netwire | ff0b1d9f2221e78773cfed9e89f87eab3add2c872f44f7f8cd10e18e2e0e8465 | Triage

Submit
Reports

Overview

overview

Static

static

ff0b1d9f22...65.exe

windows7_x64

ff0b1d9f22...65.exe

windows10-2004_x64

Sharing

General

Target

ff0b1d9f2221e78773cfed9e89f87eab3add2c872f44f7f8cd10e18e2e0e8465
Size

632KB
Sample

220701-efzvcacgb2
MD5

29b89507364a0868ff24aa52e9f9a30f
SHA1

a33e07b0f35d1fa69c732b8ef03fbd045c1d443d
SHA256

ff0b1d9f2221e78773cfed9e89f87eab3add2c872f44f7f8cd10e18e2e0e8465
SHA512

c7c4e572fbeaa3e10c9f5754b94e56efbcbcad5f6aa2b144e8b8a12d5fd3f43e16465f0b771c39e5d94167ae95416a2a5ebaa1a1b0329c3a7ba652fb13f34611

Score

10^/10

netwire botnet persistence rat stealer

Static task

static1

Behavioral task

behavioral1

Sample

ff0b1d9f2221e78773cfed9e89f87eab3add2c872f44f7f8cd10e18e2e0e8465.exe

Resource

win7-20220414-en

netwire botnet persistence rat stealer

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

ff0b1d9f2221e78773cfed9e89f87eab3add2c872f44f7f8cd10e18e2e0e8465.exe

Resource

win10v2004-20220414-en

netwire botnet persistence rat stealer

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

netwire

C2

missserver1000.hopto.org:8309

Attributes

activex_autorun
true
activex_key
{07Y11VWU-UPYY-ATCE-P44Q-I8QQU17V03VB}
copy_executable
true
delete_original
false
host_id
HostId-%Rand%
install_path
%AppData%\Install\Host.exe
lock_executable
false
offline_keylogger
false
password
Password
registry_autorun
true
startup_name
windows
use_mutex
false

Targets

- Target
  
  ff0b1d9f2221e78773cfed9e89f87eab3add2c872f44f7f8cd10e18e2e0e8465
- Size
  
  632KB
- MD5
  
  29b89507364a0868ff24aa52e9f9a30f
- SHA1
  
  a33e07b0f35d1fa69c732b8ef03fbd045c1d443d
- SHA256
  
  ff0b1d9f2221e78773cfed9e89f87eab3add2c872f44f7f8cd10e18e2e0e8465
- SHA512
  
  c7c4e572fbeaa3e10c9f5754b94e56efbcbcad5f6aa2b144e8b8a12d5fd3f43e16465f0b771c39e5d94167ae95416a2a5ebaa1a1b0329c3a7ba652fb13f34611
Score

10^/10

netwire botnet persistence rat stealer
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Executes dropped EXE
- Modifies Installed Components in the registry
  persistence
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

netwirebotnetpersistenceratstealer

behavioral2

netwirebotnetpersistenceratstealer

© 2018-2024

Terms | Privacy