netwire | 7884f466b5060a215d695117a8c588bfbff2b8d3e9c3d4334e56fa309a4c15c1 | Triage

Submit
Reports

Overview

overview

Static

static

Hesaphareketi-01.exe

windows7-x64

Hesaphareketi-01.exe

windows10-2004-x64

Sharing

General

Target

Hesaphareketi-01.exe
Size

963KB
Sample

221111-g5t2hahgh4
MD5

cd8244fb08f75a12ab952b020273fe7d
SHA1

39cfcda727747000190d45c4d252bda28cebe3ec
SHA256

7884f466b5060a215d695117a8c588bfbff2b8d3e9c3d4334e56fa309a4c15c1
SHA512

e6b4272855d96e6b87487870137b8de474bc4867954e1fd7777fef00e7a5ce6f9ec496f9b95ef782d15bcb13d72c8e48190c4fa03a39f3c3d35bcb30f9d38388
SSDEEP

12288:2Gg7B8/lQYuVBK91o139Hmjc6Tp6Vpt3B6PC7I0Z1M/6WkwBpZfoD9H8AdH78NY:2FV2iVJ9GjTgbPI0Zl+

Score

10^/10

netwire botnet rat stealer

Static task

static1

Behavioral task

behavioral1

Sample

Hesaphareketi-01.exe

Resource

win7-20220812-en

netwire botnet rat stealer

windows7-x64

9 signatures

150 seconds

Behavioral task

behavioral2

Sample

Hesaphareketi-01.exe

Resource

win10v2004-20220812-en

netwire botnet rat stealer

windows10-2004-x64

10 signatures

150 seconds

Malware Config

Extracted

Family

netwire

C2

podzeye2.duckdns.org:4433

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
lock_executable
false
offline_keylogger
false
password
Password
registry_autorun
false
use_mutex
false

Targets

- Target
  
  Hesaphareketi-01.exe
- Size
  
  963KB
- MD5
  
  cd8244fb08f75a12ab952b020273fe7d
- SHA1
  
  39cfcda727747000190d45c4d252bda28cebe3ec
- SHA256
  
  7884f466b5060a215d695117a8c588bfbff2b8d3e9c3d4334e56fa309a4c15c1
- SHA512
  
  e6b4272855d96e6b87487870137b8de474bc4867954e1fd7777fef00e7a5ce6f9ec496f9b95ef782d15bcb13d72c8e48190c4fa03a39f3c3d35bcb30f9d38388
- SSDEEP
  
  12288:2Gg7B8/lQYuVBK91o139Hmjc6Tp6Vpt3B6PC7I0Z1M/6WkwBpZfoD9H8AdH78NY:2FV2iVJ9GjTgbPI0Zl+
Score

10^/10

netwire botnet rat stealer
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Scripting

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

netwirebotnetratstealer

behavioral2

netwirebotnetratstealer

© 2018-2024

Terms | Privacy