netwire | a6390106edb370abb8e883ad0086cd2859682d90d4561f997ecb464f44fd0432

Sharing

Copy URL

Twitter E-mail

General

Target

a6390106edb370abb8e883ad0086cd2859682d90d4561f997ecb464f44fd0432
Size

105KB
MD5

e1feabc1d68e3240a27c8439bd10a6b9
SHA1

4a6305b9bed952db5f7ad5fa83cce36494f4c19b
SHA256

a6390106edb370abb8e883ad0086cd2859682d90d4561f997ecb464f44fd0432
SHA512

3fbf8d44523f6f5ca2d674ba2e6e7e54041a47b985e0cea846744c30bfe7925b21348f47fb89fc6bae3a31247862fbcfdac64468e07a5692e1461a423eadb719
SSDEEP

1536:W+kWqNoD2BUvkeO6Vwu1CwNGG6nJnwSN3QPD6B1FfZ1qkHQemwZSbUgoDwSTyn:WdWSUvu0CwNcnFzZI+myDXTyn

Score

10^/10

rat netwire

Malware Config

Extracted

Family

netwire

engine79.ddns.net:4414

chrisle79.ddns.net:4414

jacknop79.ddns.net:4414

smath79.ddns.net:4414

whatis79.ddns.net:4414

goodgt79.ddns.net:4414

bonding79.ddns.net:4414

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
June 2019
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
nrYPKjrp
offline_keylogger
true
password
Password2$
registry_autorun
false
use_mutex
true

Signatures

NetWire RAT payload 1 IoCs
rat

Processes:

resource yara_rule

sample netwire
Netwire family
netwire

resource	yara_rule
sample	netwire

Files

a6390106edb370abb8e883ad0086cd2859682d90d4561f997ecb464f44fd0432
.exe windows x64

e1c7c518b9eed89ccdd036e87dc17f07

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DEBUG_STRIPPED

Imports

advapi32

CryptAcquireContextA
CryptCreateHash
CryptDestroyHash
CryptGetHashParam
CryptHashData
CryptReleaseContext
RegCloseKey
RegCreateKeyExA
RegDeleteKeyA
RegDeleteValueA
RegEnumKeyExA
RegEnumValueA
RegOpenKeyExA
RegQueryValueExA
RegSetValueExA

crypt32

CryptUnprotectData

gdi32

BitBlt
CreateCompatibleBitmap
CreateCompatibleDC
DeleteDC
DeleteObject
GetDIBits
SelectObject

kernel32

CloseHandle
CreateDirectoryA
CreateFileA
CreateMutexA
CreatePipe
CreateProcessA
CreateToolhelp32Snapshot
DeleteCriticalSection
DeleteFileA
EnterCriticalSection
ExitProcess
FileTimeToSystemTime
FindClose
FindFirstFileA
FindNextFileA
FreeLibrary
GetCommandLineA
GetComputerNameA
GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
GetDiskFreeSpaceExA
GetDriveTypeA
GetFileAttributesA
GetFileAttributesExA
GetLastError
GetLocalTime
GetLogicalDriveStringsA
GetModuleFileNameA
GetProcAddress
GetProcessTimes
GetStartupInfoA
GetSystemInfo
GetSystemTime
GetSystemTimeAsFileTime
GetTickCount
GetVersionExA
GetVolumeInformationA
InitializeCriticalSection
LeaveCriticalSection
LoadLibraryA
LocalFree
MoveFileA
OpenProcess
PeekNamedPipe
Process32First
Process32Next
QueryPerformanceCounter
ReadFile
ReleaseMutex
ResumeThread
RtlAddFunctionTable
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
SetErrorMode
SetFileAttributesA
SetFilePointer
SetUnhandledExceptionFilter
Sleep
TerminateProcess
TlsGetValue
UnhandledExceptionFilter
VirtualProtect
VirtualQuery
WideCharToMultiByte
WriteFile
__C_specific_handler

msvcrt

__dllonexit
__getmainargs
__initenv
__iob_func
__lconv_init
__set_app_type
__setusermatherr
_acmdln
_amsg_exit
_beginthreadex
_cexit
_filelengthi64
_fileno
_fmode
_fpreset
_initterm
_lock
_onexit
_unlock
_vscprintf
_vsnprintf
abort
calloc
exit
fclose
feof
ferror
fflush
fgetpos
fgets
fopen
fprintf
fread
free
fsetpos
fwrite
getenv
malloc
memcpy
realloc
signal
sprintf
strcat
strchr
strcmp
strcpy
strlen
strncmp
vfprintf

netapi32

NetApiBufferFree
NetWkstaGetInfo

ole32

CoTaskMemFree

shell32

SHFileOperationA
ShellExecuteA

user32

CreateWindowExA
DefWindowProcA
DispatchMessageA
EnumWindows
GetDC
GetDesktopWindow
GetForegroundWindow
GetKeyNameTextA
GetKeyState
GetKeyboardState
GetLastInputInfo
GetMessageA
GetSystemMetrics
GetWindowTextA
IsWindowVisible
MapVirtualKeyA
PostQuitMessage
RegisterClassExA
ReleaseDC
SendMessageA
SetCursorPos
SetWindowTextA
ShowWindow
ToAscii
TranslateMessage
keybd_event
mouse_event

ws2_32

WSACleanup
WSAGetLastError
WSAIoctl
WSAStartup
__WSAFDIsSet
closesocket
connect
gethostbyname
gethostname
htons
inet_ntoa
ioctlsocket
ntohs
recv
select
send
setsockopt
shutdown
socket

Sections

.text
Size: 75KB - Virtual size: 75KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 9KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.pdata
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.xdata
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.bss
Size: - Virtual size: 28KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 7KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.CRT
Size: 512B - Virtual size: 104B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 512B - Virtual size: 104B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Sharing

General

Malware Config

Extracted

Signatures

Files

e1c7c518b9eed89ccdd036e87dc17f07

Headers

File Characteristics

Imports

advapi32

crypt32

gdi32

kernel32

msvcrt

netapi32

ole32

shell32

user32

ws2_32

Sections

.text Size: 75KB - Virtual size: 75KB

.data Size: 3KB - Virtual size: 2KB

.rdata Size: 9KB - Virtual size: 8KB

.pdata Size: 4KB - Virtual size: 3KB

.xdata Size: 4KB - Virtual size: 3KB

.bss Size: - Virtual size: 28KB

.idata Size: 7KB - Virtual size: 7KB

.CRT Size: 512B - Virtual size: 104B

.tls Size: 512B - Virtual size: 104B

.text
Size: 75KB - Virtual size: 75KB

.data
Size: 3KB - Virtual size: 2KB

.rdata
Size: 9KB - Virtual size: 8KB

.pdata
Size: 4KB - Virtual size: 3KB

.xdata
Size: 4KB - Virtual size: 3KB

.bss
Size: - Virtual size: 28KB

.idata
Size: 7KB - Virtual size: 7KB

.CRT
Size: 512B - Virtual size: 104B

.tls
Size: 512B - Virtual size: 104B