netwire | ca4fd6dff7f8239df42a3319e5ac833b5952d8feea4cee1da7b47d1caba3c5e7 | Triage

Submit
Reports

Overview

overview

Static

static

IN0993.xll

windows7_x64

7

IN0993.xll

windows10-2004_x64

Resubmissions

11-07-2022 14:58

220711-scddtsaber 10

04-07-2022 07:43

220704-jj8zmshed6 10

Sharing

General

Target

IN0993.xll
Size

2.0MB
Sample

220704-jj8zmshed6
MD5

45b3cdfe2d7971c747b467b330477052
SHA1

fac617c572c67af3dcf43f45ddfa04f5e1fb0372
SHA256

ca4fd6dff7f8239df42a3319e5ac833b5952d8feea4cee1da7b47d1caba3c5e7
SHA512

f76a1af73034f9c411a891e56faa223a1b244a5f25f90e74fad082f37054fda9372e581cdd9834df0ffa9df414323bc99dbf82f9e76908b84073621990b5437a

Score

10^/10

netwire botnet rat stealer

Static task

static1

Behavioral task

behavioral1

Sample

IN0993.xll

Resource

win7-20220414-en

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

IN0993.xll

Resource

win10v2004-20220414-en

netwire botnet rat stealer

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Language

xlm4.0

Source

Extracted

Family

netwire

C2

194.5.98.126:3378

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
Pass@2023
registry_autorun
false
use_mutex
false

Targets

- Target
  
  IN0993.xll
- Size
  
  2.0MB
- MD5
  
  45b3cdfe2d7971c747b467b330477052
- SHA1
  
  fac617c572c67af3dcf43f45ddfa04f5e1fb0372
- SHA256
  
  ca4fd6dff7f8239df42a3319e5ac833b5952d8feea4cee1da7b47d1caba3c5e7
- SHA512
  
  f76a1af73034f9c411a891e56faa223a1b244a5f25f90e74fad082f37054fda9372e581cdd9834df0ffa9df414323bc99dbf82f9e76908b84073621990b5437a
Score

10^/10

netwire botnet rat stealer
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

netwirebotnetratstealer

© 2018-2024

Terms | Privacy