netwire | 9fa55761cbb245c1f1ffae0470cac581ad2c6483e2ff35e55d1c92a66f938b44 | Triage

Submit
Reports

Overview

overview

Static

static

Quotation ...7U.exe

windows7_x64

Quotation ...7U.exe

windows10-2004_x64

Sharing

General

Target

9fa55761cbb245c1f1ffae0470cac581ad2c6483e2ff35e55d1c92a66f938b44
Size

309KB
Sample

220521-abtejscgfr
MD5

a732fb8a6b8aa55b295340f56b1c9cd2
SHA1

5bc4a1bc018bda0c5486cac927823fd975df8e74
SHA256

9fa55761cbb245c1f1ffae0470cac581ad2c6483e2ff35e55d1c92a66f938b44
SHA512

bee2b829cf25f14f50ddde9b2f0ff7e58fad82f73837db875b9c07c4222529b9cf6a45a83e7151909a910980248e3534a74d42ff177ac301dcca22afacb24d9c

Score

10^/10

netwire botnet rat stealer

Static task

static1

Behavioral task

behavioral1

Sample

Quotation 21946 3MuR7U.exe

Resource

win7-20220414-en

netwire botnet rat stealer

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

Quotation 21946 3MuR7U.exe

Resource

win10v2004-20220414-en

netwire botnet rat stealer

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

netwire

C2

evapimp.myq-see.com:2424

Attributes

activex_autorun
false
activex_key
copy_executable
false
delete_original
false
host_id
NEW
install_path
keylogger_dir
lock_executable
true
mutex
VtbDeAKY
offline_keylogger
false
password
evapimp
registry_autorun
false
startup_name
use_mutex
true

Targets

- Target
  
  Quotation 21946 3MuR7U.exe
- Size
  
  351KB
- MD5
  
  b5f8fb837bc7904e1689291c8d64b1ad
- SHA1
  
  4fc08863ec08a7372e7fa0449501e5fd99c3ab93
- SHA256
  
  2e54ae1fe78471492cc217d238fcd7f0158ae8f22a35e9576a91b3a6614c2d08
- SHA512
  
  9e1dcf8e46940f41ab07fe69fe6b8c3397b6429a3c0d1163f69b16a36ce4a1e3462a4a6c11c4dbba2ab9d2f23c5ef77f3fd939db4b2e62fdc7970b406fda856f
Score

10^/10

netwire botnet rat stealer
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

netwirebotnetratstealer

behavioral2

netwirebotnetratstealer

© 2018-2024

Terms | Privacy