netwire | a36e885bc0c8a691dda06f59183df0c1d9aa95d5b3be78e7f15e06112df91dd3 | Triage

Submit
Reports

Overview

overview

Static

static

Invoice2.xll

windows7-x64

7

Invoice2.xll

windows10-2004-x64

Sharing

General

Target

Invoice2.xll
Size

1.8MB
Sample

220715-n9qyzabebl
MD5

404a960e1f8906c4be238963f40ac58d
SHA1

71793267556d9a66f3c324a94cb14593cbde5e55
SHA256

a36e885bc0c8a691dda06f59183df0c1d9aa95d5b3be78e7f15e06112df91dd3
SHA512

b3d28093046166806c37034dbcf129a0353645bc257891146b541fd522baf79f8a0b4376dd5bd5151d2f49ecd99b997c0ede0f15550dda147174187fe5ff11a4

Score

10^/10

netwire botnet rat stealer

Static task

static1

Behavioral task

behavioral1

Sample

Invoice2.xll

Resource

win7-20220414-en

windows7-x64

6 signatures

150 seconds

Behavioral task

behavioral2

Sample

Invoice2.xll

Resource

win10v2004-20220414-en

netwire botnet rat stealer

windows10-2004-x64

15 signatures

150 seconds

Malware Config

Extracted

Language

xlm4.0

Source

Extracted

Family

netwire

C2

194.5.98.188:3364

194.5.98.188:3366

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
j5m52xuc
registry_autorun
false
use_mutex
false

Targets

- Target
  
  Invoice2.xll
- Size
  
  1.8MB
- MD5
  
  404a960e1f8906c4be238963f40ac58d
- SHA1
  
  71793267556d9a66f3c324a94cb14593cbde5e55
- SHA256
  
  a36e885bc0c8a691dda06f59183df0c1d9aa95d5b3be78e7f15e06112df91dd3
- SHA512
  
  b3d28093046166806c37034dbcf129a0353645bc257891146b541fd522baf79f8a0b4376dd5bd5151d2f49ecd99b997c0ede0f15550dda147174187fe5ff11a4
Score

10^/10

netwire botnet rat stealer
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

netwirebotnetratstealer

© 2018-2024

Terms | Privacy