netwire | ab50301ca528c2cee1ed6d8ea39ceed66548cc2f8418d6487573c418dbf1a824 | Triage

Submit
Reports

Overview

overview

Static

static

P0 200522-5PRD024.exe

windows7_x64

P0 200522-5PRD024.exe

windows10-2004_x64

Sharing

General

Target

P0 200522-5PRD024.exe
Size

834KB
Sample

220520-ldak1ahfh9
MD5

8968318de8888badcd0dd9b320bb3ee6
SHA1

a6dc14ab8ed7cbbc9cc60316dc6f804850fcc82b
SHA256

ab50301ca528c2cee1ed6d8ea39ceed66548cc2f8418d6487573c418dbf1a824
SHA512

ac6ebb7c7e185b6b9c2c66cc85404f6fca734a4a4e6ab45df84f7185a4792f61964fbdf103131b0047031e65cc192da8539d9ba2fd5077ab675e0b4371a6e458

Score

10^/10

netwire botnet rat stealer

Static task

static1

Behavioral task

behavioral1

Sample

P0 200522-5PRD024.exe

Resource

win7-20220414-en

netwire botnet rat stealer

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

P0 200522-5PRD024.exe

Resource

win10v2004-20220414-en

netwire botnet rat stealer

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

netwire

C2

nowancenorly.ddns.net:6969

Attributes

activex_autorun
false
activex_key
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
install_path
keylogger_dir
lock_executable
false
mutex
pYeAqduB
offline_keylogger
false
password
Password
registry_autorun
false
startup_name
��9C��ο$75�O�h
use_mutex
false

Targets

- Target
  
  P0 200522-5PRD024.exe
- Size
  
  834KB
- MD5
  
  8968318de8888badcd0dd9b320bb3ee6
- SHA1
  
  a6dc14ab8ed7cbbc9cc60316dc6f804850fcc82b
- SHA256
  
  ab50301ca528c2cee1ed6d8ea39ceed66548cc2f8418d6487573c418dbf1a824
- SHA512
  
  ac6ebb7c7e185b6b9c2c66cc85404f6fca734a4a4e6ab45df84f7185a4792f61964fbdf103131b0047031e65cc192da8539d9ba2fd5077ab675e0b4371a6e458
Score

10^/10

netwire botnet rat stealer
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

netwirebotnetratstealer

behavioral2

netwirebotnetratstealer

© 2018-2024

Terms | Privacy