netwire | 74ea48927311f7729e492a810c7ce69730d10c7161fe971363a2f561565f974b | Triage

Submit
Reports

Overview

overview

Static

static

SCAN_702.exe

windows7_x64

SCAN_702.exe

windows10-2004_x64

Sharing

General

Target

74ea48927311f7729e492a810c7ce69730d10c7161fe971363a2f561565f974b
Size

1.2MB
Sample

220521-c8qe9sfbg4
MD5

6807012d3da7b63fde88f40a9fbb57d6
SHA1

d1e458e05807c7df506798987d7019ea8c71c05d
SHA256

74ea48927311f7729e492a810c7ce69730d10c7161fe971363a2f561565f974b
SHA512

56288b85fd0ac2602aedb2e2de0d3e1d804a129469cf7850ab5cef2bc4221467dcd31d65d05bdb8a8c10cb6f593bf3e2830110aada0f0305d770aee665cf4197

Score

10^/10

netwire botnet rat rezer0 stealer

Static task

static1

Behavioral task

behavioral1

Sample

SCAN_702.exe

Resource

win7-20220414-en

netwire botnet rat rezer0 stealer

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

SCAN_702.exe

Resource

win10v2004-20220414-en

netwire botnet rat stealer

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

netwire

C2

winx.xcapdatap.capetown:7390

Attributes

activex_autorun
false
activex_key
copy_executable
false
delete_original
false
host_id
Jagz_$$$
install_path
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
offline_keylogger
true
password
P@55w0rd!
registry_autorun
false
startup_name
use_mutex
false

Targets

- Target
  
  SCAN_702.EXE
- Size
  
  305KB
- MD5
  
  a8f1e8384b7604be4ceba25ca83f7134
- SHA1
  
  61dd45925f9a708069216a915b4b5ffd6555babf
- SHA256
  
  ccd667e3a1a0577ed841968990cb37790e1e6f0fb4ceb1a2f947ef391d68dd4d
- SHA512
  
  10621714d096089923664cb0fc5eb7f8af165dc22048ff69c8589ec2ba4c19c41e2888f2bb14713580ada661a53fe86ff155501192ec9f1d4f2277c8bab75e4e
Score

10^/10

netwire botnet rat rezer0 stealer
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- ReZer0 packer
  Detects ReZer0, a packer with multiple versions used in various campaigns.
  rezer0
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

netwirebotnetratrezer0stealer

behavioral2

netwirebotnetratstealer

© 2018-2024

Terms | Privacy