netwire | 63df87359c853538ba2814f07c2e47b112d2827d437e4baef14ebfdcfdb0a62e | Triage

Submit
Reports

Overview

overview

Static

static

1

63df87359c...2e.exe

windows7-x64

63df87359c...2e.exe

windows10-2004-x64

Sharing

General

Target

63df87359c853538ba2814f07c2e47b112d2827d437e4baef14ebfdcfdb0a62e
Size

136KB
Sample

221122-y13araff93
MD5

cef43cdb007639120a4a0d838d712193
SHA1

a214a4ebcad9d9d0e083751db9d48c2a79a04c96
SHA256

63df87359c853538ba2814f07c2e47b112d2827d437e4baef14ebfdcfdb0a62e
SHA512

3537f805975d1456a676b4cd7b35cbdd2e802b701270842bb35ff6a9ba9a3ee0e9ed87a4b16ee0056219193e56cce46937ad02614f64196f292ef1f8be163ca2
SSDEEP

3072:h4URpNUUX6z/DBXJfbjWzkCIqkTo7znirudL1jPeCUkHY:h4SUjhtbaods7zGEVPBL4

Score

10^/10

netwire botnet persistence rat stealer

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

63df87359c853538ba2814f07c2e47b112d2827d437e4baef14ebfdcfdb0a62e.exe

Resource

win7-20221111-en

netwire botnet persistence rat stealer

windows7-x64

9 signatures

150 seconds

Behavioral task

behavioral2

Sample

63df87359c853538ba2814f07c2e47b112d2827d437e4baef14ebfdcfdb0a62e.exe

Resource

win10v2004-20221111-en

netwire botnet persistence rat stealer

windows10-2004-x64

10 signatures

150 seconds

Malware Config

Targets

- Target
  
  63df87359c853538ba2814f07c2e47b112d2827d437e4baef14ebfdcfdb0a62e
- Size
  
  136KB
- MD5
  
  cef43cdb007639120a4a0d838d712193
- SHA1
  
  a214a4ebcad9d9d0e083751db9d48c2a79a04c96
- SHA256
  
  63df87359c853538ba2814f07c2e47b112d2827d437e4baef14ebfdcfdb0a62e
- SHA512
  
  3537f805975d1456a676b4cd7b35cbdd2e802b701270842bb35ff6a9ba9a3ee0e9ed87a4b16ee0056219193e56cce46937ad02614f64196f292ef1f8be163ca2
- SSDEEP
  
  3072:h4URpNUUX6z/DBXJfbjWzkCIqkTo7znirudL1jPeCUkHY:h4SUjhtbaods7zGEVPBL4
Score

10^/10

netwire botnet persistence rat stealer
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

netwirebotnetpersistenceratstealer

behavioral2

netwirebotnetpersistenceratstealer

© 2018-2024

Terms | Privacy