netwire | 9499b0710260447af9975b01db876704513975a9a97c119bf004cc4d497ae0b5 | Triage

Submit
Reports

Overview

overview

Static

static

9499b07102...b5.exe

windows7_x64

9499b07102...b5.exe

windows10-2004_x64

Sharing

General

Target

9499b0710260447af9975b01db876704513975a9a97c119bf004cc4d497ae0b5
Size

1.9MB
Sample

220708-sx6k4sace8
MD5

51fbd9736548de79bdbbece7db6ed4ab
SHA1

2f2c1933a2bd9939eddeffd6615c6ffcb10803c1
SHA256

9499b0710260447af9975b01db876704513975a9a97c119bf004cc4d497ae0b5
SHA512

2f154955e01b8c04dcb07d9728fbdd169d2fee695d98e57a9a95b6e44e305897fc95eae19c121b9a23bdb06598ae9bb4df76496357d29e0238d5e976ddb9ebf4

Score

10^/10

netwire botnet evasion persistence rat stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

9499b0710260447af9975b01db876704513975a9a97c119bf004cc4d497ae0b5.exe

Resource

win7-20220414-en

netwire botnet evasion persistence rat stealer trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

9499b0710260447af9975b01db876704513975a9a97c119bf004cc4d497ae0b5.exe

Resource

win10v2004-20220414-en

evasion persistence trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

netwire

C2

timduck.duckdns.org:1194

Attributes

activex_autorun
false
copy_executable
true
delete_original
true
host_id
HostId-%Rand%
install_path
%AppData%\Install\Host.exe
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
HXiMHiTC
offline_keylogger
true
password
Password
registry_autorun
true
startup_name
NetWire
use_mutex
true

Targets

- Target
  
  9499b0710260447af9975b01db876704513975a9a97c119bf004cc4d497ae0b5
- Size
  
  1.9MB
- MD5
  
  51fbd9736548de79bdbbece7db6ed4ab
- SHA1
  
  2f2c1933a2bd9939eddeffd6615c6ffcb10803c1
- SHA256
  
  9499b0710260447af9975b01db876704513975a9a97c119bf004cc4d497ae0b5
- SHA512
  
  2f154955e01b8c04dcb07d9728fbdd169d2fee695d98e57a9a95b6e44e305897fc95eae19c121b9a23bdb06598ae9bb4df76496357d29e0238d5e976ddb9ebf4
Score

10^/10

netwire botnet evasion persistence rat stealer trojan
- Modifies WinLogon for persistence
  persistence
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Windows security bypass
  evasion trojan
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Web Service

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

netwirebotnetevasionpersistenceratstealertrojan

behavioral2

evasionpersistencetrojan

© 2018-2024

Terms | Privacy