netwire

General

Target

5683c67bace862ceec5ecee12100ff01374445e2b5b1c2896dbb593cfc5e87cb
Size

580KB
Sample

220701-dq98dshfhm
MD5

2024f8a7ec2df07582ad0f2e982ddcdb
SHA1

d5ba5fb8e0be66cf77ef368179d5c21f790ca911
SHA256

5683c67bace862ceec5ecee12100ff01374445e2b5b1c2896dbb593cfc5e87cb
SHA512

e14384b4f038ed34d7ca540382ac07a77df08cb865077e432f00a0d9a93152bb7264c476f1e33f3a95d75973d9c78c8a4ed167cc9ce10f8e82adf5b95d077c36

Score

10^/10

Malware Config

Extracted

Family

netwire

C2

79.134.225.120:8765

Attributes

activex_autorun
true
activex_key
{L501JP3X-C6PC-RH36-475X-RS2C2OQHHGS0}
copy_executable
true
delete_original
false
host_id
HostId-%Rand%
install_path
%AppData%\Install\Host.exe
lock_executable
false
offline_keylogger
false
password
Password
registry_autorun
true
startup_name
windows
use_mutex
false

Targets

- Target
  
  5683c67bace862ceec5ecee12100ff01374445e2b5b1c2896dbb593cfc5e87cb
- Size
  
  580KB
- MD5
  
  2024f8a7ec2df07582ad0f2e982ddcdb
- SHA1
  
  d5ba5fb8e0be66cf77ef368179d5c21f790ca911
- SHA256
  
  5683c67bace862ceec5ecee12100ff01374445e2b5b1c2896dbb593cfc5e87cb
- SHA512
  
  e14384b4f038ed34d7ca540382ac07a77df08cb865077e432f00a0d9a93152bb7264c476f1e33f3a95d75973d9c78c8a4ed167cc9ce10f8e82adf5b95d077c36
Score

10^/10

netwire botnet persistence rat stealer
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Executes dropped EXE
- Modifies Installed Components in the registry
  persistence
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

NetWire RAT payload

Executes dropped EXE

Modifies Installed Components in the registry

Loads dropped DLL

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2