netwire | fd28c96c3d45259a13d5e205ff342464025e6f451a258c6a524e6463e7f7fec1 | Triage

Submit
Reports

Overview

overview

Static

static

Swift Copy.exe

windows7_x64

Swift Copy.exe

windows10-2004_x64

Sharing

General

Target

fd28c96c3d45259a13d5e205ff342464025e6f451a258c6a524e6463e7f7fec1
Size

227KB
Sample

220520-2rt5kafhc3
MD5

213b1e3e594c7908af76d807649208c1
SHA1

226c95da6310b43b5545f34f6d07d7d2458cec24
SHA256

fd28c96c3d45259a13d5e205ff342464025e6f451a258c6a524e6463e7f7fec1
SHA512

a1237517281d78ae951ef3daa42301b51c78c91a2e1ab3e5a50067f96428272a99d20d6bc683c79f4686aa92dff02207249af71c02f8064db0d4da2dc0c33757

Score

10^/10

netwire botnet rat stealer

Static task

static1

Behavioral task

behavioral1

Sample

Swift Copy.exe

Resource

win7-20220414-en

netwire botnet rat stealer

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

Swift Copy.exe

Resource

win10v2004-20220414-en

netwire botnet rat stealer

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

netwire

C2

185.244.29.161:1591

Attributes

activex_autorun
false
activex_key
copy_executable
true
delete_original
false
host_id
HostId-%Rand%
install_path
%AppData%\Install\Host.exe
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
NeiqFfto
offline_keylogger
true
password
Password
registry_autorun
false
startup_name
use_mutex
true

Targets

- Target
  
  Swift Copy.exe
- Size
  
  341KB
- MD5
  
  b864067e3fa697652752fcd54f2b0621
- SHA1
  
  b9c2af989e2a4665df92e734bf7e1894ad9b873f
- SHA256
  
  9b8107f42878501861702cac98baea7034b91231b362ce08741479aaf7c6cf4d
- SHA512
  
  6e37f92c0833881d8a533e5d696d536af4c10b0b835f5c65d979961a07784ea70ca9ae2942248a32251a892eef296e6c5f9f19ebf71d373320cb5e78a1d8eac5
Score

10^/10

netwire botnet rat stealer
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

netwirebotnetratstealer

behavioral2

netwirebotnetratstealer

© 2018-2024

Terms | Privacy