netwire | cb98930bce872134743d81a536af49d6d74f48d544b6eb86721595fff9f7be37 | Triage

Sharing

General

Target

cb98930bce872134743d81a536af49d6d74f48d544b6eb86721595fff9f7be37
Size

808KB
Sample

220724-zqe8xagcar
MD5

5fb94c5b4ca3090c9fcfa3eaf5a756dc
SHA1

015c63e0150aa708991c0089329bf56ef32017b9
SHA256

cb98930bce872134743d81a536af49d6d74f48d544b6eb86721595fff9f7be37
SHA512

3df0f4af100b9c243325e7769002c025acd982a502cf27493e2de77fe6e442bb02204205a5f919f47f0899788aeb0f9c643292298b9685ee6639ffd6537635e1

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

C2

microwindws.dynu.net:3361

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
hortWgup
offline_keylogger
true
password
Password
registry_autorun
false
use_mutex
true

Targets

- Target
  
  cb98930bce872134743d81a536af49d6d74f48d544b6eb86721595fff9f7be37
- Size
  
  808KB
- MD5
  
  5fb94c5b4ca3090c9fcfa3eaf5a756dc
- SHA1
  
  015c63e0150aa708991c0089329bf56ef32017b9
- SHA256
  
  cb98930bce872134743d81a536af49d6d74f48d544b6eb86721595fff9f7be37
- SHA512
  
  3df0f4af100b9c243325e7769002c025acd982a502cf27493e2de77fe6e442bb02204205a5f919f47f0899788aeb0f9c643292298b9685ee6639ffd6537635e1
Score

10^/10

netwire botnet rat stealer
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Drops startup file
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

Persistence

Privilege Escalation

Defense Evasion

Scripting

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

netwirebotnetratstealer