netwire | ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815 | Triage

Submit
Reports

Overview

overview

Static

static

ec5e55827e...15.exe

windows7-x64

ec5e55827e...15.exe

windows10-2004-x64

8

Sharing

General

Target

ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815
Size

99KB
Sample

221021-x3djqsbhg3
MD5

205819e715877fa9f0c28f80f313b360
SHA1

b2172b04ff7cf85dee45218106f354d10e100cc9
SHA256

ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815
SHA512

87be48b3f252333c81768071eb5ed833606acd7b23dc730c810e41ad44fef8a0f00c5784acda6958c66bd6bd16a9acb355f1d15ae1400c835b68a288e3169a4c
SSDEEP

3072:ulwT11JOsyobBuL7OdhR5rgGuXMQ8oWfz16xO:UwxdbBuLSdlwWoWh6xO

Score

10^/10

netwire botnet evasion persistence rat stealer

Static task

static1

Behavioral task

behavioral1

Sample

ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe

Resource

win7-20220901-en

netwire botnet evasion persistence rat stealer

windows7-x64

13 signatures

150 seconds

Behavioral task

behavioral2

Sample

ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815.exe

Resource

win10v2004-20220812-en

evasion persistence

windows10-2004-x64

10 signatures

150 seconds

Malware Config

Targets

- Target
  
  ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815
- Size
  
  99KB
- MD5
  
  205819e715877fa9f0c28f80f313b360
- SHA1
  
  b2172b04ff7cf85dee45218106f354d10e100cc9
- SHA256
  
  ec5e55827edf95d098ae5d7731cfa6c2e43c12ff2967dba25b291c194226e815
- SHA512
  
  87be48b3f252333c81768071eb5ed833606acd7b23dc730c810e41ad44fef8a0f00c5784acda6958c66bd6bd16a9acb355f1d15ae1400c835b68a288e3169a4c
- SSDEEP
  
  3072:ulwT11JOsyobBuL7OdhR5rgGuXMQ8oWfz16xO:UwxdbBuLSdlwWoWh6xO
Score

10^/10

netwire botnet evasion persistence rat stealer
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Executes dropped EXE
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Remote System Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

netwirebotnetevasionpersistenceratstealer

behavioral2

evasionpersistence

© 2018-2024

Terms | Privacy