netwire | 10a9942365cfd73d8c11b5b8e46763a53c642e5ddd9577a21c2388e7bc99d910 | Triage

Submit
Reports

Overview

overview

Static

static

r.exe

windows7-x64

r.exe

windows10-2004-x64

Sharing

General

Target

r.exe
Size

160KB
Sample

230401-fpg7bsga83
MD5

fb8441287cef7a3c0a67a24830a648f3
SHA1

6fef02a3793b481a2603da3d5051698ea752f4ab
SHA256

10a9942365cfd73d8c11b5b8e46763a53c642e5ddd9577a21c2388e7bc99d910
SHA512

660a630c200f34808deba9484d416a8292176f18516a33d9af7c0ec3e5764f41c9a77d8fbf42dd123b8cdbe71e7537a2f63ccc675b2271c85b7a4164c0b4ad0e
SSDEEP

3072:jOzPcXa+ND32eioGHlz8rnAE0HCXh0edLv1YMjMqqDvFf:jOTcK+NrRioGHlz8rz0i/1zQqqDvFf

Score

10^/10

netwire botnet persistence rat stealer

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

r.exe

Resource

win7-20230220-en

netwire botnet persistence rat stealer

windows7-x64

7 signatures

150 seconds

Behavioral task

behavioral2

Sample

r.exe

Resource

win10v2004-20230220-en

netwire botnet persistence rat stealer

windows10-2004-x64

7 signatures

150 seconds

Malware Config

Extracted

Family

netwire

C2

wire.universitynetservice1979.info:8888

167.179.102.70:8888

62.234.24.30:8888

Attributes

activex_autorun
false
copy_executable
true
delete_original
true
host_id
HostId-%Rand%
install_path
%AppData%\Install\svchost.exe
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
olflQfiP
offline_keylogger
true
password
win
registry_autorun
true
startup_name
netloading
use_mutex
true

Targets

- Target
  
  r.exe
- Size
  
  160KB
- MD5
  
  fb8441287cef7a3c0a67a24830a648f3
- SHA1
  
  6fef02a3793b481a2603da3d5051698ea752f4ab
- SHA256
  
  10a9942365cfd73d8c11b5b8e46763a53c642e5ddd9577a21c2388e7bc99d910
- SHA512
  
  660a630c200f34808deba9484d416a8292176f18516a33d9af7c0ec3e5764f41c9a77d8fbf42dd123b8cdbe71e7537a2f63ccc675b2271c85b7a4164c0b4ad0e
- SSDEEP
  
  3072:jOzPcXa+ND32eioGHlz8rnAE0HCXh0edLv1YMjMqqDvFf:jOTcK+NrRioGHlz8rz0i/1zQqqDvFf
Score

10^/10

netwire botnet persistence rat stealer
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

netwirebotnetpersistenceratstealer

behavioral2

netwirebotnetpersistenceratstealer

© 2018-2024

Terms | Privacy