netwire | f5d2f36d2eb3da932a44aa413182a18d6b3d47d11346d9943c37ab907daf4b09 | Triage

Submit
Reports

Overview

overview

Static

static

f5d2f36d2e...09.exe

windows7-x64

f5d2f36d2e...09.exe

windows10-2004-x64

Sharing

General

Target

f5d2f36d2eb3da932a44aa413182a18d6b3d47d11346d9943c37ab907daf4b09
Size

258KB
Sample

220731-hgmsysdah9
MD5

dc0e9d999a069b736be23872cce791c6
SHA1

80ba32eaf12efd4f5e8d0d1c67c24dd86181817d
SHA256

f5d2f36d2eb3da932a44aa413182a18d6b3d47d11346d9943c37ab907daf4b09
SHA512

1b1b9ed216730516c4c98d747632d42b67e6694f9be0da3da841b6410f2dffc799867af8f40c8e75ddcf6114814e90b46fc8dc56750d74d4659518ea74a378b9

Score

10^/10

netwire botnet rat stealer

Static task

static1

Behavioral task

behavioral1

Sample

f5d2f36d2eb3da932a44aa413182a18d6b3d47d11346d9943c37ab907daf4b09.exe

Resource

win7-20220718-en

netwire botnet rat stealer

windows7-x64

8 signatures

150 seconds

Behavioral task

behavioral2

Sample

f5d2f36d2eb3da932a44aa413182a18d6b3d47d11346d9943c37ab907daf4b09.exe

Resource

win10v2004-20220721-en

netwire botnet rat stealer

windows10-2004-x64

8 signatures

150 seconds

Malware Config

Extracted

Family

netwire

C2

zicopele2018.sytes.net:3584

zicopele2018backup.sytes.net:3584

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
keylogger_dir
C:\Users\Admin\AppData\Roaming\Logs\
lock_executable
false
mutex
vkRChWpP
offline_keylogger
true
password
Password
registry_autorun
false
use_mutex
true

Targets

- Target
  
  f5d2f36d2eb3da932a44aa413182a18d6b3d47d11346d9943c37ab907daf4b09
- Size
  
  258KB
- MD5
  
  dc0e9d999a069b736be23872cce791c6
- SHA1
  
  80ba32eaf12efd4f5e8d0d1c67c24dd86181817d
- SHA256
  
  f5d2f36d2eb3da932a44aa413182a18d6b3d47d11346d9943c37ab907daf4b09
- SHA512
  
  1b1b9ed216730516c4c98d747632d42b67e6694f9be0da3da841b6410f2dffc799867af8f40c8e75ddcf6114814e90b46fc8dc56750d74d4659518ea74a378b9
Score

10^/10

netwire botnet rat stealer
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Drops startup file
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

Persistence

Privilege Escalation

Defense Evasion

Scripting

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

netwirebotnetratstealer

behavioral2

netwirebotnetratstealer

© 2018-2024

Terms | Privacy