netwire | 1fb3b60878dc54af62cee0c594202b203e066cb743d9aa5d63833ba6800ded1c | Triage

Submit
Reports

Overview

overview

Static

static

1fb3b60878...1c.exe

windows7-x64

1fb3b60878...1c.exe

windows10-2004-x64

Sharing

General

Target

1fb3b60878dc54af62cee0c594202b203e066cb743d9aa5d63833ba6800ded1c
Size

191KB
Sample

221126-b7271ada42
MD5

e93c745ca2ae94e03676565dd22306c7
SHA1

bca2f39035c02428ba78af990bc74c09a0962f77
SHA256

1fb3b60878dc54af62cee0c594202b203e066cb743d9aa5d63833ba6800ded1c
SHA512

c6299d1c77328537c9f7a8e8363b66b899c4ca7a08c49ddfce2811880d5de67d9f3c2f9cdfbfb5433a6f738f0ac7a2d95f5b018f340d3cd3870a1d42fe192b92
SSDEEP

3072:yJU1JoBFO+FmNei/8sQWk1zViNZn0OhpkPJPzly+tyEG2MNbX6BRh:QB0+sNei/HQWk1hiN10Oh+PBvtQ7C

Score

10^/10

netwire botnet persistence rat stealer

Static task

static1

Behavioral task

behavioral1

Sample

1fb3b60878dc54af62cee0c594202b203e066cb743d9aa5d63833ba6800ded1c.exe

Resource

win7-20221111-en

netwire botnet persistence rat stealer

windows7-x64

11 signatures

150 seconds

Behavioral task

behavioral2

Sample

1fb3b60878dc54af62cee0c594202b203e066cb743d9aa5d63833ba6800ded1c.exe

Resource

win10v2004-20220901-en

netwire botnet persistence rat stealer

windows10-2004-x64

11 signatures

150 seconds

Malware Config

Targets

- Target
  
  1fb3b60878dc54af62cee0c594202b203e066cb743d9aa5d63833ba6800ded1c
- Size
  
  191KB
- MD5
  
  e93c745ca2ae94e03676565dd22306c7
- SHA1
  
  bca2f39035c02428ba78af990bc74c09a0962f77
- SHA256
  
  1fb3b60878dc54af62cee0c594202b203e066cb743d9aa5d63833ba6800ded1c
- SHA512
  
  c6299d1c77328537c9f7a8e8363b66b899c4ca7a08c49ddfce2811880d5de67d9f3c2f9cdfbfb5433a6f738f0ac7a2d95f5b018f340d3cd3870a1d42fe192b92
- SSDEEP
  
  3072:yJU1JoBFO+FmNei/8sQWk1zViNZn0OhpkPJPzly+tyEG2MNbX6BRh:QB0+sNei/HQWk1hiN10Oh+PBvtQ7C
Score

10^/10

netwire botnet persistence rat stealer
- Modifies WinLogon for persistence
  persistence
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Drops file in Drivers directory
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Persistence

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

netwirebotnetpersistenceratstealer

behavioral2

netwirebotnetpersistenceratstealer

© 2018-2024

Terms | Privacy