Overview

overview

10

Static

static

Document.exe

windows7_x64

10

Document.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Document.exe

  • Size

    1.1MB

  • Sample

    211020-pxcfgshhhm

  • MD5

    aff627753fddc208e8610d54b0f4be65

  • SHA1

    fc5ba331a20f2cd34d184b12f8c28445146866ec

  • SHA256

    6814190b4099c532caabe663df73d8ee0c7d70b55db3c69c56eefc1dc1d162f5

  • SHA512

    171d0eab964de449db860c7a89cf8fc07ad4e536c56762bdff1297146581bb63e4047aa1f241b4263f4dd83662538b231d77aa25015e1b60fee01805d1819bc1

Score
10/10
netwirebotnetpersistenceratstealer

Malware Config

Extracted

Family

netwire

C2

freelife.mywire.org:6655

freelife01.mywire.org:6655

freelife2.mywire.org:6655

freelife3.mywire.org:6655

freelife4.mywire.org:6655

freelife5.mywire.org:6655

freelife6.mywire.org:6655
Attributes
  • activex_autorun

    false

  • activex_key

  • copy_executable

    false

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • install_path

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • mutex

  • offline_keylogger

    true

  • password

    5056

  • registry_autorun

    false

  • startup_name

  • use_mutex

    false

Targets

    • Target

      Document.exe

    • Size

      1.1MB

    • MD5

      aff627753fddc208e8610d54b0f4be65

    • SHA1

      fc5ba331a20f2cd34d184b12f8c28445146866ec

    • SHA256

      6814190b4099c532caabe663df73d8ee0c7d70b55db3c69c56eefc1dc1d162f5

    • SHA512

      171d0eab964de449db860c7a89cf8fc07ad4e536c56762bdff1297146581bb63e4047aa1f241b4263f4dd83662538b231d77aa25015e1b60fee01805d1819bc1

    Score
    10/10
    netwirebotnetpersistenceratstealer

    • NetWire RAT payload

      rat

    • Netwire

      Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

      botnetstealernetwire

    • Adds Run key to start application

      persistence
    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks