netwire | 8dc073cc9c71f0ef0e77d8942a776886d3913d6c44d0348c363ba582c1d89143 | Triage

Submit
Reports

Overview

overview

Static

static

8DC073CC9C...03.exe

windows7-x64

8

8DC073CC9C...03.exe

windows10-2004-x64

Sharing

General

Target

8DC073CC9C71F0EF0E77D8942A776886D3913D6C44D03.exe
Size

3.0MB
Sample

220904-gkxlwsbadm
MD5

76dcf81a67e2661ad35a3270b38f7513
SHA1

fa7b809286f880f938529680fe9ac15f1af4cd6c
SHA256

8dc073cc9c71f0ef0e77d8942a776886d3913d6c44d0348c363ba582c1d89143
SHA512

50e33272e6d086e13175119052fac0d614649d200ea40dcc18a6bb7702281ebaaf3135bdd5903d0efc4422122174f863cbbd49060b46a8f8a8924faf83ebbd4a
SSDEEP

49152:kAI+tes2jTe59++yYZSk55P/eRK+FuuI9xYJdn5tvkRo8u4Cfyqv:kAI+tx2v8AYZSkGRK0uuIozzvk0v

Score

10^/10

netwire botnet discovery evasion persistence rat stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

8DC073CC9C71F0EF0E77D8942A776886D3913D6C44D03.exe

Resource

win7-20220901-en

windows7-x64

9 signatures

150 seconds

Behavioral task

behavioral2

Sample

8DC073CC9C71F0EF0E77D8942A776886D3913D6C44D03.exe

Resource

win10v2004-20220812-en

netwire botnet discovery evasion persistence rat stealer trojan

windows10-2004-x64

20 signatures

150 seconds

Malware Config

Extracted

Family

netwire

C2

alice2019.myftp.biz:3360

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
TEST_4040
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
Password
registry_autorun
false
use_mutex
false

Targets

- Target
  
  8DC073CC9C71F0EF0E77D8942A776886D3913D6C44D03.exe
- Size
  
  3.0MB
- MD5
  
  76dcf81a67e2661ad35a3270b38f7513
- SHA1
  
  fa7b809286f880f938529680fe9ac15f1af4cd6c
- SHA256
  
  8dc073cc9c71f0ef0e77d8942a776886d3913d6c44d0348c363ba582c1d89143
- SHA512
  
  50e33272e6d086e13175119052fac0d614649d200ea40dcc18a6bb7702281ebaaf3135bdd5903d0efc4422122174f863cbbd49060b46a8f8a8924faf83ebbd4a
- SSDEEP
  
  49152:kAI+tes2jTe59++yYZSk55P/eRK+FuuI9xYJdn5tvkRo8u4Cfyqv:kAI+tx2v8AYZSkGRK0uuIozzvk0v
Score

10^/10

discovery netwire botnet evasion persistence rat stealer trojan
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Windows security bypass
  evasion trojan
- Grants admin privileges
  Uses net.exe to modify the user's privileges.
- Executes dropped EXE
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Account Manipulation

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Install Root Certificate

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

netwirebotnetdiscoveryevasionpersistenceratstealertrojan

© 2018-2024

Terms | Privacy