netwire | 52c628d4ea2b7d5bc60e8882c68afba47f956ea81dcdf4a70f5365b126eee8d3 | Triage

Submit
Reports

Overview

overview

Static

static

1

52c628d4ea...d3.exe

windows7-x64

52c628d4ea...d3.exe

windows10-2004-x64

Sharing

General

Target

52c628d4ea2b7d5bc60e8882c68afba47f956ea81dcdf4a70f5365b126eee8d3
Size

129KB
Sample

221126-e2plhabh28
MD5

1becde67c46c27c90421ea17bfdb64dd
SHA1

26e69f0a5405ccd5864419b220e04ceeeed4d141
SHA256

52c628d4ea2b7d5bc60e8882c68afba47f956ea81dcdf4a70f5365b126eee8d3
SHA512

df60756353c6c1744111556b0b7a383048b009a9e8ff01ad15931b30e8cbf648ab0cdee276b856575236037af0e034fb4832dc1e2265bb54ca1fdfec45b10e8b
SSDEEP

3072:IDQkrZoosbIfXJmWHLCITMh7/o7/803UIneY7zXz+OW:IDpoefWIc/o700kIeY7jz+r

Score

10^/10

netwire botnet persistence rat stealer

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

52c628d4ea2b7d5bc60e8882c68afba47f956ea81dcdf4a70f5365b126eee8d3.exe

Resource

win7-20220812-en

netwire botnet persistence rat stealer

windows7-x64

9 signatures

150 seconds

Behavioral task

behavioral2

Sample

52c628d4ea2b7d5bc60e8882c68afba47f956ea81dcdf4a70f5365b126eee8d3.exe

Resource

win10v2004-20220812-en

netwire botnet persistence rat stealer

windows10-2004-x64

10 signatures

150 seconds

Malware Config

Targets

- Target
  
  52c628d4ea2b7d5bc60e8882c68afba47f956ea81dcdf4a70f5365b126eee8d3
- Size
  
  129KB
- MD5
  
  1becde67c46c27c90421ea17bfdb64dd
- SHA1
  
  26e69f0a5405ccd5864419b220e04ceeeed4d141
- SHA256
  
  52c628d4ea2b7d5bc60e8882c68afba47f956ea81dcdf4a70f5365b126eee8d3
- SHA512
  
  df60756353c6c1744111556b0b7a383048b009a9e8ff01ad15931b30e8cbf648ab0cdee276b856575236037af0e034fb4832dc1e2265bb54ca1fdfec45b10e8b
- SSDEEP
  
  3072:IDQkrZoosbIfXJmWHLCITMh7/o7/803UIneY7zXz+OW:IDpoefWIc/o700kIeY7jz+r
Score

10^/10

netwire botnet persistence rat stealer
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

netwirebotnetpersistenceratstealer

behavioral2

netwirebotnetpersistenceratstealer

© 2018-2024

Terms | Privacy