netwire | c0ca12020d7bf51209e7ac026fdfd71f55b97053985b061de24879069c96910c | Triage

Submit
Reports

Overview

overview

Static

static

Tax Invoice.xlsm

windows7-x64

1

Tax Invoice.xlsm

windows10-2004-x64

Sharing

General

Target

Tax Invoice.xlsm
Size

42KB
Sample

221117-fhrr7adf88
MD5

1a5f56600a34c20305f85f2cd0fdfbdf
SHA1

d37b42fd8d23e2fbdaebb55012fd028525e4e72c
SHA256

c0ca12020d7bf51209e7ac026fdfd71f55b97053985b061de24879069c96910c
SHA512

630cf26791900e941843a5e94308031c1e3dab8f60836e395e06f2c0a5fd11bf2beac5115429068276ff9fe1ffdb07d3a49b24029911da8016d490aadcc331d8
SSDEEP

768:IvjsCvCssn3uBIJYfTH+niSpKvDH7Nv+nWhFFiKk/f7qtNhTxRB+nE2g7d:IvDvCT3uG1ByT7Nv+qFFi3/jqLxxyE2g

Score

10^/10

netwire botnet rat stealer

Static task

static1

Behavioral task

behavioral1

Sample

Tax Invoice.xlsm

Resource

win7-20221111-en

windows7-x64

5 signatures

150 seconds

Behavioral task

behavioral2

Sample

Tax Invoice.xlsm

Resource

win10v2004-20220812-en

netwire botnet rat stealer

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Extracted

Family

netwire

C2

212.193.30.230:3345

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
Password@9
registry_autorun
false
use_mutex
false

Targets

- Target
  
  Tax Invoice.xlsm
- Size
  
  42KB
- MD5
  
  1a5f56600a34c20305f85f2cd0fdfbdf
- SHA1
  
  d37b42fd8d23e2fbdaebb55012fd028525e4e72c
- SHA256
  
  c0ca12020d7bf51209e7ac026fdfd71f55b97053985b061de24879069c96910c
- SHA512
  
  630cf26791900e941843a5e94308031c1e3dab8f60836e395e06f2c0a5fd11bf2beac5115429068276ff9fe1ffdb07d3a49b24029911da8016d490aadcc331d8
- SSDEEP
  
  768:IvjsCvCssn3uBIJYfTH+niSpKvDH7Nv+nWhFFiKk/f7qtNhTxRB+nE2g7d:IvDvCT3uG1ByT7Nv+qFFi3/jqLxxyE2g
Score

10^/10

netwire botnet rat stealer
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

Remote System Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

netwirebotnetratstealer

© 2018-2024

Terms | Privacy