netwire | 682e7f4053a133c8fe08dfede3962d5af96f01dff69a72ac0b0f0ba8afc57191 | Triage

Submit
Reports

Overview

overview

Static

static

682e7f4053...91.rtf

windows7-x64

682e7f4053...91.rtf

windows10-2004-x64

Sharing

General

Target

682e7f4053a133c8fe08dfede3962d5af96f01dff69a72ac0b0f0ba8afc57191
Size

1.2MB
Sample

221003-cfr4dsdahk
MD5

6e752a28a3d4f61fb158099beab88f90
SHA1

d8c18216e718401d37a81674d4f4bb95f16742c6
SHA256

682e7f4053a133c8fe08dfede3962d5af96f01dff69a72ac0b0f0ba8afc57191
SHA512

66bad4bab339a255cded95b6a03df4c149c486deceb23c3fd55080b16d48251bc7ad4db5e5e74c95ad46deebbdbb70fa05ee6fa26ae01e56fa9a89d9ad32e1eb
SSDEEP

24576:ko+0Kiy8TOWMRIHjVK+v8GhCXjyx5VqJKnMbYbor+CzzGxp:x

Score

10^/10

netwire botnet persistence rat stealer

Static task

static1

Behavioral task

behavioral1

Sample

682e7f4053a133c8fe08dfede3962d5af96f01dff69a72ac0b0f0ba8afc57191.rtf

Resource

win7-20220812-en

netwire botnet persistence rat stealer

windows7-x64

13 signatures

150 seconds

Behavioral task

behavioral2

Sample

682e7f4053a133c8fe08dfede3962d5af96f01dff69a72ac0b0f0ba8afc57191.rtf

Resource

win10v2004-20220812-en

windows10-2004-x64

8 signatures

150 seconds

Malware Config

Targets

- Target
  
  682e7f4053a133c8fe08dfede3962d5af96f01dff69a72ac0b0f0ba8afc57191
- Size
  
  1.2MB
- MD5
  
  6e752a28a3d4f61fb158099beab88f90
- SHA1
  
  d8c18216e718401d37a81674d4f4bb95f16742c6
- SHA256
  
  682e7f4053a133c8fe08dfede3962d5af96f01dff69a72ac0b0f0ba8afc57191
- SHA512
  
  66bad4bab339a255cded95b6a03df4c149c486deceb23c3fd55080b16d48251bc7ad4db5e5e74c95ad46deebbdbb70fa05ee6fa26ae01e56fa9a89d9ad32e1eb
- SSDEEP
  
  24576:ko+0Kiy8TOWMRIHjVK+v8GhCXjyx5VqJKnMbYbor+CzzGxp:x
Score

10^/10

netwire botnet persistence rat stealer
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Query Registry

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

netwirebotnetpersistenceratstealer

behavioral2

© 2018-2024

Terms | Privacy