netwire | 36313254993f83019d1d7822abb6d326eaa1706573dadc3fea640b97338b04a4 | Triage

Submit
Reports

Overview

overview

Static

static

3631325499...a4.exe

windows7_x64

3631325499...a4.exe

windows10-2004_x64

Sharing

General

Target

36313254993f83019d1d7822abb6d326eaa1706573dadc3fea640b97338b04a4
Size

1.6MB
Sample

220626-dvvcqshab7
MD5

5abea2f9a0aece3b29fa571b4d15c887
SHA1

d9959bb0087f2c985b603cee0e760f3e0faaab15
SHA256

36313254993f83019d1d7822abb6d326eaa1706573dadc3fea640b97338b04a4
SHA512

519dd6a0bc6740e46eb9146080c8097260e9ab0baac88e4311fb74fb171ee8c1d0324d7ba283c25d3c83bc9ee72e0a35c59a5627bce03f7b2b43c5405d16d685

Score

10^/10

netwire botnet rat stealer

Static task

static1

Behavioral task

behavioral1

Sample

36313254993f83019d1d7822abb6d326eaa1706573dadc3fea640b97338b04a4.exe

Resource

win7-20220414-en

netwire botnet rat stealer

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

36313254993f83019d1d7822abb6d326eaa1706573dadc3fea640b97338b04a4.exe

Resource

win10v2004-20220414-en

netwire botnet rat stealer

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

netwire

C2

10.59.38.14:2342

Attributes

activex_autorun
false
copy_executable
true
delete_original
true
host_id
WindowsUpdate
install_path
%AppData%\Install\Host.exe
keylogger_dir
%AppData%\Logs\
lock_executable
true
mutex
xxwRTjnM
offline_keylogger
true
password
Bigman2017
registry_autorun
false
use_mutex
true

Targets

- Target
  
  36313254993f83019d1d7822abb6d326eaa1706573dadc3fea640b97338b04a4
- Size
  
  1.6MB
- MD5
  
  5abea2f9a0aece3b29fa571b4d15c887
- SHA1
  
  d9959bb0087f2c985b603cee0e760f3e0faaab15
- SHA256
  
  36313254993f83019d1d7822abb6d326eaa1706573dadc3fea640b97338b04a4
- SHA512
  
  519dd6a0bc6740e46eb9146080c8097260e9ab0baac88e4311fb74fb171ee8c1d0324d7ba283c25d3c83bc9ee72e0a35c59a5627bce03f7b2b43c5405d16d685
Score

10^/10

netwire botnet rat stealer
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

netwirebotnetratstealer

behavioral2

netwirebotnetratstealer

© 2018-2024

Terms | Privacy