netwire | 2f8bac7792e921f228ea2c3283ad0cebe3adcab44998f0942393f4ecccedde7b | Triage

Submit
Reports

Overview

overview

Static

static

2f8bac7792...7b.exe

windows7-x64

2f8bac7792...7b.exe

windows10-2004-x64

Sharing

General

Target

2f8bac7792e921f228ea2c3283ad0cebe3adcab44998f0942393f4ecccedde7b
Size

458KB
Sample

221125-ylgqhaec3z
MD5

07f2e80664bbc93b2d2cf289697e5613
SHA1

13c40bbdeed4c3c72ab6e6b35b7f9cbb2f809b7c
SHA256

2f8bac7792e921f228ea2c3283ad0cebe3adcab44998f0942393f4ecccedde7b
SHA512

4ba088e13f60203eb14bf2f99bd81043a076b4b977dcf7e1dfc53eadddcf6ceea31d52e14b236eb373e2b9e273df1c061855f961d1ca6a9b0e33b80c1d30bfcf
SSDEEP

6144:RzV6tU/R6stRZXF5jdmTLvucbq582C6O2pRsuxkV+C6OTPNQNsPhdfJ+ewgLligD:qtUUskzYi2VOOsuxfCnLiNyJ+wJigc

Score

10^/10

netwire botnet persistence rat stealer

Static task

static1

Behavioral task

behavioral1

Sample

2f8bac7792e921f228ea2c3283ad0cebe3adcab44998f0942393f4ecccedde7b.exe

Resource

win7-20221111-en

netwire botnet persistence rat stealer

windows7-x64

9 signatures

150 seconds

Behavioral task

behavioral2

Sample

2f8bac7792e921f228ea2c3283ad0cebe3adcab44998f0942393f4ecccedde7b.exe

Resource

win10v2004-20221111-en

netwire botnet persistence rat stealer

windows10-2004-x64

13 signatures

150 seconds

Malware Config

Targets

- Target
  
  2f8bac7792e921f228ea2c3283ad0cebe3adcab44998f0942393f4ecccedde7b
- Size
  
  458KB
- MD5
  
  07f2e80664bbc93b2d2cf289697e5613
- SHA1
  
  13c40bbdeed4c3c72ab6e6b35b7f9cbb2f809b7c
- SHA256
  
  2f8bac7792e921f228ea2c3283ad0cebe3adcab44998f0942393f4ecccedde7b
- SHA512
  
  4ba088e13f60203eb14bf2f99bd81043a076b4b977dcf7e1dfc53eadddcf6ceea31d52e14b236eb373e2b9e273df1c061855f961d1ca6a9b0e33b80c1d30bfcf
- SSDEEP
  
  6144:RzV6tU/R6stRZXF5jdmTLvucbq582C6O2pRsuxkV+C6OTPNQNsPhdfJ+ewgLligD:qtUUskzYi2VOOsuxfCnLiNyJ+wJigc
Score

10^/10

netwire botnet persistence rat stealer
- Modifies WinLogon for persistence
  persistence
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Drops desktop.ini file(s)
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

netwirebotnetpersistenceratstealer

behavioral2

netwirebotnetpersistenceratstealer

© 2018-2024

Terms | Privacy