netwire | 67f5ddf21cf15cefce056ddbe7bbcb3a3a7cd3551c0c1aec77360de58d820786 | Triage

Submit
Reports

Overview

overview

Static

static

c3da75b396...83.exe

windows7-x64

c3da75b396...83.exe

windows10-2004-x64

Sharing

General

Target

c3da75b39650dd66fa445a7a120b6383.exe
Size

1.2MB
Sample

220922-mpyyeabcb5
MD5

c3da75b39650dd66fa445a7a120b6383
SHA1

22e7e85a8ba70a9d5e4c1cfb74365418ef5f45fe
SHA256

67f5ddf21cf15cefce056ddbe7bbcb3a3a7cd3551c0c1aec77360de58d820786
SHA512

a6e6cf1b95a314bc3bf81cee1aadc3657df3d40dba3518480cbe1e121cda6dc3a8a50cc3e3f5d13188a788783db612c1b1d51d3652c92de865a2ed8ca555bac4
SSDEEP

24576:MAOcZXgZd9/IhSnxay31+k97w84cKSVlioyvt1qztey4Zodu:a3YSMA1+YUcKsscey4Zh

Score

10^/10

netwire botnet collection persistence rat spyware stealer

Static task

static1

Behavioral task

behavioral1

Sample

c3da75b39650dd66fa445a7a120b6383.exe

Resource

win7-20220812-en

netwire botnet collection persistence rat spyware stealer

windows7-x64

13 signatures

150 seconds

Behavioral task

behavioral2

Sample

c3da75b39650dd66fa445a7a120b6383.exe

Resource

win10v2004-20220812-en

netwire botnet collection persistence rat spyware stealer

windows10-2004-x64

13 signatures

150 seconds

Malware Config

Targets

- Target
  
  c3da75b39650dd66fa445a7a120b6383.exe
- Size
  
  1.2MB
- MD5
  
  c3da75b39650dd66fa445a7a120b6383
- SHA1
  
  22e7e85a8ba70a9d5e4c1cfb74365418ef5f45fe
- SHA256
  
  67f5ddf21cf15cefce056ddbe7bbcb3a3a7cd3551c0c1aec77360de58d820786
- SHA512
  
  a6e6cf1b95a314bc3bf81cee1aadc3657df3d40dba3518480cbe1e121cda6dc3a8a50cc3e3f5d13188a788783db612c1b1d51d3652c92de865a2ed8ca555bac4
- SSDEEP
  
  24576:MAOcZXgZd9/IhSnxay31+k97w84cKSVlioyvt1qztey4Zodu:a3YSMA1+YUcKsscey4Zh
Score

10^/10

netwire botnet collection persistence rat spyware stealer
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

netwirebotnetcollectionpersistenceratspywarestealer

behavioral2

netwirebotnetcollectionpersistenceratspywarestealer

© 2018-2024

Terms | Privacy