netwire | c0dd3a6e05143884e774dc66865b540541c944c0f885a2b3ece43db13d15e9c4 | Triage

Submit
Reports

Overview

overview

Static

static

proof of payment.exe

windows7-x64

proof of payment.exe

windows10-2004-x64

Sharing

General

Target

c0dd3a6e05143884e774dc66865b540541c944c0f885a2b3ece43db13d15e9c4
Size

1.1MB
Sample

220731-nsqa4sfdbr
MD5

41f346ad9f14c4e55659b17967eb7bec
SHA1

771bd391f475460cd74c0b6af200ea42921daf95
SHA256

c0dd3a6e05143884e774dc66865b540541c944c0f885a2b3ece43db13d15e9c4
SHA512

d9aa2f856c9e255985bc3a74abcba4a5de43f20b4ca1907333b6a41ef893818abc05a478014bb496eaf1b27fe809cd98b78b4ec63ab601b754a88f0fc834b848

Score

10^/10

netwire botnet persistence rat stealer

Static task

static1

Behavioral task

behavioral1

Sample

proof of payment.exe

Resource

win7-20220715-en

netwire botnet persistence rat stealer

windows7-x64

8 signatures

150 seconds

Behavioral task

behavioral2

Sample

proof of payment.exe

Resource

win10v2004-20220721-en

netwire botnet persistence rat stealer

windows10-2004-x64

9 signatures

150 seconds

Malware Config

Extracted

Family

netwire

C2

185.244.31.108:3340

91.189.180.199:3362

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
Soweto3000
registry_autorun
false
use_mutex
false

Targets

- Target
  
  proof of payment.exe
- Size
  
  1.3MB
- MD5
  
  39b4b2215fa87ab9817e66c05563f3d6
- SHA1
  
  454d37c98ee8ba8966e186e82dda11bec004d3c0
- SHA256
  
  783ed74b60bdd963e8b98dd9fd4914945f475dc1da1049a506d26bb0857357b1
- SHA512
  
  f6341cfd84f04db032fab87d2dfe71af5148decbc69045b723e4487e39fc1d9b2c55199432fb055b6d135baf15076147458dfb81503eb3bd0562d97415aae77a
Score

10^/10

netwire botnet persistence rat stealer
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

netwirebotnetpersistenceratstealer

behavioral2

netwirebotnetpersistenceratstealer

© 2018-2024

Terms | Privacy