netwire | f9113f6d2278ec7997fd0a713b5a49f68338cc75fba323af3c8c5ce2d06f9bfa | Triage

Submit
Reports

Overview

overview

Static

static

f9113f6d22...fa.exe

windows7-x64

f9113f6d22...fa.exe

windows10-2004-x64

Sharing

General

Target

f9113f6d2278ec7997fd0a713b5a49f68338cc75fba323af3c8c5ce2d06f9bfa
Size

603KB
Sample

230129-x6jj6acc7s
MD5

3e1d28eea4116b42f5e1ddb09d269fc4
SHA1

a9a0e4a7bc99de387567cade9b27e66e98ebc6f9
SHA256

f9113f6d2278ec7997fd0a713b5a49f68338cc75fba323af3c8c5ce2d06f9bfa
SHA512

7397d83ee8b6126247e1c82e97f1b85f3b95ffb087b22247f310aff5ee49e0e2ba5b23dd410353b13c7a6acf1ed72f0ea5ac67eacfa7f8e24571a5f1c22fd552
SSDEEP

12288:EXRS22ZRIax1vuWWyaTXjV6IMurq08xySQ6FaSqLvp1cDeD6lpRLFjXK9SDhB8pM:3GTXMiSmhq9srpWE6NvrVQrlBRJ3hOZL

Score

10^/10

netwire botnet persistence rat stealer

Static task

static1

Behavioral task

behavioral1

Sample

f9113f6d2278ec7997fd0a713b5a49f68338cc75fba323af3c8c5ce2d06f9bfa.exe

Resource

win7-20220812-en

netwire botnet persistence rat stealer

windows7-x64

9 signatures

150 seconds

Behavioral task

behavioral2

Sample

f9113f6d2278ec7997fd0a713b5a49f68338cc75fba323af3c8c5ce2d06f9bfa.exe

Resource

win10v2004-20220812-en

netwire botnet persistence rat stealer

windows10-2004-x64

9 signatures

150 seconds

Malware Config

Extracted

Family

netwire

C2

bambooo.dynu.net:8858

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
GAgoxrms
offline_keylogger
true
password
nesamone
registry_autorun
false
use_mutex
true

Targets

- Target
  
  f9113f6d2278ec7997fd0a713b5a49f68338cc75fba323af3c8c5ce2d06f9bfa
- Size
  
  603KB
- MD5
  
  3e1d28eea4116b42f5e1ddb09d269fc4
- SHA1
  
  a9a0e4a7bc99de387567cade9b27e66e98ebc6f9
- SHA256
  
  f9113f6d2278ec7997fd0a713b5a49f68338cc75fba323af3c8c5ce2d06f9bfa
- SHA512
  
  7397d83ee8b6126247e1c82e97f1b85f3b95ffb087b22247f310aff5ee49e0e2ba5b23dd410353b13c7a6acf1ed72f0ea5ac67eacfa7f8e24571a5f1c22fd552
- SSDEEP
  
  12288:EXRS22ZRIax1vuWWyaTXjV6IMurq08xySQ6FaSqLvp1cDeD6lpRLFjXK9SDhB8pM:3GTXMiSmhq9srpWE6NvrVQrlBRJ3hOZL
Score

10^/10

netwire botnet persistence rat stealer
- Modifies WinLogon for persistence
  persistence
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Drops startup file
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

netwirebotnetpersistenceratstealer

behavioral2

netwirebotnetpersistenceratstealer

© 2018-2024

Terms | Privacy