netwire | f5df171a28a643f70cf5c9cbde4fc1ab50f8371619c42ac87661fdf8eb57dcc2 | Triage

Submit
Reports

Overview

overview

Static

static

f5df171a28...c2.exe

windows7-x64

f5df171a28...c2.exe

windows10-2004-x64

Sharing

General

Target

f5df171a28a643f70cf5c9cbde4fc1ab50f8371619c42ac87661fdf8eb57dcc2
Size

187KB
Sample

221126-qp66kaff48
MD5

e205017b3dfd197bbd2736ec075e6712
SHA1

6c0546c75a47f6c6cac66603d23eda86c3b67373
SHA256

f5df171a28a643f70cf5c9cbde4fc1ab50f8371619c42ac87661fdf8eb57dcc2
SHA512

5fcc7a371dd01f68cd82072b897f770842daeec3a8dccd0a6d4ba4c97ac517233df2b2e02c6168d175ac4b762136e6a1cb843df4483736973d1bcc5d749a8d7e
SSDEEP

3072:hF9RXZ4n9s5KaXzk7c4PHys5jIBPQYjt2Cep1JM4bQ/SICy01HlXzcccy:hF9RXZ49s44zkv5j3kt2CepdE/Wl

Score

10^/10

netwire botnet persistence rat stealer

Static task

static1

Behavioral task

behavioral1

Sample

f5df171a28a643f70cf5c9cbde4fc1ab50f8371619c42ac87661fdf8eb57dcc2.exe

Resource

win7-20220812-en

netwire botnet persistence rat stealer

windows7-x64

10 signatures

150 seconds

Behavioral task

behavioral2

Sample

f5df171a28a643f70cf5c9cbde4fc1ab50f8371619c42ac87661fdf8eb57dcc2.exe

Resource

win10v2004-20220812-en

netwire botnet persistence rat stealer

windows10-2004-x64

13 signatures

150 seconds

Malware Config

Targets

- Target
  
  f5df171a28a643f70cf5c9cbde4fc1ab50f8371619c42ac87661fdf8eb57dcc2
- Size
  
  187KB
- MD5
  
  e205017b3dfd197bbd2736ec075e6712
- SHA1
  
  6c0546c75a47f6c6cac66603d23eda86c3b67373
- SHA256
  
  f5df171a28a643f70cf5c9cbde4fc1ab50f8371619c42ac87661fdf8eb57dcc2
- SHA512
  
  5fcc7a371dd01f68cd82072b897f770842daeec3a8dccd0a6d4ba4c97ac517233df2b2e02c6168d175ac4b762136e6a1cb843df4483736973d1bcc5d749a8d7e
- SSDEEP
  
  3072:hF9RXZ4n9s5KaXzk7c4PHys5jIBPQYjt2Cep1JM4bQ/SICy01HlXzcccy:hF9RXZ49s44zkv5j3kt2CepdE/Wl
Score

10^/10

netwire botnet persistence rat stealer
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

netwirebotnetpersistenceratstealer

behavioral2

netwirebotnetpersistenceratstealer

© 2018-2024

Terms | Privacy