Extracted

• • Target

    647f075a30a3b628fa2b988223dde0f69bb0149b33fced9a78806de23ab7937c

  • Size

    1.2MB

  • MD5

    1bea501f52f6075bb7ca051ad4454e8c

  • SHA1

    73f2f06dfa4a91bda577df01ac6b55189126f9ed

  • SHA256

    647f075a30a3b628fa2b988223dde0f69bb0149b33fced9a78806de23ab7937c

  • SHA512

    130ad7fd52c0f72fbb4bc13387bcc2d36d4dede4f2000bf2bba4d5a1f97f4e0ff71b18541179264be5e0502a2584444766c1e564fb90ba2623ed4875c9e78dde

  Score

  10^/10

  evasionpersistencenetwirebotnetratstealer

  • NetWire RAT payload

    rat

  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire

  • Disables Task Manager via registry modification

    evasion

  • Executes dropped EXE

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Loads dropped DLL

  • Adds Run key to start application

    persistence

  • Suspicious use of SetThreadContext

  behavioral1behavioral2