netwire | 842ad6e2178d34dd7c823fbee5379873172dbc85d5f2844c24f11ea536096999 | Triage

Submit
Reports

Overview

overview

Static

static

PL & CL IN...93.exe

windows7-x64

7

PL & CL IN...93.exe

windows10-2004-x64

Sharing

General

Target

PL & CL INV08387493.exe
Size

1.0MB
Sample

220902-pewreadffn
MD5

78e5c06c3b4a4f96a266672092b05556
SHA1

32083828685d58ff385cc89989201c165922c178
SHA256

842ad6e2178d34dd7c823fbee5379873172dbc85d5f2844c24f11ea536096999
SHA512

c7e8e5a2a2db6f9395fb01a4855de5996f80facf90d368ca22c3009612d9688b96a107ed12efcee5f30014dbec7617743c9235d1099f026719871f1fc41a97ef
SSDEEP

24576:iZ503X34ojAZqhZSBhdDU+ZCowOyOXY+mzo3bv:k50ooQ8abUMrlmzM

Score

10^/10

netwire botnet rat stealer

Static task

static1

Behavioral task

behavioral1

Sample

PL & CL INV08387493.exe

Resource

win7-20220901-en

windows7-x64

6 signatures

150 seconds

Behavioral task

behavioral2

Sample

PL & CL INV08387493.exe

Resource

win10v2004-20220901-en

netwire botnet rat stealer

windows10-2004-x64

10 signatures

150 seconds

Malware Config

Extracted

Family

netwire

C2

podzeye2.duckdns.org:4433

podzeye2.duckdns.org:4411

podzeye2.duckdns.org:4422

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
lock_executable
false
offline_keylogger
false
password
Password
registry_autorun
false
use_mutex
false

Targets

- Target
  
  PL & CL INV08387493.exe
- Size
  
  1.0MB
- MD5
  
  78e5c06c3b4a4f96a266672092b05556
- SHA1
  
  32083828685d58ff385cc89989201c165922c178
- SHA256
  
  842ad6e2178d34dd7c823fbee5379873172dbc85d5f2844c24f11ea536096999
- SHA512
  
  c7e8e5a2a2db6f9395fb01a4855de5996f80facf90d368ca22c3009612d9688b96a107ed12efcee5f30014dbec7617743c9235d1099f026719871f1fc41a97ef
- SSDEEP
  
  24576:iZ503X34ojAZqhZSBhdDU+ZCowOyOXY+mzo3bv:k50ooQ8abUMrlmzM
Score

10^/10

netwire botnet rat stealer
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Scripting

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

netwirebotnetratstealer

© 2018-2024

Terms | Privacy