netwire

General

Target

b9074d0cd7ac7ce88dfcf67a6bd012215bdc2c7a84b9d0b62431d14fe86acbfc
Size

636KB
Sample

220725-dqwp1acch9
MD5

f23069902a2ecea262d4b5e1d5565079
SHA1

d144413478b84a3366c8ea31202fc7dac2020a94
SHA256

b9074d0cd7ac7ce88dfcf67a6bd012215bdc2c7a84b9d0b62431d14fe86acbfc
SHA512

6da53e3b9206eac0147db11212c7f20498333597006e6c216869c087e825a9ede9232dac6637c86858bd18e38ab10d1533e667862c09bcdbf6b783bb6037a9dc

Score

10^/10

Malware Config

Extracted

Family

netwire

C2

185.244.30.177:8973

Attributes

activex_autorun
true
activex_key
{256C14W2-4307-17L5-O833-2WK3KRN38HN2}
copy_executable
true
delete_original
false
host_id
HostId-%Rand%
install_path
%AppData%\Install\Host.exe
lock_executable
false
offline_keylogger
false
password
Password
registry_autorun
true
startup_name
windows1
use_mutex
false

Targets

- Target
  
  b9074d0cd7ac7ce88dfcf67a6bd012215bdc2c7a84b9d0b62431d14fe86acbfc
- Size
  
  636KB
- MD5
  
  f23069902a2ecea262d4b5e1d5565079
- SHA1
  
  d144413478b84a3366c8ea31202fc7dac2020a94
- SHA256
  
  b9074d0cd7ac7ce88dfcf67a6bd012215bdc2c7a84b9d0b62431d14fe86acbfc
- SHA512
  
  6da53e3b9206eac0147db11212c7f20498333597006e6c216869c087e825a9ede9232dac6637c86858bd18e38ab10d1533e667862c09bcdbf6b783bb6037a9dc
Score

10^/10

netwire botnet persistence rat stealer
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Executes dropped EXE
- Modifies Installed Components in the registry
  persistence
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

NetWire RAT payload

Executes dropped EXE

Modifies Installed Components in the registry

Loads dropped DLL

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2