netwire | 18df3cc6f2fc32277040460c85aaf927848e63abb3d005b43fcb8d0368a57214 | Triage

Submit
Reports

Overview

overview

Static

static

5

18df3cc6f2...14.exe

windows7-x64

18df3cc6f2...14.exe

windows10-2004-x64

Sharing

General

Target

18df3cc6f2fc32277040460c85aaf927848e63abb3d005b43fcb8d0368a57214
Size

817KB
Sample

221125-ymazcabd68
MD5

d73b8c3a4405846fd0ba8c384a7113a1
SHA1

0751fb4a0ac6671c71d7b48caf605e77b1424c3d
SHA256

18df3cc6f2fc32277040460c85aaf927848e63abb3d005b43fcb8d0368a57214
SHA512

239e0578ff629073b26a76bc46e427c1dce63f811d7baab50af73fcda91ed9b70191b056bdaf3fc2999485218a8e9bc7071956d2b5d634004e0cb8120321b727
SSDEEP

24576:HRmJkcoQricOIQxiZY1iaBcien5VcrEjFk6d:sJZoQrbTFZY1iaBcBXc0P

Score

10^/10

netwire botnet persistence rat stealer

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

18df3cc6f2fc32277040460c85aaf927848e63abb3d005b43fcb8d0368a57214.exe

Resource

win7-20220812-en

netwire botnet persistence rat stealer

windows7-x64

12 signatures

150 seconds

Behavioral task

behavioral2

Sample

18df3cc6f2fc32277040460c85aaf927848e63abb3d005b43fcb8d0368a57214.exe

Resource

win10v2004-20220812-en

netwire botnet persistence rat stealer

windows10-2004-x64

12 signatures

150 seconds

Malware Config

Targets

- Target
  
  18df3cc6f2fc32277040460c85aaf927848e63abb3d005b43fcb8d0368a57214
- Size
  
  817KB
- MD5
  
  d73b8c3a4405846fd0ba8c384a7113a1
- SHA1
  
  0751fb4a0ac6671c71d7b48caf605e77b1424c3d
- SHA256
  
  18df3cc6f2fc32277040460c85aaf927848e63abb3d005b43fcb8d0368a57214
- SHA512
  
  239e0578ff629073b26a76bc46e427c1dce63f811d7baab50af73fcda91ed9b70191b056bdaf3fc2999485218a8e9bc7071956d2b5d634004e0cb8120321b727
- SSDEEP
  
  24576:HRmJkcoQricOIQxiZY1iaBcien5VcrEjFk6d:sJZoQrbTFZY1iaBcBXc0P
Score

10^/10

netwire botnet persistence rat stealer
- Modifies WinLogon for persistence
  persistence
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Executes dropped EXE
- Adds Run key to start application
  persistence
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Winlogon Helper DLL

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

netwirebotnetpersistenceratstealer

behavioral2

netwirebotnetpersistenceratstealer

© 2018-2024

Terms | Privacy