netwire | a2a0a4b91cbcf08126c70586521d2e7a0d6cf744058c314ffced7bdce97a40a1 | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

Payment co...on.exe

windows7-x64

Payment co...on.exe

windows10-2004-x64

Sharing

General

Target

Payment confirmation.exe
Size

794KB
Sample

220920-jh4njafhdm
MD5

d2e1541ec3a29b282d6b0695f4d223af
SHA1

31e6d8ebcfb269cb6ec3422439633bc14eb22ea6
SHA256

a2a0a4b91cbcf08126c70586521d2e7a0d6cf744058c314ffced7bdce97a40a1
SHA512

86844a6d7f84b1852873f5eec28ce7b60e2d381d83b4bb25052593adfa6e5f1d1b35d6df2e4bf949f570a86b9905ac34c45fc27680e0869ee7b24c6351f0fa8f
SSDEEP

12288:U91Rix5fEFksZMpJqB61ap5a0kAh8ZwQmiiyqADqjJ5n:UifEFkfJoi0k4E7mkMjr

Score

10^/10

netwire botnet rat stealer

Static task

static1

Behavioral task

behavioral1

Sample

Payment confirmation.exe

Resource

win7-20220901-en

netwire botnet rat stealer

windows7-x64

8 signatures

150 seconds

Behavioral task

behavioral2

Sample

Payment confirmation.exe

Resource

win10v2004-20220812-en

netwire botnet rat stealer

windows10-2004-x64

10 signatures

150 seconds

Malware Config

Extracted

Family

netwire

C2

37.0.14.214:3346

37.0.14.214:4478

37.0.14.214:3469

37.0.14.214:3565

Attributes

activex_autorun
false
copy_executable
true
delete_original
false
host_id
HostId-%Rand%
install_path
%AppData%\Install\Host.exe
keylogger_dir
%AppData%\Logs\
lock_executable
true
offline_keylogger
true
password
move4ward
registry_autorun
false
use_mutex
false

Targets

- Target
  
  Payment confirmation.exe
- Size
  
  794KB
- MD5
  
  d2e1541ec3a29b282d6b0695f4d223af
- SHA1
  
  31e6d8ebcfb269cb6ec3422439633bc14eb22ea6
- SHA256
  
  a2a0a4b91cbcf08126c70586521d2e7a0d6cf744058c314ffced7bdce97a40a1
- SHA512
  
  86844a6d7f84b1852873f5eec28ce7b60e2d381d83b4bb25052593adfa6e5f1d1b35d6df2e4bf949f570a86b9905ac34c45fc27680e0869ee7b24c6351f0fa8f
- SSDEEP
  
  12288:U91Rix5fEFksZMpJqB61ap5a0kAh8ZwQmiiyqADqjJ5n:UifEFkfJoi0k4E7mkMjr
Score

10^/10

netwire botnet rat stealer
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

netwirebotnetratstealer

behavioral2

netwirebotnetratstealer

© 2018-2025

Terms | Privacy