netwire | 4d56278b029bdc00e31be2e1c2fbc5466e5922021339f76d9cd85627d2cbbe4d | Triage

Submit
Reports

Overview

overview

Static

static

Quote.xll

windows7-x64

7

Quote.xll

windows10-2004-x64

Sharing

General

Target

Quote.xll
Size

3.5MB
Sample

220720-xd2v2afbf6
MD5

a8e4d303989a278e632723fa6862d17c
SHA1

4f2e12a680fb2085ee688eedf12a28dc37276f70
SHA256

4d56278b029bdc00e31be2e1c2fbc5466e5922021339f76d9cd85627d2cbbe4d
SHA512

84d69b24e644409578392bb68a109a863820ddf6915efae1e82e686203c2dd6fd9e390589f6f6e500d17bc2528f2425a8d803db2b5dbe43aadd03c4b8e65679e

Score

10^/10

netwire botnet rat stealer

Static task

static1

Behavioral task

behavioral1

Sample

Quote.xll

Resource

win7-20220715-en

windows7-x64

6 signatures

150 seconds

Behavioral task

behavioral2

Sample

Quote.xll

Resource

win10v2004-20220414-en

netwire botnet rat stealer

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Extracted

Language

xlm4.0

Source

Extracted

Family

netwire

C2

194.5.98.126:3378

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
Pass@2023
registry_autorun
false
use_mutex
false

Targets

- Target
  
  Quote.xll
- Size
  
  3.5MB
- MD5
  
  a8e4d303989a278e632723fa6862d17c
- SHA1
  
  4f2e12a680fb2085ee688eedf12a28dc37276f70
- SHA256
  
  4d56278b029bdc00e31be2e1c2fbc5466e5922021339f76d9cd85627d2cbbe4d
- SHA512
  
  84d69b24e644409578392bb68a109a863820ddf6915efae1e82e686203c2dd6fd9e390589f6f6e500d17bc2528f2425a8d803db2b5dbe43aadd03c4b8e65679e
Score

10^/10

netwire botnet rat stealer
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

netwirebotnetratstealer

© 2018-2024

Terms | Privacy