netwire

General

Target

40c913b6837bb03dd168536710d88a05faa6a6956b1c210758a0979a6782bf62
Size

175KB
Sample

220708-rnwh4sdedq
MD5

1d92475e5f11ddf8256835c4bfb196a3
SHA1

c40bc3e3fd25bf6b872b0e7953c9f5d833b522de
SHA256

40c913b6837bb03dd168536710d88a05faa6a6956b1c210758a0979a6782bf62
SHA512

170fac19f61ade42c378811c6f11e91f62319c0b7ad77a9f1138db867bbd21ad48c54d1b3689b8e1d77be483e1a0b39bfe90dc6935e662c5f87aa823b8fc58d6

Score

10^/10

Malware Config

Extracted

Family

netwire

C2

37.233.101.73:8888

213.152.162.104:8747

213.152.162.170:8747

213.152.162.109:8747

213.152.162.89:8747

109.232.227.138:8747

109.232.227.133:8747

213.152.161.211:8747

213.152.162.94:8747

213.152.161.35:8747

213.152.180.5:8747

Attributes

activex_autorun
true
activex_key
{H15R52OJ-8CJI-H436-22TJ-P25072J3Q326}
copy_executable
true
delete_original
true
host_id
IP
install_path
%AppData%\Install\Host.exe
keylogger_dir
%AppData%\Logs\
lock_executable
true
mutex
bmhJQHdn
offline_keylogger
true
password
DAWAJkurwoKASEniePIERDOL
registry_autorun
true
startup_name
NetWire
use_mutex
true

Targets

- Target
  
  40c913b6837bb03dd168536710d88a05faa6a6956b1c210758a0979a6782bf62
- Size
  
  175KB
- MD5
  
  1d92475e5f11ddf8256835c4bfb196a3
- SHA1
  
  c40bc3e3fd25bf6b872b0e7953c9f5d833b522de
- SHA256
  
  40c913b6837bb03dd168536710d88a05faa6a6956b1c210758a0979a6782bf62
- SHA512
  
  170fac19f61ade42c378811c6f11e91f62319c0b7ad77a9f1138db867bbd21ad48c54d1b3689b8e1d77be483e1a0b39bfe90dc6935e662c5f87aa823b8fc58d6
Score

10^/10

netwire botnet persistence rat stealer
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Executes dropped EXE
- Modifies Installed Components in the registry
  persistence
- Deletes itself
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

NetWire RAT payload

Executes dropped EXE

Modifies Installed Components in the registry

Deletes itself

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2