netwire | 87ce6467d71023d696315cd06d578f2a17218012beba5502744779614fc67f08 | Triage

Submit
Reports

Overview

overview

Static

static

Proof of payment.exe

windows7-x64

Proof of payment.exe

windows10-2004-x64

Sharing

General

Target

Proof of payment.exe
Size

796KB
Sample

220920-snfy4ahbam
MD5

4f1dde6a0e85ec1f25111ff2e89dd9b8
SHA1

1500830e31d710531398faec93e0d72ce5ff3f22
SHA256

87ce6467d71023d696315cd06d578f2a17218012beba5502744779614fc67f08
SHA512

1eaf18e562b52d293eed3ed0c61d9a077c3d8b12a08c86f8bf44a3d93b5d34fa515db5cbd3b9d22e7015c7279bf6573cbd7e0fb17987cee4b560955931b5949b
SSDEEP

12288:hJp7/xpfrKI9Ne/flL3MICFcG52Kh2mIDQfdADqjJ5n:9vfr1kN3NCWGT6Qljr

Score

10^/10

netwire botnet evasion rat stealer

Static task

static1

Behavioral task

behavioral1

Sample

Proof of payment.exe

Resource

win7-20220812-en

netwire botnet evasion rat stealer

windows7-x64

12 signatures

150 seconds

Behavioral task

behavioral2

Sample

Proof of payment.exe

Resource

win10v2004-20220812-en

netwire botnet evasion rat stealer

windows10-2004-x64

12 signatures

150 seconds

Malware Config

Extracted

Family

netwire

C2

37.0.14.214:3346

37.0.14.214:4478

37.0.14.214:3469

37.0.14.214:3565

37.0.14.214:3360

37.0.14.214:5589

37.0.14.214:6425

Attributes

activex_autorun
false
copy_executable
true
delete_original
false
host_id
HostId-%Rand%
install_path
%AppData%\Install\Host.exe
keylogger_dir
%AppData%\Logs\
lock_executable
true
offline_keylogger
true
password
move4ward
registry_autorun
false
use_mutex
false

Targets

- Target
  
  Proof of payment.exe
- Size
  
  796KB
- MD5
  
  4f1dde6a0e85ec1f25111ff2e89dd9b8
- SHA1
  
  1500830e31d710531398faec93e0d72ce5ff3f22
- SHA256
  
  87ce6467d71023d696315cd06d578f2a17218012beba5502744779614fc67f08
- SHA512
  
  1eaf18e562b52d293eed3ed0c61d9a077c3d8b12a08c86f8bf44a3d93b5d34fa515db5cbd3b9d22e7015c7279bf6573cbd7e0fb17987cee4b560955931b5949b
- SSDEEP
  
  12288:hJp7/xpfrKI9Ne/flL3MICFcG52Kh2mIDQfdADqjJ5n:9vfr1kN3NCWGT6Qljr
Score

10^/10

netwire botnet evasion rat stealer
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Looks for VirtualBox Guest Additions in registry
  evasion
- Executes dropped EXE
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

Virtualization/Sandbox Evasion

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

netwirebotnetevasionratstealer

behavioral2

netwirebotnetevasionratstealer

© 2018-2024

Terms | Privacy