netwire | 5c61b30352d1b30b2dcb1a52b5180e11278e06c33e91bbb89b2c819e13358c27 | Triage

Submit
Reports

Overview

overview

Static

static

IM202208.exe

windows7-x64

3

IM202208.exe

windows10-2004-x64

Sharing

General

Target

IM202208198850.JPG.IMG
Size

1.2MB
Sample

220819-lm1hsaecg6
MD5

c5ba11a890e0666144d4ed080571323a
SHA1

8a501f14a8c584f5eb90b919f3e6bc943efc7c98
SHA256

5c61b30352d1b30b2dcb1a52b5180e11278e06c33e91bbb89b2c819e13358c27
SHA512

0614e8f3baa890350e80c06466d555f4d90cd1ea5ad3c0faf37017536c5f236add36d206590d8743e799ff6eeb33d8a6a5d8ad7d17cf43a9ac62b9246c1f25a3
SSDEEP

24576:GCuCMuw1eDV84Njaw7laCPIFDum+y2eN:qjenNL7lboOyt

Score

10^/10

netwire botnet rat stealer

Static task

static1

Behavioral task

behavioral1

Sample

IM202208.exe

Resource

win7-20220812-en

windows7-x64

5 signatures

150 seconds

Behavioral task

behavioral2

Sample

IM202208.exe

Resource

win10v2004-20220812-en

netwire botnet rat stealer

windows10-2004-x64

9 signatures

150 seconds

Malware Config

Extracted

Family

netwire

C2

212.193.30.230:3363

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
Password@2
registry_autorun
false
use_mutex
false

Targets

- Target
  
  IM202208.EXE
- Size
  
  727KB
- MD5
  
  c1ca174fbfc7936f8d9d0aad755f29cf
- SHA1
  
  16ad7f314c9c2742886523ac256fbb4a5f4bfdb0
- SHA256
  
  d08f75542680080f9d3393fc3bb0ced3c30335db5030c1f38a8d7a7aadb15794
- SHA512
  
  e2ff294837639043c1b24cfee2eae281284ac9a563ad5e8d31a8ce7538f60447cb747508021b98326a78923e99159109fc908c390a8f3d570d7d91b6d24fa280
- SSDEEP
  
  12288:YcmeuEHslgDaK6nyfAt1eDFZByVxc/Njaw7lTUnCPIvFWzkGI+3mSaEy2eeKA:YCuCMuw1eDV84Njaw7laCPIFDum+y2eN
Score

10^/10

netwire botnet rat stealer
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

netwirebotnetratstealer

© 2018-2024

Terms | Privacy