netwire | e01bb0869c559b895adf1e203a1e3498aa86e676731ff810183c8a0432559fee | Triage

Submit
Reports

Overview

overview

Static

static

Set-up.exe

windows7-x64

8

Set-up.exe

windows10-2004-x64

Sharing

General

Target

Set-up.exe
Size

3.5MB
Sample

220919-pq159scgdq
MD5

6600434532f969d8fb24ee51fef331b7
SHA1

f3dc4329ded8a0ef1292bebf97611c4ad2e552fe
SHA256

e01bb0869c559b895adf1e203a1e3498aa86e676731ff810183c8a0432559fee
SHA512

109655ea6989bb15ff5f912ea37a5f92e17af52f1b5d23775d9b2a5b384e0bb9edbe7b19b77d27165b1cf1fe9dbd82fd11d68524333f3cced3d5d75e0635f394
SSDEEP

98304:kAI+zy/rv/dDXsN3RUDF/QY0VJkXZf8Bomxl3:jtzyTvVDchRsUMXZfCj3

Score

10^/10

netwire revengerat nyancatrevenge botnet discovery evasion persistence rat stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

Set-up.exe

Resource

win7-20220901-en

windows7-x64

9 signatures

150 seconds

Behavioral task

behavioral2

Sample

Set-up.exe

Resource

win10v2004-20220812-en

netwire revengerat nyancatrevenge botnet discovery evasion persistence rat stealer trojan

windows10-2004-x64

18 signatures

150 seconds

Malware Config

Extracted

Family

revengerat

Botnet

NyanCatRevenge

C2

alice2019.myftp.biz:7575

Mutex

a4765021d3

Extracted

Family

netwire

C2

alice2019.myftp.biz:3360

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
TEST_0000
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
Password
registry_autorun
false
use_mutex
false

Targets

- Target
  
  Set-up.exe
- Size
  
  3.5MB
- MD5
  
  6600434532f969d8fb24ee51fef331b7
- SHA1
  
  f3dc4329ded8a0ef1292bebf97611c4ad2e552fe
- SHA256
  
  e01bb0869c559b895adf1e203a1e3498aa86e676731ff810183c8a0432559fee
- SHA512
  
  109655ea6989bb15ff5f912ea37a5f92e17af52f1b5d23775d9b2a5b384e0bb9edbe7b19b77d27165b1cf1fe9dbd82fd11d68524333f3cced3d5d75e0635f394
- SSDEEP
  
  98304:kAI+zy/rv/dDXsN3RUDF/QY0VJkXZf8Bomxl3:jtzyTvVDchRsUMXZfCj3
Score

10^/10

discovery netwire revengerat nyancatrevenge botnet evasion persistence rat stealer trojan
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- RevengeRAT
  Remote-access trojan with a wide range of capabilities.
  trojan revengerat
- Windows security bypass
  evasion trojan
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Install Root Certificate

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

netwirerevengeratnyancatrevengebotnetdiscoveryevasionpersistenceratstealertrojan

© 2018-2024

Terms | Privacy