netwire | 17c7284c36afc584e97304bcc919260d74bc51427e41b594f2c31ffe4abd6a43 | Triage

Submit
Reports

Overview

overview

Static

static

17c7284c36...43.exe

windows7-x64

17c7284c36...43.exe

windows10-2004-x64

Sharing

General

Target

17c7284c36afc584e97304bcc919260d74bc51427e41b594f2c31ffe4abd6a43
Size

559KB
Sample

221123-r9egqadg2w
MD5

bf6fee94cfb3d3074f9b5610c92c8736
SHA1

275d6c72eaf3ff795d9c9ce0d8589529117dc3da
SHA256

17c7284c36afc584e97304bcc919260d74bc51427e41b594f2c31ffe4abd6a43
SHA512

db15afafc57b654d3ec119ee6b509ddee62d31cea74cd5ae9ce8811e16f7e3e65571b975d55013311bfc7cd4a3b1dd6e479710275553b119fc8082cbd74810d5
SSDEEP

6144:rFhmxTB7drI/7gkzKTr6gQu4ZGhp2y8A/f5c/m6bBApevftP89:vKv6gQu4Aph5QlipeHw

Score

10^/10

netwire botnet persistence rat stealer

Static task

static1

Behavioral task

behavioral1

Sample

17c7284c36afc584e97304bcc919260d74bc51427e41b594f2c31ffe4abd6a43.exe

Resource

win7-20220901-en

netwire botnet persistence rat stealer

windows7-x64

10 signatures

150 seconds

Behavioral task

behavioral2

Sample

17c7284c36afc584e97304bcc919260d74bc51427e41b594f2c31ffe4abd6a43.exe

Resource

win10v2004-20221111-en

windows10-2004-x64

9 signatures

150 seconds

Malware Config

Targets

- Target
  
  17c7284c36afc584e97304bcc919260d74bc51427e41b594f2c31ffe4abd6a43
- Size
  
  559KB
- MD5
  
  bf6fee94cfb3d3074f9b5610c92c8736
- SHA1
  
  275d6c72eaf3ff795d9c9ce0d8589529117dc3da
- SHA256
  
  17c7284c36afc584e97304bcc919260d74bc51427e41b594f2c31ffe4abd6a43
- SHA512
  
  db15afafc57b654d3ec119ee6b509ddee62d31cea74cd5ae9ce8811e16f7e3e65571b975d55013311bfc7cd4a3b1dd6e479710275553b119fc8082cbd74810d5
- SSDEEP
  
  6144:rFhmxTB7drI/7gkzKTr6gQu4ZGhp2y8A/f5c/m6bBApevftP89:vKv6gQu4Aph5QlipeHw
Score

10^/10

netwire botnet persistence rat stealer
- Modifies WinLogon for persistence
  persistence
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

netwirebotnetpersistenceratstealer

behavioral2

© 2018-2024

Terms | Privacy