netwire | 67b10001ec5c141e48e61d73c2c4d8c2c1170eecfbe8732ea5b3069d6cd333b0 | Triage

Submit
Reports

Overview

overview

Static

static

3f153b9bfc...a6.exe

windows7-x64

3f153b9bfc...a6.exe

windows10-2004-x64

Resubmissions

03-10-2022 03:29

221003-d16mysffak 10

29-09-2022 20:32

220929-za94cachbm 1

Sharing

General

Target

3f153b9bfc044bb0c370cabd0496c8a6.exe
Size

1.1MB
Sample

221003-d16mysffak
MD5

3f153b9bfc044bb0c370cabd0496c8a6
SHA1

f98e3e3a0f5fc735f7167367fa272b5365595548
SHA256

67b10001ec5c141e48e61d73c2c4d8c2c1170eecfbe8732ea5b3069d6cd333b0
SHA512

a53caea88f5719ec51abbfa119aa4cfd0df9a4d90acd33356008bcfba2c45bdf60a6bacc69512969367dcc86c388da2d017bc1a7bfaed6c7cb1dc18fcf483982
SSDEEP

24576:MAOcZXgZd9/37Y0W8AHei8Jluw0ixrZYZj7w84cKSVlioyvt1qztey4ZodO:a3X7DLJYLilZYZjUcKsscey4Z7

Score

10^/10

netwire botnet persistence rat stealer

Static task

static1

Behavioral task

behavioral1

Sample

3f153b9bfc044bb0c370cabd0496c8a6.exe

Resource

win7-20220812-en

netwire botnet persistence rat stealer

windows7-x64

14 signatures

150 seconds

Behavioral task

behavioral2

Sample

3f153b9bfc044bb0c370cabd0496c8a6.exe

Resource

win10v2004-20220901-en

netwire botnet persistence rat stealer

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Targets

- Target
  
  3f153b9bfc044bb0c370cabd0496c8a6.exe
- Size
  
  1.1MB
- MD5
  
  3f153b9bfc044bb0c370cabd0496c8a6
- SHA1
  
  f98e3e3a0f5fc735f7167367fa272b5365595548
- SHA256
  
  67b10001ec5c141e48e61d73c2c4d8c2c1170eecfbe8732ea5b3069d6cd333b0
- SHA512
  
  a53caea88f5719ec51abbfa119aa4cfd0df9a4d90acd33356008bcfba2c45bdf60a6bacc69512969367dcc86c388da2d017bc1a7bfaed6c7cb1dc18fcf483982
- SSDEEP
  
  24576:MAOcZXgZd9/37Y0W8AHei8Jluw0ixrZYZj7w84cKSVlioyvt1qztey4ZodO:a3X7DLJYLilZYZjUcKsscey4Z7
Score

10^/10

netwire botnet persistence rat stealer
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

netwirebotnetpersistenceratstealer

behavioral2

netwirebotnetpersistenceratstealer

© 2018-2024

Terms | Privacy