netwire | 1374d806017136ac24ff2b892199c75513cae5267ab39deec422481be71c66d5 | Triage

Submit
Reports

Overview

overview

Static

static

1374d80601...d5.exe

windows7-x64

1374d80601...d5.exe

windows10-2004-x64

Sharing

General

Target

1374d806017136ac24ff2b892199c75513cae5267ab39deec422481be71c66d5
Size

1.5MB
Sample

221126-r6w8cseg3w
MD5

9f384cd0678f4af5298ce92e93076c24
SHA1

ba67cccd0cbec0fc78e6cea2501d43979b168d74
SHA256

1374d806017136ac24ff2b892199c75513cae5267ab39deec422481be71c66d5
SHA512

d375257c7a84ef7b11ec1f76bfbe9bf9ef91bc122cd43880ed82e5e4578c5f6edcef0e2b28c814937de9ae579d75e0cfc09fe6c86a06670f9c81289ce14be422
SSDEEP

12288:gcl48RTm7FWaEL5n62kJKOld30Jse4ohNv:gESYaU5nmKOn0suhNv

Score

10^/10

netwire botnet persistence rat stealer

Static task

static1

Behavioral task

behavioral1

Sample

1374d806017136ac24ff2b892199c75513cae5267ab39deec422481be71c66d5.exe

Resource

win7-20221111-en

netwire botnet persistence rat stealer

windows7-x64

10 signatures

150 seconds

Behavioral task

behavioral2

Sample

1374d806017136ac24ff2b892199c75513cae5267ab39deec422481be71c66d5.exe

Resource

win10v2004-20221111-en

netwire botnet persistence rat stealer

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Targets

- Target
  
  1374d806017136ac24ff2b892199c75513cae5267ab39deec422481be71c66d5
- Size
  
  1.5MB
- MD5
  
  9f384cd0678f4af5298ce92e93076c24
- SHA1
  
  ba67cccd0cbec0fc78e6cea2501d43979b168d74
- SHA256
  
  1374d806017136ac24ff2b892199c75513cae5267ab39deec422481be71c66d5
- SHA512
  
  d375257c7a84ef7b11ec1f76bfbe9bf9ef91bc122cd43880ed82e5e4578c5f6edcef0e2b28c814937de9ae579d75e0cfc09fe6c86a06670f9c81289ce14be422
- SSDEEP
  
  12288:gcl48RTm7FWaEL5n62kJKOld30Jse4ohNv:gESYaU5nmKOn0suhNv
Score

10^/10

netwire botnet persistence rat stealer
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Blocklisted process makes network request
- Modifies Installed Components in the registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

netwirebotnetpersistenceratstealer

behavioral2

netwirebotnetpersistenceratstealer

© 2018-2024

Terms | Privacy