netwire | a16c2ce4087427f7ea26a1100bebb47a9d5cc46cb9490a1213a29f904d7e62a5 | Triage

Submit
Reports

Overview

overview

Static

static

IMG SCAN C...ER.exe

windows7_x64

IMG SCAN C...ER.exe

windows10-2004_x64

Sharing

General

Target

a16c2ce4087427f7ea26a1100bebb47a9d5cc46cb9490a1213a29f904d7e62a5
Size

1.2MB
Sample

220521-d8bgsacacq
MD5

38963cf2710e9d4a825893a5673b7281
SHA1

ea76747348f5edc0453976d0c9fb2b7b424e8306
SHA256

a16c2ce4087427f7ea26a1100bebb47a9d5cc46cb9490a1213a29f904d7e62a5
SHA512

0f1676a854a9d8ab39b6fccc9c90f50bff308295eddd29bc287bae5e498bb855e59da4dabcb845c9b5db0cff5af470d8e99053aeed792638325657eb5a01a0d8

Score

10^/10

netwire botnet rat stealer

Static task

static1

Behavioral task

behavioral1

Sample

IMG SCAN COPY PO ORDER.exe

Resource

win7-20220414-en

netwire botnet rat stealer

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

IMG SCAN COPY PO ORDER.exe

Resource

win10v2004-20220414-en

netwire botnet rat stealer

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

netwire

C2

twohoes.duckdns.org:1710

Attributes

activex_autorun
false
activex_key
copy_executable
false
delete_original
false
host_id
Turkey
install_path
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
offline_keylogger
true
password
Master45
registry_autorun
false
startup_name
use_mutex
false

Targets

- Target
  
  IMG SCAN COPY PO ORDER.exe
- Size
  
  1.1MB
- MD5
  
  d939a9aa374ef97b17cbaa102ddab108
- SHA1
  
  4ee65b0f46ef7b369589544faa212cbd790298b9
- SHA256
  
  1ac8944d42d3a594940bbd74613193bc47430b6c6c958caf9a5b4521bd9efb91
- SHA512
  
  f0557cc439f35dadbae662fe5295acdccfa481899c44cd50bd0f3f3fae4d39e4a7aa2f7ae42c91f1541d22fc4e87a1fffac7051cc84fb1ae568715a63cf2eaf1
Score

10^/10

netwire botnet rat stealer
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

netwirebotnetratstealer

behavioral2

netwirebotnetratstealer

© 2018-2024

Terms | Privacy