netwire | d6d4d55f2df43c5d2a35a96b53ac0f949673a901ce8aeb41ed1144ecb7b3ba09 | Triage

Submit
Reports

Overview

overview

Static

static

ORDER SPEC...ION.js

windows7_x64

ORDER SPEC...ION.js

windows10-2004_x64

Sharing

General

Target

ORDER SPECIFICATION.js
Size

81KB
Sample

220620-jgc47adad7
MD5

8c577d950786e8262f22dd3c23ca8c07
SHA1

a933a3f7da664089ab715ee06ca9fdf17d9ef318
SHA256

d6d4d55f2df43c5d2a35a96b53ac0f949673a901ce8aeb41ed1144ecb7b3ba09
SHA512

21217ecf4c1f0aba4c72e3a7cb1d49643d506aed4ca59753e052090c4df2d8f2f607c46d7a2b95802f1686f48d45e8ca9fd0cd851ce66ecf6ce88b17db4d7c40

Score

10^/10

netwire vjw0rm botnet persistence rat stealer trojan worm

Static task

static1

Behavioral task

behavioral1

Sample

ORDER SPECIFICATION.js

Resource

win7-20220414-en

netwire vjw0rm botnet persistence rat stealer trojan worm

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

ORDER SPECIFICATION.js

Resource

win10v2004-20220414-en

vjw0rm persistence trojan worm

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

netwire

C2

netuwaya.servecounterstrike.com:4734

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
lock_executable
false
offline_keylogger
false
password
Password
registry_autorun
false
use_mutex
false

Targets

- Target
  
  ORDER SPECIFICATION.js
- Size
  
  81KB
- MD5
  
  8c577d950786e8262f22dd3c23ca8c07
- SHA1
  
  a933a3f7da664089ab715ee06ca9fdf17d9ef318
- SHA256
  
  d6d4d55f2df43c5d2a35a96b53ac0f949673a901ce8aeb41ed1144ecb7b3ba09
- SHA512
  
  21217ecf4c1f0aba4c72e3a7cb1d49643d506aed4ca59753e052090c4df2d8f2f607c46d7a2b95802f1686f48d45e8ca9fd0cd851ce66ecf6ce88b17db4d7c40
Score

10^/10

netwire vjw0rm botnet persistence rat stealer trojan worm
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Vjw0rm
  Vjw0rm is a remote access trojan written in JavaScript.
  trojan worm vjw0rm
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Scripting

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

netwirevjw0rmbotnetpersistenceratstealertrojanworm

behavioral2

vjw0rmpersistencetrojanworm

© 2018-2024

Terms | Privacy