netwire | abb0ca8ed8cb040eb69d4837c26fca5efe130711346859b86641b45da7de31b6 | Triage

Submit
Reports

Overview

overview

Static

static

Document Payment.js

windows7-x64

8

Document Payment.js

windows10-2004-x64

Sharing

General

Target

Document Payment.js
Size

252KB
Sample

221107-vj5g1ahac2
MD5

76c1c36c47ced1f2e3c9528b4a45fc42
SHA1

bf8e742e9e99d7814988dadc809847c624d098ed
SHA256

abb0ca8ed8cb040eb69d4837c26fca5efe130711346859b86641b45da7de31b6
SHA512

066c4d3508b3c3c816c0909eb1c20fed76d908b4f94fa36e36dff2711515f63ae41cad0bc5a971fa4bda2162014f853fb4d8a9fa809d14afb9fd56a0d834fe8a
SSDEEP

1536:B4QRV0AphDu3651pCC6T5IYx9btSutuiLL5dve/OC67OMOMM8hMM/0m6tWcSukqE:BnTeK1qRfOgkKtlQi

Score

10^/10

netwire botnet persistence rat stealer

Static task

static1

Behavioral task

behavioral1

Sample

Document Payment.js

Resource

win7-20220812-en

windows7-x64

4 signatures

150 seconds

Behavioral task

behavioral2

Sample

Document Payment.js

Resource

win10v2004-20220812-en

netwire botnet persistence rat stealer

windows10-2004-x64

12 signatures

150 seconds

Malware Config

Targets

- Target
  
  Document Payment.js
- Size
  
  252KB
- MD5
  
  76c1c36c47ced1f2e3c9528b4a45fc42
- SHA1
  
  bf8e742e9e99d7814988dadc809847c624d098ed
- SHA256
  
  abb0ca8ed8cb040eb69d4837c26fca5efe130711346859b86641b45da7de31b6
- SHA512
  
  066c4d3508b3c3c816c0909eb1c20fed76d908b4f94fa36e36dff2711515f63ae41cad0bc5a971fa4bda2162014f853fb4d8a9fa809d14afb9fd56a0d834fe8a
- SSDEEP
  
  1536:B4QRV0AphDu3651pCC6T5IYx9btSutuiLL5dve/OC67OMOMM8hMM/0m6tWcSukqE:BnTeK1qRfOgkKtlQi
Score

10^/10

netwire botnet persistence rat stealer
- Modifies WinLogon for persistence
  persistence
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

netwirebotnetpersistenceratstealer

© 2018-2024

Terms | Privacy