netwire

General

Target

573c27f4e0c548e2019acee758099a4a3cdd903c27e884bc640c632cb56258cd
Size

1.6MB
Sample

220725-ahs3csehgn
MD5

2c5dcf7821c1098be0c0fb0b9111b112
SHA1

0d034ed0671d6f90b3be6f92fc010ae533bdcd05
SHA256

573c27f4e0c548e2019acee758099a4a3cdd903c27e884bc640c632cb56258cd
SHA512

5e0b5f4d7f5731844e8d68743ff5092549481e93e083763dd7315eb214aa5750bf0e12ad4fe0c7f56f437bffd70a5e4886f7cb475170a69377f2631658d9987b

Score

10^/10

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Mine New

C2

manuel3.publicvm.com:1022

Mutex

QSR_MUTEX_z2tvmEKtJhCWkEoFqb

Attributes

encryption_key
lzO7ipRSIXeoGW0A0XSN
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Extracted

Family

netwire

C2

manuel3.publicvm.com:3366

Attributes

activex_autorun
false
copy_executable
true
delete_original
false
host_id
HostId-%Rand%
install_path
%AppData%\Install\Host.exe
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
KosdgdKb
offline_keylogger
true
password
Password
registry_autorun
false
use_mutex
true

Targets

- Target
  
  573c27f4e0c548e2019acee758099a4a3cdd903c27e884bc640c632cb56258cd
- Size
  
  1.6MB
- MD5
  
  2c5dcf7821c1098be0c0fb0b9111b112
- SHA1
  
  0d034ed0671d6f90b3be6f92fc010ae533bdcd05
- SHA256
  
  573c27f4e0c548e2019acee758099a4a3cdd903c27e884bc640c632cb56258cd
- SHA512
  
  5e0b5f4d7f5731844e8d68743ff5092549481e93e083763dd7315eb214aa5750bf0e12ad4fe0c7f56f437bffd70a5e4886f7cb475170a69377f2631658d9987b
Score

10^/10

netwire quasar mine new botnet rat spyware stealer suricata trojan
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- suricata: ET MALWARE Common RAT Connectivity Check Observed
  suricata: ET MALWARE Common RAT Connectivity Check Observed
  suricata
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

NetWire RAT payload

Quasar RAT

Quasar payload

suricata: ET MALWARE Common RAT Connectivity Check Observed

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Looks up external IP address via web service

AutoIT Executable

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2