netwire | cd08ba15ccdc3b437881a925cb07a318cea11d7d586c8be88a005c476489707e | Triage

Submit
Reports

Overview

overview

Static

static

cd08ba15cc...7e.exe

windows7-x64

cd08ba15cc...7e.exe

windows10-2004-x64

Sharing

General

Target

cd08ba15ccdc3b437881a925cb07a318cea11d7d586c8be88a005c476489707e
Size

544KB
Sample

221127-jtmt6aeg51
MD5

059973cb87274fc9edc1939af78bb9cf
SHA1

bdb9f254bf0f489892f6ae589bf518780765ef5a
SHA256

cd08ba15ccdc3b437881a925cb07a318cea11d7d586c8be88a005c476489707e
SHA512

6f5841b6f0165b43bf1146893667168126e56b038535cb548479a3d88b6085d13523891dd6688fb87decb49ae240789f3b4a8bc36bdca6841606cf6ce07a3cb7
SSDEEP

6144:xTfFDbRnOTr+Ok7JsIPO+fXau6qkKaFQW/GoQ3Po2ubld7dJ8F8cjzCAatXtBvPo:35Olk7/GxunkG4G9uBd/nzXhy

Score

10^/10

netwire botnet discovery persistence rat stealer upx

Static task

static1

Behavioral task

behavioral1

Sample

cd08ba15ccdc3b437881a925cb07a318cea11d7d586c8be88a005c476489707e.exe

Resource

win7-20220812-en

netwire botnet discovery persistence rat stealer upx

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

cd08ba15ccdc3b437881a925cb07a318cea11d7d586c8be88a005c476489707e.exe

Resource

win10v2004-20220901-en

netwire botnet discovery persistence rat stealer upx

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Targets

- Target
  
  cd08ba15ccdc3b437881a925cb07a318cea11d7d586c8be88a005c476489707e
- Size
  
  544KB
- MD5
  
  059973cb87274fc9edc1939af78bb9cf
- SHA1
  
  bdb9f254bf0f489892f6ae589bf518780765ef5a
- SHA256
  
  cd08ba15ccdc3b437881a925cb07a318cea11d7d586c8be88a005c476489707e
- SHA512
  
  6f5841b6f0165b43bf1146893667168126e56b038535cb548479a3d88b6085d13523891dd6688fb87decb49ae240789f3b4a8bc36bdca6841606cf6ce07a3cb7
- SSDEEP
  
  6144:xTfFDbRnOTr+Ok7JsIPO+fXau6qkKaFQW/GoQ3Po2ubld7dJ8F8cjzCAatXtBvPo:35Olk7/GxunkG4G9uBd/nzXhy
Score

10^/10

netwire botnet discovery persistence rat stealer upx
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Modifies file permissions
  discovery
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

File Permissions Modification

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

netwirebotnetdiscoverypersistenceratstealerupx

behavioral2

netwirebotnetdiscoverypersistenceratstealerupx

© 2018-2024

Terms | Privacy