netwire | 36255768ea0e742455a1146fdffe10c83de7cf69c1c4d7f9cae763ac6df4293c | Triage

Submit
Reports

Overview

overview

Static

static

36255768ea...3c.exe

windows7-x64

36255768ea...3c.exe

windows10-2004-x64

Sharing

General

Target

36255768ea0e742455a1146fdffe10c83de7cf69c1c4d7f9cae763ac6df4293c
Size

761KB
Sample

221122-zvh6cscc5s
MD5

0bbbe39130aa0cfdcc59fbafb00ea6c9
SHA1

d1ce34e3002e896a5b672f8ddb2dba6856abf292
SHA256

36255768ea0e742455a1146fdffe10c83de7cf69c1c4d7f9cae763ac6df4293c
SHA512

43018d5e9f4f61a025aba8f53bff0ff4d8995bd71d75709b29edca4da65d91833761491718001efe87a48ee04bd625da2ddc1583e525a343171d0fadb0843a7f
SSDEEP

12288:5at0EAH49n8Bk8/MmCfj2U8D+Foc1xu93NoG/+d5Wel666rnyCaeu/HHxI:It24Hm0j2UToc1xuzoVF58KG

Score

10^/10

netwire botnet evasion persistence rat stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

36255768ea0e742455a1146fdffe10c83de7cf69c1c4d7f9cae763ac6df4293c.exe

Resource

win7-20221111-en

netwire botnet evasion persistence rat stealer trojan

windows7-x64

13 signatures

150 seconds

Behavioral task

behavioral2

Sample

36255768ea0e742455a1146fdffe10c83de7cf69c1c4d7f9cae763ac6df4293c.exe

Resource

win10v2004-20221111-en

evasion persistence trojan

windows10-2004-x64

8 signatures

150 seconds

Malware Config

Targets

- Target
  
  36255768ea0e742455a1146fdffe10c83de7cf69c1c4d7f9cae763ac6df4293c
- Size
  
  761KB
- MD5
  
  0bbbe39130aa0cfdcc59fbafb00ea6c9
- SHA1
  
  d1ce34e3002e896a5b672f8ddb2dba6856abf292
- SHA256
  
  36255768ea0e742455a1146fdffe10c83de7cf69c1c4d7f9cae763ac6df4293c
- SHA512
  
  43018d5e9f4f61a025aba8f53bff0ff4d8995bd71d75709b29edca4da65d91833761491718001efe87a48ee04bd625da2ddc1583e525a343171d0fadb0843a7f
- SSDEEP
  
  12288:5at0EAH49n8Bk8/MmCfj2U8D+Foc1xu93NoG/+d5Wel666rnyCaeu/HHxI:It24Hm0j2UToc1xuzoVF58KG
Score

10^/10

netwire botnet evasion persistence rat stealer trojan
- Modifies visiblity of hidden/system files in Explorer
  evasion
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Executes dropped EXE
- Modifies Installed Components in the registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

netwirebotnetevasionpersistenceratstealertrojan

behavioral2

evasionpersistencetrojan

© 2018-2024

Terms | Privacy