netwire | d8a894ca9c345df1256919aea2edf37ad3f85abb0438583edbbb80e1d607a011 | Triage

Submit
Reports

Overview

overview

Static

static

INV00683.xll

windows7_x64

7

INV00683.xll

windows10-2004_x64

Resubmissions

11-07-2022 14:58

220711-sck4nsabfm 10

04-07-2022 07:43

220704-jj8zmsfdcj 10

Sharing

General

Target

INV00683.xll
Size

3.4MB
Sample

220704-jj8zmsfdcj
MD5

ff550b5bce8ec18d844cc314b74b5b1f
SHA1

df4915ca11e7ab294c81497180f3a761bde4ceda
SHA256

d8a894ca9c345df1256919aea2edf37ad3f85abb0438583edbbb80e1d607a011
SHA512

25b42bf8eaf69c1de25c8ab90cbbf0566cddb57751a81b10d1b6196ce7ebcf1de7f6b4742eefceab70957ceea3163287ea50c7b0c0774138a023c2a2feaed87b

Score

10^/10

netwire botnet rat stealer

Static task

static1

Behavioral task

behavioral1

Sample

INV00683.xll

Resource

win7-20220414-en

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

INV00683.xll

Resource

win10v2004-20220414-en

netwire botnet rat stealer

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Language

xlm4.0

Source

Extracted

Family

netwire

C2

194.5.98.126:3378

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
Pass@2023
registry_autorun
false
use_mutex
false

Targets

- Target
  
  INV00683.xll
- Size
  
  3.4MB
- MD5
  
  ff550b5bce8ec18d844cc314b74b5b1f
- SHA1
  
  df4915ca11e7ab294c81497180f3a761bde4ceda
- SHA256
  
  d8a894ca9c345df1256919aea2edf37ad3f85abb0438583edbbb80e1d607a011
- SHA512
  
  25b42bf8eaf69c1de25c8ab90cbbf0566cddb57751a81b10d1b6196ce7ebcf1de7f6b4742eefceab70957ceea3163287ea50c7b0c0774138a023c2a2feaed87b
Score

10^/10

netwire botnet rat stealer
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

netwirebotnetratstealer

© 2018-2024

Terms | Privacy