netwire | 8c907dfac7b88b74f60ed80c6acc916d94caa5ab36aac4db4597f215483afe05 | Triage

Submit
Reports

Overview

overview

Static

static

8c907dfac7...05.exe

windows7-x64

8c907dfac7...05.exe

windows10-2004-x64

Sharing

General

Target

8c907dfac7b88b74f60ed80c6acc916d94caa5ab36aac4db4597f215483afe05
Size

558KB
Sample

221123-qz37naad3s
MD5

84c23174883bfc6185c61eb1106e4d2e
SHA1

59df87cd5af71f76db82d384379db01f56adc96c
SHA256

8c907dfac7b88b74f60ed80c6acc916d94caa5ab36aac4db4597f215483afe05
SHA512

601efcaa36ae9a1a08bbb964057d8911306e34a2c7a0d7dda0914d0bd725cd4e8b1b32e5c88fe6011d70363088f3a26763c42b18a326b36788c66a5545bd6a92
SSDEEP

6144:PFhmxTB7drI/7gkzKTr6gQutC24l8Pksw3sBb31+6iKtMHqCKBNdGh8Ab:TKv6gQutC/gy3sB31+D8MHNNb

Score

10^/10

netwire botnet persistence rat stealer

Static task

static1

Behavioral task

behavioral1

Sample

8c907dfac7b88b74f60ed80c6acc916d94caa5ab36aac4db4597f215483afe05.exe

Resource

win7-20220901-en

netwire botnet persistence rat stealer

windows7-x64

10 signatures

150 seconds

Behavioral task

behavioral2

Sample

8c907dfac7b88b74f60ed80c6acc916d94caa5ab36aac4db4597f215483afe05.exe

Resource

win10v2004-20220812-en

windows10-2004-x64

9 signatures

150 seconds

Malware Config

Targets

- Target
  
  8c907dfac7b88b74f60ed80c6acc916d94caa5ab36aac4db4597f215483afe05
- Size
  
  558KB
- MD5
  
  84c23174883bfc6185c61eb1106e4d2e
- SHA1
  
  59df87cd5af71f76db82d384379db01f56adc96c
- SHA256
  
  8c907dfac7b88b74f60ed80c6acc916d94caa5ab36aac4db4597f215483afe05
- SHA512
  
  601efcaa36ae9a1a08bbb964057d8911306e34a2c7a0d7dda0914d0bd725cd4e8b1b32e5c88fe6011d70363088f3a26763c42b18a326b36788c66a5545bd6a92
- SSDEEP
  
  6144:PFhmxTB7drI/7gkzKTr6gQutC24l8Pksw3sBb31+6iKtMHqCKBNdGh8Ab:TKv6gQutC/gy3sB31+D8MHNNb
Score

10^/10

netwire botnet persistence rat stealer
- Modifies WinLogon for persistence
  persistence
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

netwirebotnetpersistenceratstealer

behavioral2

© 2018-2024

Terms | Privacy