netwire | b638c1388498bf3e0e078ae3961dbc878d36c9f1298992d38603941dfb018fc1 | Triage

Submit
Reports

Overview

overview

Static

static

b638c13884...c1.exe

windows7-x64

b638c13884...c1.exe

windows10-2004-x64

Sharing

General

Target

b638c1388498bf3e0e078ae3961dbc878d36c9f1298992d38603941dfb018fc1
Size

462KB
Sample

221127-mxyydafb3v
MD5

b8f12deba5ed8696877ca4dd96fe16b8
SHA1

23a996e70f7154d9ca4fc3d708ee024493acc4a1
SHA256

b638c1388498bf3e0e078ae3961dbc878d36c9f1298992d38603941dfb018fc1
SHA512

84dc9c09b9cc03f6cccfcd2965fec88fdcad4926bb91be71c21566986cfc140bdc698dfda8ff7960aef4518563336f2dad962e5e29d25fd7223d2950081f7b26
SSDEEP

12288:4BFq3hrSEGkejhVatW+bbSzQSNtvzsjfY942d:463hrSEGkejhWW+bbMX/sjfw42d

Score

10^/10

netwire botnet persistence rat stealer

Static task

static1

Behavioral task

behavioral1

Sample

b638c1388498bf3e0e078ae3961dbc878d36c9f1298992d38603941dfb018fc1.exe

Resource

win7-20220812-en

netwire botnet persistence rat stealer

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

b638c1388498bf3e0e078ae3961dbc878d36c9f1298992d38603941dfb018fc1.exe

Resource

win10v2004-20220812-en

netwire botnet persistence rat stealer

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Targets

- Target
  
  b638c1388498bf3e0e078ae3961dbc878d36c9f1298992d38603941dfb018fc1
- Size
  
  462KB
- MD5
  
  b8f12deba5ed8696877ca4dd96fe16b8
- SHA1
  
  23a996e70f7154d9ca4fc3d708ee024493acc4a1
- SHA256
  
  b638c1388498bf3e0e078ae3961dbc878d36c9f1298992d38603941dfb018fc1
- SHA512
  
  84dc9c09b9cc03f6cccfcd2965fec88fdcad4926bb91be71c21566986cfc140bdc698dfda8ff7960aef4518563336f2dad962e5e29d25fd7223d2950081f7b26
- SSDEEP
  
  12288:4BFq3hrSEGkejhVatW+bbSzQSNtvzsjfY942d:463hrSEGkejhWW+bbMX/sjfw42d
Score

10^/10

netwire botnet persistence rat stealer
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Executes dropped EXE
- Modifies Installed Components in the registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

netwirebotnetpersistenceratstealer

behavioral2

netwirebotnetpersistenceratstealer

© 2018-2024

Terms | Privacy