netwire | 32e19f323a5df06d2f7d190cb223a26947ee232aafb25301daf342f0f965a2c4 | Triage

Submit
Reports

Overview

overview

Static

static

1

32e19f323a...c4.exe

windows7-x64

32e19f323a...c4.exe

windows10-2004-x64

Sharing

General

Target

32e19f323a5df06d2f7d190cb223a26947ee232aafb25301daf342f0f965a2c4
Size

109KB
Sample

221127-kgczvscg23
MD5

75acca9340f832b7361f2ec8ae8964d6
SHA1

083f137ca92578a2a9b537654138cf0648032b10
SHA256

32e19f323a5df06d2f7d190cb223a26947ee232aafb25301daf342f0f965a2c4
SHA512

085be2b0a74c9796e3695da8e62a11f0973c77ef3876284bb7ba336776e6fc86f6a8d8aa38f1ca8d6552d777feada269345a37bf4232eed751d227e0647ba26d
SSDEEP

3072:xwJ52Y7ZoH5XJaAWIIyxxPcLU9NPiTa6xwR2j6dNEPC13L:xwHysXIFM0JuLxxyEPO3L

Score

10^/10

netwire botnet persistence rat stealer

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

32e19f323a5df06d2f7d190cb223a26947ee232aafb25301daf342f0f965a2c4.exe

Resource

win7-20220812-en

netwire botnet persistence rat stealer

windows7-x64

10 signatures

150 seconds

Behavioral task

behavioral2

Sample

32e19f323a5df06d2f7d190cb223a26947ee232aafb25301daf342f0f965a2c4.exe

Resource

win10v2004-20221111-en

netwire botnet persistence rat stealer

windows10-2004-x64

11 signatures

150 seconds

Malware Config

Targets

- Target
  
  32e19f323a5df06d2f7d190cb223a26947ee232aafb25301daf342f0f965a2c4
- Size
  
  109KB
- MD5
  
  75acca9340f832b7361f2ec8ae8964d6
- SHA1
  
  083f137ca92578a2a9b537654138cf0648032b10
- SHA256
  
  32e19f323a5df06d2f7d190cb223a26947ee232aafb25301daf342f0f965a2c4
- SHA512
  
  085be2b0a74c9796e3695da8e62a11f0973c77ef3876284bb7ba336776e6fc86f6a8d8aa38f1ca8d6552d777feada269345a37bf4232eed751d227e0647ba26d
- SSDEEP
  
  3072:xwJ52Y7ZoH5XJaAWIIyxxPcLU9NPiTa6xwR2j6dNEPC13L:xwHysXIFM0JuLxxyEPO3L
Score

10^/10

netwire botnet persistence rat stealer
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Executes dropped EXE
- Modifies Installed Components in the registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

netwirebotnetpersistenceratstealer

behavioral2

netwirebotnetpersistenceratstealer

© 2018-2024

Terms | Privacy