netwire

General

Target

NEAS.95f89cbdd9bd5d81dd4cdb671a9d12c9.exe
Size

1.3MB
Sample

231114-l21gbsba9v
MD5

95f89cbdd9bd5d81dd4cdb671a9d12c9
SHA1

8401397d5d4e12d8fe714580237d979f8a142d37
SHA256

dca25d35ee7ac4e3358051e5b14104eb74606ba7eb736774bf9e36ee46856772
SHA512

6d0edb8b01ebabffd7d549eed9330ea6ced8224080565754de740cb24359ed401df25a2c7b4e182784135c6229d91d9a67348d3211142f0c44946533a391104c
SSDEEP

24576:Ku6J33O0c+JY5UZ+XC0kGso6Fa720W4njUprvVcC1f2o5RRfgUWYr:8u0c++OCvkGs9Fa+rd1f26RaYr

Score

10^/10

Malware Config

Extracted

Family

netwire

C2

Wealthy2019.com.strangled.net:20190

wealthyme.ddns.net:20190

Attributes

activex_autorun
false
copy_executable
true
delete_original
false
host_id
sunshineslisa
install_path
%AppData%\Imgburn\Host.exe
keylogger_dir
%AppData%\Logs\Imgburn\
lock_executable
false
offline_keylogger
true
password
sucess
registry_autorun
false
use_mutex
false

Extracted

Family

warzonerat

C2

wealth.warzonedns.com:5202

Targets

- Target
  
  NEAS.95f89cbdd9bd5d81dd4cdb671a9d12c9.exe
- Size
  
  1.3MB
- MD5
  
  95f89cbdd9bd5d81dd4cdb671a9d12c9
- SHA1
  
  8401397d5d4e12d8fe714580237d979f8a142d37
- SHA256
  
  dca25d35ee7ac4e3358051e5b14104eb74606ba7eb736774bf9e36ee46856772
- SHA512
  
  6d0edb8b01ebabffd7d549eed9330ea6ced8224080565754de740cb24359ed401df25a2c7b4e182784135c6229d91d9a67348d3211142f0c44946533a391104c
- SSDEEP
  
  24576:Ku6J33O0c+JY5UZ+XC0kGso6Fa720W4njUprvVcC1f2o5RRfgUWYr:8u0c++OCvkGs9Fa+rd1f26RaYr
Score

10^/10

netwire warzonerat botnet infostealer rat stealer
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Warzone RAT payload
  rat
- Executes dropped EXE
- Loads dropped DLL
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

NetWire RAT payload

WarzoneRat, AveMaria

Warzone RAT payload

Executes dropped EXE

Loads dropped DLL

AutoIT Executable

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2