netwire | 51a26615359fa83ea8687290e2141f753b6969e1905c5aa78bf2c1708904806c | Triage

Submit
Reports

Overview

overview

Static

static

91bfa2445d...ac.exe

windows7-x64

8

91bfa2445d...ac.exe

windows10-2004-x64

Sharing

General

Target

91bfa2445d998425c81f30d293235429ca6a8c6c8f326536478952a2a6754aac.zip
Size

371KB
Sample

230113-wmkgnsbc42
MD5

446c6dadb9c472a57c9a54b632c70b98
SHA1

3665dd29d04df61b3781662293a3fcf7c40f5ffd
SHA256

51a26615359fa83ea8687290e2141f753b6969e1905c5aa78bf2c1708904806c
SHA512

fa0ae9f01ff5b51e4c45fd2fcce628449f749091f43e1fddeadd73318581ce187ccb9f60279b2c5a6d3e08d16d0d98a74d5441542247435f840e9710d925914c
SSDEEP

6144:sBqVfX21kqzxZ26pUotN0haxv15MuxWyuMCIJuwN9bK3AJsZz0+ZO6DvNurrhHxF:s+Akq9ZHUPhax3xWyDme9WSU0IIFHf

Score

10^/10

netwire botnet persistence rat stealer upx

Static task

static1

Behavioral task

behavioral1

Sample

91bfa2445d998425c81f30d293235429ca6a8c6c8f326536478952a2a6754aac.exe

Resource

win7-20220812-es

persistence upx

windows7-x64

8 signatures

300 seconds

Behavioral task

behavioral2

Sample

91bfa2445d998425c81f30d293235429ca6a8c6c8f326536478952a2a6754aac.exe

Resource

win10v2004-20221111-es

netwire botnet persistence rat stealer upx

windows10-2004-x64

14 signatures

300 seconds

Malware Config

Extracted

Family

netwire

C2

qualitytrade12.hopto.org:3194

Attributes

activex_autorun
true
activex_key
{KEW5251T-4080-L0OG-0866-B1E0A86Y18A5}
copy_executable
true
delete_original
false
host_id
NEWCLIENT
install_path
%AppData%\Install\excel.exe
keylogger_dir
%AppData%\Logs\
lock_executable
true
mutex
RPlPfmOq
offline_keylogger
true
password
master45
registry_autorun
true
startup_name
Adobe
use_mutex
true

Targets

- Target
  
  91bfa2445d998425c81f30d293235429ca6a8c6c8f326536478952a2a6754aac
- Size
  
  420KB
- MD5
  
  1517814c4d44cc632abb52d2d6307f15
- SHA1
  
  9ee0404b76fe5bda2692f049bb9fc78e17240708
- SHA256
  
  91bfa2445d998425c81f30d293235429ca6a8c6c8f326536478952a2a6754aac
- SHA512
  
  34e0804548803b4ece092061dc287078f5853b9d73d7759b403fdc5bbc4141ddad2b146c06edf8dbaa5ce055c62e1106e91df05a7866402f47be6f28acddaf7a
- SSDEEP
  
  6144:QjbeiyDBJNEeHfZEW6GH5W288L5ABAYRb+m112Mppeaibjz90645wZUS+:Qu1PzgGH5W28oANn112tLOE+
Score

10^/10

persistence upx netwire botnet rat stealer
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

netwirebotnetpersistenceratstealerupx

© 2018-2024

Terms | Privacy