netwire | ac2eca59498f5324d3166d7ac8c3d3920fd3f4f7efc6bb4424a90d6fb5463d85 | Triage

Submit
Reports

Overview

overview

Static

static

TAX INVOICE.xlsm

windows7-x64

TAX INVOICE.xlsm

windows10-2004-x64

Sharing

General

Target

TAX INVOICE.xlsm
Size

42KB
Sample

220810-kjml3shfc4
MD5

01b773033342534fdb00532c2fccbd96
SHA1

d5842b04ae46d80240557b6238884df5b6243d3c
SHA256

ac2eca59498f5324d3166d7ac8c3d3920fd3f4f7efc6bb4424a90d6fb5463d85
SHA512

be43beeaa045d70aff287ab2ccd386ac2f869990793cdccb67956cbf8730ff6c83299904b0a2839d890e960804d111b1506b0d159c920009641d94661b295126

Score

10^/10

netwire botnet rat stealer

Static task

static1

Behavioral task

behavioral1

Sample

TAX INVOICE.xlsm

Resource

win7-20220718-en

netwire botnet rat stealer

windows7-x64

18 signatures

150 seconds

Behavioral task

behavioral2

Sample

TAX INVOICE.xlsm

Resource

win10v2004-20220721-en

windows10-2004-x64

7 signatures

150 seconds

Malware Config

Extracted

Family

netwire

C2

194.5.98.188:3364

194.5.98.188:3366

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
j5m52xuc
registry_autorun
false
use_mutex
false

Targets

- Target
  
  TAX INVOICE.xlsm
- Size
  
  42KB
- MD5
  
  01b773033342534fdb00532c2fccbd96
- SHA1
  
  d5842b04ae46d80240557b6238884df5b6243d3c
- SHA256
  
  ac2eca59498f5324d3166d7ac8c3d3920fd3f4f7efc6bb4424a90d6fb5463d85
- SHA512
  
  be43beeaa045d70aff287ab2ccd386ac2f869990793cdccb67956cbf8730ff6c83299904b0a2839d890e960804d111b1506b0d159c920009641d94661b295126
Score

10^/10

netwire botnet rat stealer
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

netwirebotnetratstealer

behavioral2

© 2018-2024

Terms | Privacy