netwire | 7601552d259cf367d16f624395dfdd29121b837595d0b80869f6ac2b7f6f5418 | Triage

Submit
Reports

Overview

overview

Static

static

M5UG7W1B.exe

windows7_x64

M5UG7W1B.exe

windows10-2004_x64

Sharing

General

Target

7601552d259cf367d16f624395dfdd29121b837595d0b80869f6ac2b7f6f5418
Size

1.2MB
Sample

220520-2e2c4sachr
MD5

9221971641350ef04444704104405421
SHA1

cdbc6ed2d2faef895152aa7db2672f3cf5eaa038
SHA256

7601552d259cf367d16f624395dfdd29121b837595d0b80869f6ac2b7f6f5418
SHA512

feb6617a30b240335c5379b407e656135e2c88697f01739a78e324ff8aba715b86827e77f945c34e84c281390687ed6e5ed67e88ee3fdbd74e9533f799cb6885

Score

10^/10

netwire botnet rat stealer

Static task

static1

Behavioral task

behavioral1

Sample

M5UG7W1B.exe

Resource

win7-20220414-en

netwire botnet rat stealer

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

M5UG7W1B.exe

Resource

win10v2004-20220414-en

netwire botnet rat stealer

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

netwire

C2

194.5.98.225:3373

194.5.98.225:3376

Attributes

activex_autorun
false
activex_key
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
install_path
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
offline_keylogger
true
password
good01230123
registry_autorun
false
startup_name
use_mutex
false

Targets

- Target
  
  M5UG7W1B.EXE
- Size
  
  424KB
- MD5
  
  0da7c19fbcd9c3b0362754bbfccbcd79
- SHA1
  
  3d28a2974f0691a0fcb2ffd291b700518f6b9ac7
- SHA256
  
  35c080693f92425ef536a0b1bec2f1c1f975575da18a8c54cb16a47f97ce1d79
- SHA512
  
  88bd35861bef6e7a6db4c65baef4a32631068f6adaf99dda2d7ee93e9529729049429cc7df4eb0d64d968869d8d91051f87438bc53db49dc1c4087e17bcbf8d1
Score

10^/10

netwire botnet rat stealer
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

netwirebotnetratstealer

behavioral2

netwirebotnetratstealer

© 2018-2024

Terms | Privacy