adwind | 3fa2905c28d4a7835efb745dc22ba8a033e46be44085d8db48be2a525cf3f651 | Triage

Submit
Reports

Overview

overview

Static

static

3fa2905c28...51.exe

windows7_x64

3fa2905c28...51.exe

windows10-2004_x64

Sharing

General

Target

3fa2905c28d4a7835efb745dc22ba8a033e46be44085d8db48be2a525cf3f651
Size

813KB
Sample

220630-3tlfwaefa6
MD5

c78cc437caa7edfc9c3494c58b017e8a
SHA1

61cbbf0bef3c282c12a88fa927ce1447caffb3f7
SHA256

3fa2905c28d4a7835efb745dc22ba8a033e46be44085d8db48be2a525cf3f651
SHA512

bf049956c7cbf887820027f658a89f3833dccef089b50beaf3d60b8a8e539947728710d218a03d5948e9ae9b15e6640557425822daa57ef4b248bba7e81431f5

Score

10^/10

adwind netwire botnet rat stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

3fa2905c28d4a7835efb745dc22ba8a033e46be44085d8db48be2a525cf3f651.exe

Resource

win7-20220414-en

adwind netwire botnet rat stealer trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

3fa2905c28d4a7835efb745dc22ba8a033e46be44085d8db48be2a525cf3f651.exe

Resource

win10v2004-20220414-en

netwire botnet rat stealer

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

netwire

C2

blackhills.ddns.net:1030

213.183.58.34:1031

Attributes

activex_autorun
false
copy_executable
true
delete_original
true
host_id
Lord Of Sabbath
install_path
%AppData%\Roaming\svchost.exe
lock_executable
true
mutex
conhost
offline_keylogger
false
password
Password
registry_autorun
false
use_mutex
true

Targets

- Target
  
  3fa2905c28d4a7835efb745dc22ba8a033e46be44085d8db48be2a525cf3f651
- Size
  
  813KB
- MD5
  
  c78cc437caa7edfc9c3494c58b017e8a
- SHA1
  
  61cbbf0bef3c282c12a88fa927ce1447caffb3f7
- SHA256
  
  3fa2905c28d4a7835efb745dc22ba8a033e46be44085d8db48be2a525cf3f651
- SHA512
  
  bf049956c7cbf887820027f658a89f3833dccef089b50beaf3d60b8a8e539947728710d218a03d5948e9ae9b15e6640557425822daa57ef4b248bba7e81431f5
Score

10^/10

adwind netwire botnet rat stealer trojan
- AdWind
  A Java-based RAT family operated as malware-as-a-service.
  trojan adwind
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

adwindnetwirebotnetratstealertrojan

behavioral2

netwirebotnetratstealer

© 2018-2024

Terms | Privacy