netwire | e16665207a7040752753e23815225e18aef8811a12bcef662f17bda9956ef076 | Triage

Submit
Reports

Overview

overview

Static

static

Hesaphareketi-01.exe

windows7-x64

9

Hesaphareketi-01.exe

windows10-2004-x64

Sharing

General

Target

Hesaphareketi-01.exe
Size

89KB
Sample

220905-pf13hsggcj
MD5

bad42e908830728792ab8e29baa24cba
SHA1

598ebd86fc494867f023fe72ccdfe11ad307bfed
SHA256

e16665207a7040752753e23815225e18aef8811a12bcef662f17bda9956ef076
SHA512

088c861d5ff2b3abbbc415879e860d066efd95b42cb003195dd2bbf8c4b5aeac880ce87462e9b7b36ff98c177dcb22e91854fa2958bdede986a5cf30775c22d1
SSDEEP

384:KAe/O7/HyORHvJduRKo6nCo7DYfmWTnLDBJNTmpGEq53K/VJADpbKxYC5nBJf13g:cOjSOdRduRKvnCo7DYfmWzHMpVJTXo

Score

10^/10

netwire botnet discovery persistence rat stealer

Static task

static1

Behavioral task

behavioral1

Sample

Hesaphareketi-01.exe

Resource

win7-20220901-en

windows7-x64

2 signatures

150 seconds

Behavioral task

behavioral2

Sample

Hesaphareketi-01.exe

Resource

win10v2004-20220812-en

netwire botnet persistence rat stealer

windows10-2004-x64

9 signatures

150 seconds

Malware Config

Extracted

Family

netwire

C2

bigman2021.duckdns.org:3303

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
lock_executable
false
offline_keylogger
false
password
Password
registry_autorun
false
use_mutex
false

Targets

- Target
  
  Hesaphareketi-01.exe
- Size
  
  89KB
- MD5
  
  bad42e908830728792ab8e29baa24cba
- SHA1
  
  598ebd86fc494867f023fe72ccdfe11ad307bfed
- SHA256
  
  e16665207a7040752753e23815225e18aef8811a12bcef662f17bda9956ef076
- SHA512
  
  088c861d5ff2b3abbbc415879e860d066efd95b42cb003195dd2bbf8c4b5aeac880ce87462e9b7b36ff98c177dcb22e91854fa2958bdede986a5cf30775c22d1
- SSDEEP
  
  384:KAe/O7/HyORHvJduRKo6nCo7DYfmWTnLDBJNTmpGEq53K/VJADpbKxYC5nBJf13g:cOjSOdRduRKvnCo7DYfmWzHMpVJTXo
Score

10^/10

discovery netwire botnet persistence rat stealer
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Creates a large amount of network flows
  This may indicate a network scan to discover remotely running services.
  discovery
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Network Service Scanning

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

netwirebotnetpersistenceratstealer

© 2018-2024

Terms | Privacy