netwire | 288719cc7ce53a7dc829be4a5d261e0c9229aca9097b72bea018fa7c9aa84000 | Triage

Submit
Reports

Overview

overview

Static

static

5

16f098e9ce...9d.exe

windows7-x64

16f098e9ce...9d.exe

windows10-2004-x64

Sharing

General

Target

16f098e9ce7d2c6c0575af51f9dc139d.exe
Size

904KB
Sample

220827-3e4c5sade5
MD5

16f098e9ce7d2c6c0575af51f9dc139d
SHA1

19982bb99284f8ba1d0dfb70356a36b798cf7210
SHA256

288719cc7ce53a7dc829be4a5d261e0c9229aca9097b72bea018fa7c9aa84000
SHA512

44535ec96b64d047055018661679e12632113fd3238b3492b6dcc730e1a78b4028deca62d529370e0e3b089984080d4477047bda4ac6a762da14573dcdf8125f
SSDEEP

12288:7aWzgMg7v3qnCiuErQohh0F4JCJ8lnyOcSyck41PNvDWpWTis+0Vz7w:OaHMv6CyrjtnyOcS5k8DWpSnw

Score

10^/10

netwire botnet persistence rat stealer

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

16f098e9ce7d2c6c0575af51f9dc139d.exe

Resource

win7-20220812-en

netwire botnet persistence rat stealer

windows7-x64

12 signatures

150 seconds

Behavioral task

behavioral2

Sample

16f098e9ce7d2c6c0575af51f9dc139d.exe

Resource

win10v2004-20220812-en

netwire botnet persistence rat stealer

windows10-2004-x64

11 signatures

150 seconds

Malware Config

Extracted

Family

netwire

C2

musaad1995-60255.portmap.host:60255

Attributes

activex_autorun
false
activex_key
{0Q55O7T5-7PG8-1407-8Y6O-8DDRN68HAD86}
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
install_path
%AppData%\Local\Microsoft\OneDrive\OneDrive.exe
keylogger_dir
OneDrive.lnk
lock_executable
false
mutex
vMnKWPIY
offline_keylogger
false
password
999000
registry_autorun
false
use_mutex
false

Targets

- Target
  
  16f098e9ce7d2c6c0575af51f9dc139d.exe
- Size
  
  904KB
- MD5
  
  16f098e9ce7d2c6c0575af51f9dc139d
- SHA1
  
  19982bb99284f8ba1d0dfb70356a36b798cf7210
- SHA256
  
  288719cc7ce53a7dc829be4a5d261e0c9229aca9097b72bea018fa7c9aa84000
- SHA512
  
  44535ec96b64d047055018661679e12632113fd3238b3492b6dcc730e1a78b4028deca62d529370e0e3b089984080d4477047bda4ac6a762da14573dcdf8125f
- SSDEEP
  
  12288:7aWzgMg7v3qnCiuErQohh0F4JCJ8lnyOcSyck41PNvDWpWTis+0Vz7w:OaHMv6CyrjtnyOcS5k8DWpSnw
Score

10^/10

netwire botnet persistence rat stealer
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Executes dropped EXE
- Modifies Installed Components in the registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
  persistence
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Remote System Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

netwirebotnetpersistenceratstealer

behavioral2

netwirebotnetpersistenceratstealer

© 2018-2024

Terms | Privacy