netwire | 0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e | Triage

Submit
Reports

Overview

overview

Static

static

0096d73eaf...0e.exe

windows7_x64

0096d73eaf...0e.exe

windows10-2004_x64

Sharing

General

Target

0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e
Size

2.6MB
Sample

220708-stx5kaaah5
MD5

c61b4229f2a9e1d05569736a4faf29d1
SHA1

2e1207d54b55dd7aad206b2722696b1b07953e64
SHA256

0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e
SHA512

9bffa6b6afefa1f9c40c19b5e89803ce0be56ea92dd8c6f585f9275a998e6c71a9f08b8604f6885ce02aea2c471dd10ff0c6eb6a8ddb49188aec9e99b99f7a0c

Score

10^/10

netwire botnet evasion persistence rat stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe

Resource

win7-20220414-en

netwire botnet evasion persistence rat stealer trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe

Resource

win10v2004-20220414-en

netwire botnet evasion persistence rat stealer trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

netwire

C2

haija.mine.nu:1338

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
Data Encoder
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
qays1122
registry_autorun
false
use_mutex
false

Targets

- Target
  
  0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e
- Size
  
  2.6MB
- MD5
  
  c61b4229f2a9e1d05569736a4faf29d1
- SHA1
  
  2e1207d54b55dd7aad206b2722696b1b07953e64
- SHA256
  
  0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e
- SHA512
  
  9bffa6b6afefa1f9c40c19b5e89803ce0be56ea92dd8c6f585f9275a998e6c71a9f08b8604f6885ce02aea2c471dd10ff0c6eb6a8ddb49188aec9e99b99f7a0c
Score

10^/10

netwire botnet evasion persistence rat stealer trojan
- Modifies WinLogon for persistence
  persistence
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Turns off Windows Defender SpyNet reporting
  evasion
- Windows security bypass
  evasion trojan
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Disabling Security Tools

Install Root Certificate

Modify Registry

Web Service

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

netwirebotnetevasionpersistenceratstealertrojan

behavioral2

netwirebotnetevasionpersistenceratstealertrojan

© 2018-2024

Terms | Privacy