netwire | eb363346cfff4269e6496451ee6a22e696f343c239dfa93e4318c8d9eee640f2 | Triage

Sharing

General

Target

3b25677fa8107108e47bf97e9df675a6.bin
Size

131KB
Sample

240123-bl6cjafcb3
MD5

12a9ef510bdfba87977c18e6156237fc
SHA1

120812e55d26df43f4d10e910f7d0348c8ec26a5
SHA256

eb363346cfff4269e6496451ee6a22e696f343c239dfa93e4318c8d9eee640f2
SHA512

993ebf5d268ee73c380514ad97cbf54de57df0c32c89add9937ad92e495edbf9ab3414cc8e54e32cb8f3c2d7843d05e6ece477f241be4c045499135307a31e00
SSDEEP

3072:+wZxzvE+wAUVnSUR4+D/+CHHU6a2ndYI1dJzrqM9Js+tuyr:/zvE+wttS+hnU6a2dH1dJHhJsur

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Extracted

Family

netwire

C2

winx.xcapdatap.capetown:7390

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
Jagz_$$$
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
P@55w0rd!
registry_autorun
false
use_mutex
false

Targets

- Target
  
  c14f7a70a3083113154ae0242fd0e14b4c54056cfdb419ec46f3e0471bf0827a.exe
- Size
  
  208KB
- MD5
  
  3b25677fa8107108e47bf97e9df675a6
- SHA1
  
  fb4c79542cf166a2f7b099b65c43db58b6a01e68
- SHA256
  
  c14f7a70a3083113154ae0242fd0e14b4c54056cfdb419ec46f3e0471bf0827a
- SHA512
  
  71010fcba0fc1973b642332b25eda77eeda517c819e203b683fe005c3f5c332a86a7bd5fa5150e34f300577ec8404eac7e66ef3c91542ae90bb4bfd857edc280
- SSDEEP
  
  3072:2H4l3KCxknsqA36giLi9YiE8qoX4Ot6QN05XRu+/glGMs4u8jQHVVy0b:2HCLqs12Li9YhqthN0RGFs+QH
Score

10^/10

netwire botnet persistence rat stealer
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

netwirebotnetpersistenceratstealer

behavioral2

netwirebotnetpersistenceratstealer