netwire

General

Target

7b0c5b6d2b384472a66a91446e3871a6
Size

111KB
Sample

230316-brp8hagc62
MD5

7b0c5b6d2b384472a66a91446e3871a6
SHA1

43f7d3727ff16afed19acd8a152c13b72b789d5f
SHA256

48d5f8ef5449387f721907a96a8eab0f7827f393db4c96d351bab43de7944d95
SHA512

214b1ec30417fd5c009f7cace9855d2bff2417099d6b863fbc014bc57a0e041b100a7585dd719af0d3398474b860f05d75d7b8fc3f979b2a8eada2d1b362e501
SSDEEP

768:iH059SCyqm4AxvqFTTT5jTTTT+lYeAcoMNii6LKtMwZ5JkQ0sKoIQr0/FLyTsMa7:807SCxCQTTT5jTTTT+rzVb00fLZDQ

Score

10^/10

Malware Config

Extracted

Family

purecrypter

C2

https://firebasestorage.googleapis.com/v0/b/hjop-9ee35.appspot.com/o/Xuwbqh.dat?alt=media&token=f8835a49-5488-429f-8453-0ec2ff1d135e

Extracted

Family

netwire

C2

netwire2021.duckdns.org:7929

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
qFlJFfII
offline_keylogger
true
password
Password
registry_autorun
false
use_mutex
true

Targets

- Target
  
  7b0c5b6d2b384472a66a91446e3871a6
- Size
  
  111KB
- MD5
  
  7b0c5b6d2b384472a66a91446e3871a6
- SHA1
  
  43f7d3727ff16afed19acd8a152c13b72b789d5f
- SHA256
  
  48d5f8ef5449387f721907a96a8eab0f7827f393db4c96d351bab43de7944d95
- SHA512
  
  214b1ec30417fd5c009f7cace9855d2bff2417099d6b863fbc014bc57a0e041b100a7585dd719af0d3398474b860f05d75d7b8fc3f979b2a8eada2d1b362e501
- SSDEEP
  
  768:iH059SCyqm4AxvqFTTT5jTTTT+lYeAcoMNii6LKtMwZ5JkQ0sKoIQr0/FLyTsMa7:807SCxCQTTT5jTTTT+rzVb00fLZDQ
Score

10^/10

netwire purecrypter botnet downloader loader persistence rat stealer
- Modifies WinLogon for persistence
  persistence
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- PureCrypter
  PureCrypter is a .NET malware loader first seen in early 2021.
  loader downloader purecrypter
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Modifies WinLogon for persistence

NetWire RAT payload

PureCrypter

Checks computer location settings

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2