netwire | cd592c969a3a940e43888a1902ec9e4605ed28676d3945ab84d72175fbc87253 | Triage

Sharing

General

Target

circular_29092022.iso
Size

768KB
Sample

221014-wbp8sadhgq
MD5

b5bdf09f5f778b14f1eb4bb5a77209b6
SHA1

eca3b1d788a473c8336d8c5a9719bfb74ae01d38
SHA256

cd592c969a3a940e43888a1902ec9e4605ed28676d3945ab84d72175fbc87253
SHA512

f5ac111382f8e177bef7adb46cde3cbd942242b13265bcf465386abd97d670f0cf1b519df7b624ebae6ac5d200d7a2f8f954e9a35487cf36a0a5cab3e4d4e654
SSDEEP

12288:1QeS5W5CtoNFZj4QySHYca0UjzVDFKH3ox5y3:1QeScotGj4Q3a0U/VDFKXa58

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

C2

54.145.6.146:443

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
MSOffice-%Rand%
lock_executable
false
mutex
IERXehpS
offline_keylogger
false
password
a1cap0ne@1960s
registry_autorun
false
use_mutex
false

Targets

- Target
  
  NisSrv.exe
- Size
  
  584KB
- MD5
  
  85f14631181a8867a2d41122482ba8dc
- SHA1
  
  8e2f2bce824c97cb8dd83c1736cd1de6897bb054
- SHA256
  
  bbcca0dc10b700c01e557612f009c050ca618f227e0b8be3d4f471dd9d887a18
- SHA512
  
  aec36afdc33880622492010ed028e679778abb8470a8e9517f8c241de0f8a158da3ce1c767e7671b5aab14c77624009e05af35472eb0d6c2e411918756f4d855
- SSDEEP
  
  6144:6toWmFzltNCF9NuUzSa3YYcahynDzcjzH1DFKH3oGu8EdoXRXHd:6toNFZj4QySHYca0UjzVDFKH3ox5y3
Score

10^/10

netwire botnet rat stealer
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  circular_29092022.pdf
- Size
  
  116KB
- MD5
  
  c380b1ebfbfd0e56943e8ec8c152c6cb
- SHA1
  
  7e4902014f9f120b3d0af38334373ce50a9f8aef
- SHA256
  
  24d66e168fd7712944e3a9ddf9589299a7f85d079859fa61ad9cdd90e7ef1d80
- SHA512
  
  5cd095b2a4d0bacf2a6327284d4cb8dc3e1349daa2bdadb9a189f19ded66e26fd7cfcd92a77df816cd8e34ed4b4d5280e77fc5e5779bc6270d09343cb7f01991
- SSDEEP
  
  3072:eQoleWGZQ5lpmmeS5tBDbJbY35OiJ9Hq+rvbB:oo8heS5tZJbYJl4+J
Score

1^/10
behavioral3 behavioral4
- Target
  
  circular_29092022.pdf.lnk
- Size
  
  2KB
- MD5
  
  9401c4021ce5ae57da50eb7fddfff950
- SHA1
  
  ec7f933174448b63b979027e79192e3127c8b5f4
- SHA256
  
  7259f69b075b7d849d7d0e300fe1d63057372aaedd07223de2d6b4023f5bf48c
- SHA512
  
  5458c93f60ef207954fb17a750e692fcf738013a85d92898ea284b190aab4ce84ad4dc30a58562094567da483e041347036c1c557fd6d9c05241cb256033996e
Score

10^/10

netwire botnet rat stealer
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral5 behavioral6

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

netwirebotnetratstealer

behavioral3

behavioral4

behavioral5

behavioral6

netwirebotnetratstealer