netwire | 54f4115c188c20b15718b0f9cacaf5569b26cc91d088eec672da1a2ba502d241 | Triage

Submit
Reports

Overview

overview

Static

static

54f4115c18...41.exe

windows7-x64

54f4115c18...41.exe

windows10-2004-x64

Sharing

General

Target

54f4115c188c20b15718b0f9cacaf5569b26cc91d088eec672da1a2ba502d241
Size

411KB
Sample

221125-tc4rfshf24
MD5

99531c75262ac625760046aeee2e74c0
SHA1

a08137520da666f982b2d47626f7485eafb15b8b
SHA256

54f4115c188c20b15718b0f9cacaf5569b26cc91d088eec672da1a2ba502d241
SHA512

f857e4dac8594aaf02b63b564954657900e83533aa6c897bb41f989cdb081bc5514fc595067122dccb6075a4425b3519c607e874dcee4e24cb8b220cca993283
SSDEEP

6144:XwXihP1dml/gzaOuMIUbb4WhiU2YOKS9VhCTLtk4iazR:IihP1dmv5WshYM9Vhapk4VN

Score

10^/10

netwire botnet persistence rat stealer

Static task

static1

Behavioral task

behavioral1

Sample

54f4115c188c20b15718b0f9cacaf5569b26cc91d088eec672da1a2ba502d241.exe

Resource

win7-20220901-en

netwire botnet persistence rat stealer

windows7-x64

11 signatures

150 seconds

Behavioral task

behavioral2

Sample

54f4115c188c20b15718b0f9cacaf5569b26cc91d088eec672da1a2ba502d241.exe

Resource

win10v2004-20220812-en

windows10-2004-x64

10 signatures

150 seconds

Malware Config

Targets

- Target
  
  54f4115c188c20b15718b0f9cacaf5569b26cc91d088eec672da1a2ba502d241
- Size
  
  411KB
- MD5
  
  99531c75262ac625760046aeee2e74c0
- SHA1
  
  a08137520da666f982b2d47626f7485eafb15b8b
- SHA256
  
  54f4115c188c20b15718b0f9cacaf5569b26cc91d088eec672da1a2ba502d241
- SHA512
  
  f857e4dac8594aaf02b63b564954657900e83533aa6c897bb41f989cdb081bc5514fc595067122dccb6075a4425b3519c607e874dcee4e24cb8b220cca993283
- SSDEEP
  
  6144:XwXihP1dml/gzaOuMIUbb4WhiU2YOKS9VhCTLtk4iazR:IihP1dmv5WshYM9Vhapk4VN
Score

10^/10

netwire botnet persistence rat stealer
- Modifies WinLogon for persistence
  persistence
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

netwirebotnetpersistenceratstealer

behavioral2

© 2018-2024

Terms | Privacy