a549f15055b7b85e98c5a35ece4a5f22ed311943b43f
Score

10^/10

netwire botnet persistence rat stealer
- Modifies WinLogon for persistence
  persistence
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

netwirebotnetpersistenceratstealer

behavioral2

netwirebotnetpersistenceratstealer

© 2018-2024

Terms | Privacy