netwire | 6d880189693cf93dd4ca145b0d3cc8e9295da375654d04ea68a5f67c9f62ae87 | Triage

Sharing

General

Target

KMS.exe
Size

1.7MB
Sample

231009-x59d7afg8y
MD5

0f7ae75bde16c261d817cf6fab4e7770
SHA1

030733fd3ed1ad22a1842ee53ffc7ae312652ecd
SHA256

6d880189693cf93dd4ca145b0d3cc8e9295da375654d04ea68a5f67c9f62ae87
SHA512

51698c963bd829c6875d6d70e4e3f44cd99b87bcb2b589f0a1d268cec008a07cd8d9182a51b0eb7714b8cd0c0261e1e279a0404ef59b5877a6e6d5f1c2f69f67
SSDEEP

1536:RbEp4Z40d4I4I4I4I4I4I4I4I4V3424GI5Ac4dONlIKO67gHrc64hUQyOCH1Rog5:Rbnfu

Score

10^/10

netwire botnet evasion persistence rat stealer trojan

Malware Config

Extracted

Family

netwire

C2

haija.mine.nu:1338

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
Alien
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
qays1122
registry_autorun
false
use_mutex
false

Targets

- Target
  
  KMS.exe
- Size
  
  1.7MB
- MD5
  
  0f7ae75bde16c261d817cf6fab4e7770
- SHA1
  
  030733fd3ed1ad22a1842ee53ffc7ae312652ecd
- SHA256
  
  6d880189693cf93dd4ca145b0d3cc8e9295da375654d04ea68a5f67c9f62ae87
- SHA512
  
  51698c963bd829c6875d6d70e4e3f44cd99b87bcb2b589f0a1d268cec008a07cd8d9182a51b0eb7714b8cd0c0261e1e279a0404ef59b5877a6e6d5f1c2f69f67
- SSDEEP
  
  1536:RbEp4Z40d4I4I4I4I4I4I4I4I4V3424GI5Ac4dONlIKO67gHrc64hUQyOCH1Rog5:Rbnfu
Score

10^/10

netwire botnet evasion persistence rat stealer trojan
- Modifies WinLogon for persistence
  persistence
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Turns off Windows Defender SpyNet reporting
  evasion
- Windows security bypass
  evasion trojan
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

netwirebotnetevasionpersistenceratstealertrojan