netwire | 4114804fd7aebc04caec60731b3282998cca1e276e5f120dce88d46decff1895 | Triage

Submit
Reports

Overview

overview

Static

static

4114804fd7...95.exe

windows7_x64

4114804fd7...95.exe

windows10-2004_x64

8

Sharing

General

Target

4114804fd7aebc04caec60731b3282998cca1e276e5f120dce88d46decff1895
Size

303KB
Sample

220708-hrn4rsgcc9
MD5

144539a65d10a6ed3df334866028ba79
SHA1

7d74cbaa4552b9468aaf079dab28b2bae29d1ae9
SHA256

4114804fd7aebc04caec60731b3282998cca1e276e5f120dce88d46decff1895
SHA512

33802b04f713820d4a19220b3391cde8090a3837a82fff2d23af4d8994998665d87c98195170f68b6856c58d765b96bfd64fa7163ee1cf3882416cb5de8c58e9

Score

10^/10

netwire agilenet botnet rat stealer

Static task

static1

Behavioral task

behavioral1

Sample

4114804fd7aebc04caec60731b3282998cca1e276e5f120dce88d46decff1895.exe

Resource

win7-20220414-en

netwire agilenet botnet rat stealer

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

4114804fd7aebc04caec60731b3282998cca1e276e5f120dce88d46decff1895.exe

Resource

win10v2004-20220414-en

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

netwire

C2

info1.nowddns.com:5552

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
NOW-DNS-5552
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
gqmQdKHu
offline_keylogger
true
password
caster123
registry_autorun
false
use_mutex
true

Targets

- Target
  
  4114804fd7aebc04caec60731b3282998cca1e276e5f120dce88d46decff1895
- Size
  
  303KB
- MD5
  
  144539a65d10a6ed3df334866028ba79
- SHA1
  
  7d74cbaa4552b9468aaf079dab28b2bae29d1ae9
- SHA256
  
  4114804fd7aebc04caec60731b3282998cca1e276e5f120dce88d46decff1895
- SHA512
  
  33802b04f713820d4a19220b3391cde8090a3837a82fff2d23af4d8994998665d87c98195170f68b6856c58d765b96bfd64fa7163ee1cf3882416cb5de8c58e9
Score

10^/10

netwire agilenet botnet rat stealer
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

netwireagilenetbotnetratstealer

behavioral2

© 2018-2024

Terms | Privacy