netwire

General

Target

add5d7ea43e8d2e4ca5334fc8df769f9
Size

1008KB
Sample

231219-1s4jysfbg3
MD5

add5d7ea43e8d2e4ca5334fc8df769f9
SHA1

632b823fe500f8adc8511b5371e6da697cdbbe08
SHA256

da4e9c5b477efe56f29cacaef8591eef0b175829c6d1cbe4687b2ecf4174d267
SHA512

f50de4eacfd94921a8566a601812a21671c613fe0fb917b18026c0f2744b2f58c45102f61a7a2783f519cc1386a70166dc8cb186a4298def98cc811d4d9eb405
SSDEEP

12288:1EkCdOy3vVrKxR5CXbNjAOxK/j2n+4YG/6c1mFFja3mXgcjfRlgsUBga/77395Ya:1EkCdxte/80jYLT3U1jfsWaz737R/UQ

Score

10^/10

Malware Config

Extracted

Family

netwire

C2

update92.publicvm.com:2020

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
1992
registry_autorun
false
use_mutex
false

Targets

- Target
  
  add5d7ea43e8d2e4ca5334fc8df769f9
- Size
  
  1008KB
- MD5
  
  add5d7ea43e8d2e4ca5334fc8df769f9
- SHA1
  
  632b823fe500f8adc8511b5371e6da697cdbbe08
- SHA256
  
  da4e9c5b477efe56f29cacaef8591eef0b175829c6d1cbe4687b2ecf4174d267
- SHA512
  
  f50de4eacfd94921a8566a601812a21671c613fe0fb917b18026c0f2744b2f58c45102f61a7a2783f519cc1386a70166dc8cb186a4298def98cc811d4d9eb405
- SSDEEP
  
  12288:1EkCdOy3vVrKxR5CXbNjAOxK/j2n+4YG/6c1mFFja3mXgcjfRlgsUBga/77395Ya:1EkCdxte/80jYLT3U1jfsWaz737R/UQ
Score

10^/10

netwire botnet rat stealer
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Blocklisted process makes network request
- Drops startup file
- Executes dropped EXE
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

NetWire RAT payload

Blocklisted process makes network request

Drops startup file

Executes dropped EXE

Enumerates connected drives

AutoIT Executable

Drops file in System32 directory

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2