netwire | 9530267408a020ad51d1152af9d09129f78ac294080ba334cc6843a9a44d07e6 | Triage

Submit
Reports

Overview

overview

Static

static

Proof of Payment.exe

windows7_x64

Proof of Payment.exe

windows10-2004_x64

Sharing

General

Target

9530267408a020ad51d1152af9d09129f78ac294080ba334cc6843a9a44d07e6
Size

962KB
Sample

220520-ryvpkagff6
MD5

ec95eb77dd1677247650557c9d335a2e
SHA1

c363936a59e10cc2eb2934d420964b5a0bf96892
SHA256

9530267408a020ad51d1152af9d09129f78ac294080ba334cc6843a9a44d07e6
SHA512

28540b21dfb1815a58ba3051c5e91f74e59a68ce2ff81288e8f49e4bbfdd47a3bf276eee7d117a621363c3cccb572a8d357ded2b55edd09015cbd7bc73ea2b4c

Score

10^/10

netwire botnet persistence rat stealer

Static task

static1

Behavioral task

behavioral1

Sample

Proof of Payment.exe

Resource

win7-20220414-en

netwire botnet persistence rat stealer

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

Proof of Payment.exe

Resource

win10v2004-20220414-en

netwire botnet persistence rat stealer

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

netwire

C2

154.16.93.182:3361

154.16.93.182:3368

Attributes

activex_autorun
false
activex_key
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
install_path
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
offline_keylogger
true
password
south123456
registry_autorun
false
startup_name
use_mutex
false

Targets

- Target
  
  Proof of Payment.exe
- Size
  
  1.1MB
- MD5
  
  f818cb764aab5e0d02545172edf9d6a3
- SHA1
  
  019ed52ad6f7026e83ce7ed2c63d3ca62f3d9276
- SHA256
  
  5f2b6faf1de19342f874c50bad45b66727e24218cd8d2610f7d3fbb5d47cccab
- SHA512
  
  f4d635f57e2ed13b2f3a3ed057ed9da08bcda819c8925049d0b0fb60f3c9c461646c353d39f85766e6309b324a27f091aef3591fcdc49a1765648635a0acf1ab
Score

10^/10

netwire botnet persistence rat stealer
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

netwirebotnetpersistenceratstealer

behavioral2

netwirebotnetpersistenceratstealer

© 2018-2024

Terms | Privacy