netwire | bafcc766822387e557ea05e8705c82a65fddcafdb96a30a22cca817aec218913 | Triage

Submit
Reports

Overview

overview

Static

static

PAYMENT_.exe

windows7_x64

PAYMENT_.exe

windows10-2004_x64

Sharing

General

Target

bafcc766822387e557ea05e8705c82a65fddcafdb96a30a22cca817aec218913
Size

3.8MB
Sample

220521-n73vraege5
MD5

161481de943f3a5113b8467e49d78ddd
SHA1

94592262b35c6f366fb72559525e606cad71304e
SHA256

bafcc766822387e557ea05e8705c82a65fddcafdb96a30a22cca817aec218913
SHA512

a84e53a15f5b5dba9e9a46eb5addb9f223ecac83b16136036c25ac4f02099c2233dd5fbe995c71730a5ecb4e68c6b1a63043cb898e7a25aea1f84ae22ac2df24

Score

10^/10

netwire botnet evasion persistence rat stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

PAYMENT_.exe

Resource

win7-20220414-en

netwire botnet evasion persistence rat stealer trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

PAYMENT_.exe

Resource

win10v2004-20220414-en

evasion persistence trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

netwire

C2

alkaline.publicvm.com:1777

Attributes

activex_autorun
false
activex_key
copy_executable
false
delete_original
false
host_id
home198
install_path
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
EEwpRdkL
offline_keylogger
true
password
Password
registry_autorun
false
startup_name
use_mutex
true

Targets

- Target
  
  PAYMENT_.EXE
- Size
  
  3.2MB
- MD5
  
  d895d1a443969940fb0386bf4202a5c6
- SHA1
  
  85af7fc7355af82007c8c00cc4822155506dcab2
- SHA256
  
  07f411bd02cb5654c8903477700a32802c0ed1f445d14144bc306a2af3aa7910
- SHA512
  
  4aa4e40fe1297f511520c1779a91c48fc13c37eea36fe2c3dfdfd07682b25736bcadfac53468465b68c3c66d44440634239b7bd97423040deb9f2cf17c86b49b
Score

10^/10

netwire botnet evasion persistence rat stealer trojan
- Modifies WinLogon for persistence
  persistence
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Looks for VirtualBox Guest Additions in registry
  evasion
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Drops startup file
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Disabling Security Tools

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

Virtualization/Sandbox Evasion

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

netwirebotnetevasionpersistenceratstealertrojan

behavioral2

evasionpersistencetrojan

© 2018-2024

Terms | Privacy