netwire | c289a867c2488aba791f6a764ea901872820cc4c45bfe6210e2409c842c6f8c1 | Triage

Submit
Reports

Overview

overview

Static

static

c289a867c2...c1.hta

windows7-x64

c289a867c2...c1.hta

windows10-2004-x64

Sharing

General

Target

c289a867c2488aba791f6a764ea901872820cc4c45bfe6210e2409c842c6f8c1.danger
Size

1KB
Sample

230117-pbk6habf5v
MD5

54c3aff6778177f39bd3930fe61a162e
SHA1

623a8471475981e9a992235ba5fcf12e99c96612
SHA256

c289a867c2488aba791f6a764ea901872820cc4c45bfe6210e2409c842c6f8c1
SHA512

40e8a0d1d7f550273bca6d6501c595277f7767bf276be3eee03bf102d41dc48ba8255df189ddeb67a74c7d97c691d015d3e3cee1710eb61f5abf34854cc03bdd

Score

10^/10

netwire botnet rat stealer

Static task

static1

Behavioral task

behavioral1

Sample

c289a867c2488aba791f6a764ea901872820cc4c45bfe6210e2409c842c6f8c1.hta

Resource

win7-20221111-en

windows7-x64

6 signatures

150 seconds

Behavioral task

behavioral2

Sample

c289a867c2488aba791f6a764ea901872820cc4c45bfe6210e2409c842c6f8c1.hta

Resource

win10v2004-20220812-en

netwire botnet rat stealer

windows10-2004-x64

15 signatures

150 seconds

Malware Config

Extracted

Family

netwire

C2

212.193.30.230:3361

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
Telkomsa@1991
registry_autorun
false
use_mutex
false

Targets

- Target
  
  c289a867c2488aba791f6a764ea901872820cc4c45bfe6210e2409c842c6f8c1.danger
- Size
  
  1KB
- MD5
  
  54c3aff6778177f39bd3930fe61a162e
- SHA1
  
  623a8471475981e9a992235ba5fcf12e99c96612
- SHA256
  
  c289a867c2488aba791f6a764ea901872820cc4c45bfe6210e2409c842c6f8c1
- SHA512
  
  40e8a0d1d7f550273bca6d6501c595277f7767bf276be3eee03bf102d41dc48ba8255df189ddeb67a74c7d97c691d015d3e3cee1710eb61f5abf34854cc03bdd
Score

10^/10

netwire botnet rat stealer
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

netwirebotnetratstealer

© 2018-2024

Terms | Privacy