netwire | a8a14ce7828e2b535969dacda21098712fdb541c1f0ffeae29423b3779a5eecd | Triage

Submit
Reports

Overview

overview

Static

static

Screenshot_06.scr

windows7-x64

Screenshot_06.scr

windows10-2004-x64

Sharing

General

Target

ecbec00a4881e64b82410c814ef12c12-sample.zip
Size

271KB
Sample

220914-szsr2aedep
MD5

aa43e96ee33fd21d86c4e64c70b6cfb2
SHA1

e9a8730a440338f7e112d6e99defff67b44bac85
SHA256

a8a14ce7828e2b535969dacda21098712fdb541c1f0ffeae29423b3779a5eecd
SHA512

f6d1d5b1891d29354123b54066922dc81465b107e9853f0898bbb2fe7b02b6f6ec2adf5acf7a40f37d8049b6df49f64442b938ed6b6c55d53d2649cb48148fb1
SSDEEP

6144:W5941BQwL5HHsji+6dU+92rC2BuH3NZY3Lxmzmy/Ywp7EB9NJKoJ:W5y1TL9q6+C2BIZkNmz//wNJlJ

Score

10^/10

netwire botnet persistence rat stealer

Static task

static1

Behavioral task

behavioral1

Sample

Screenshot_06.scr

Resource

win7-20220812-en

netwire botnet persistence rat stealer

windows7-x64

8 signatures

150 seconds

Behavioral task

behavioral2

Sample

Screenshot_06.scr

Resource

win10v2004-20220812-en

netwire botnet persistence rat stealer

windows10-2004-x64

8 signatures

150 seconds

Malware Config

Extracted

Family

netwire

C2

iphanyi.edns.biz:3360

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
RDP_SEPT_2022
install_path
%AppData%\Install\Host.exe
lock_executable
false
offline_keylogger
false
password
caster123
registry_autorun
false
use_mutex
false

Targets

- Target
  
  Screenshot_06.scr
- Size
  
  280KB
- MD5
  
  1ed5bcc01a8089fd6e3085a78e4956a7
- SHA1
  
  461fd6a2f8e29ebaf1f7e61f05ce1fe4ae4bca10
- SHA256
  
  31ea489cce90c230fba6c502d97bd1fb804f881194e4ee516fc29c8b27b10cc1
- SHA512
  
  e69959d5be1e1239f6903ff1a8a22379ee2fd9cba56231ae5dfc8f6cf39858601bf02152d903daeddfcc9335a2cb54ec38c030c9cb3017ef5f13f66a130c7621
- SSDEEP
  
  6144:cvhvCENP+urb1AlE72pkTbZi/02De/Tj58jaBWtZ1mG:CcbQUk5RwMTjkaBaz
Score

10^/10

netwire botnet persistence rat stealer
- Modifies WinLogon for persistence
  persistence
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

netwirebotnetpersistenceratstealer

behavioral2

netwirebotnetpersistenceratstealer

© 2018-2024

Terms | Privacy