netwire | 33dc068bbb208a5812f58cc18be54c7b6602c41a3fb33be365d0a200579d4126 | Triage

Submit
Reports

Overview

overview

Static

static

33dc068bbb...26.exe

windows7-x64

33dc068bbb...26.exe

windows10-2004-x64

Sharing

General

Target

33dc068bbb208a5812f58cc18be54c7b6602c41a3fb33be365d0a200579d4126
Size

153KB
Sample

221127-rg619sch87
MD5

4d68b6296c3c2be8ff00957f424ac629
SHA1

93d6f5442823594f5409b6f379cf9825d71597da
SHA256

33dc068bbb208a5812f58cc18be54c7b6602c41a3fb33be365d0a200579d4126
SHA512

5d098d92cb67f5af99bfaffed4f7d481b1ceb9c0a36e9e5c0305f332e3996ebcd450a0e08cb3874bdbdf906b0c4b0166110f96abf6853cbdff82d85f1597366e
SSDEEP

3072:6o6drfyifGppnIb/qjWteiTs215zeVJ9ikfzrvGsDA:6ljujnv2eideVJ97f/vGsD

Score

10^/10

netwire agilenet botnet rat stealer

Static task

static1

Behavioral task

behavioral1

Sample

33dc068bbb208a5812f58cc18be54c7b6602c41a3fb33be365d0a200579d4126.exe

Resource

win7-20221111-en

netwire agilenet botnet rat stealer

windows7-x64

17 signatures

150 seconds

Behavioral task

behavioral2

Sample

33dc068bbb208a5812f58cc18be54c7b6602c41a3fb33be365d0a200579d4126.exe

Resource

win10v2004-20221111-en

netwire agilenet botnet rat stealer

windows10-2004-x64

15 signatures

150 seconds

Malware Config

Targets

- Target
  
  33dc068bbb208a5812f58cc18be54c7b6602c41a3fb33be365d0a200579d4126
- Size
  
  153KB
- MD5
  
  4d68b6296c3c2be8ff00957f424ac629
- SHA1
  
  93d6f5442823594f5409b6f379cf9825d71597da
- SHA256
  
  33dc068bbb208a5812f58cc18be54c7b6602c41a3fb33be365d0a200579d4126
- SHA512
  
  5d098d92cb67f5af99bfaffed4f7d481b1ceb9c0a36e9e5c0305f332e3996ebcd450a0e08cb3874bdbdf906b0c4b0166110f96abf6853cbdff82d85f1597366e
- SSDEEP
  
  3072:6o6drfyifGppnIb/qjWteiTs215zeVJ9ikfzrvGsDA:6ljujnv2eideVJ97f/vGsD
Score

10^/10

netwire agilenet botnet rat stealer
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Persistence

Privilege Escalation

Defense Evasion

Scripting

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

netwireagilenetbotnetratstealer

behavioral2

netwireagilenetbotnetratstealer

© 2018-2024

Terms | Privacy