netwire

General

Target

a6d6cfb6bb98d96dc1fdc43def2fbb847d416bce908c4d68790d50fac9a986e3
Size

482KB
Sample

240226-1zsq2ahh6s
MD5

535ddefbc9a7f3bb8decc1705b76d42f
SHA1

73b4d446faa4862fef3623c4f404b26941e9ac6c
SHA256

a6d6cfb6bb98d96dc1fdc43def2fbb847d416bce908c4d68790d50fac9a986e3
SHA512

f0ff010ad37bf3b21a7d038abfe4d2ade41420737f669fbaae0ba9d81e6150a8053383301bca62d5028298eb4167168e0fc5f1d425b8fbeb8a077cd0c65baeea
SSDEEP

6144:uPpJYbryZGXSR/NxwLv1PWNemY2BzOpGZzN28qRdVlZ3VmE:uPpibryAXSR/Nav1WNemYWRaV

Score

10^/10

Malware Config

Extracted

Family

netwire

C2

194.147.140.14:4550

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
THANA
install_path
%AppData%\Install\Host.exe
keylogger_dir
TestLink.lnk
lock_executable
false
offline_keylogger
false
password
DrvbK8mdyY4F6Uh
registry_autorun
false
use_mutex
false

Targets

- Target
  
  a6d6cfb6bb98d96dc1fdc43def2fbb847d416bce908c4d68790d50fac9a986e3
- Size
  
  482KB
- MD5
  
  535ddefbc9a7f3bb8decc1705b76d42f
- SHA1
  
  73b4d446faa4862fef3623c4f404b26941e9ac6c
- SHA256
  
  a6d6cfb6bb98d96dc1fdc43def2fbb847d416bce908c4d68790d50fac9a986e3
- SHA512
  
  f0ff010ad37bf3b21a7d038abfe4d2ade41420737f669fbaae0ba9d81e6150a8053383301bca62d5028298eb4167168e0fc5f1d425b8fbeb8a077cd0c65baeea
- SSDEEP
  
  6144:uPpJYbryZGXSR/NxwLv1PWNemY2BzOpGZzN28qRdVlZ3VmE:uPpibryAXSR/Nav1WNemYWRaV
Score

10^/10

netwire purecrypter botnet downloader loader stealer
- Detect PureCrypter injector
  loader
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- PureCrypter
  PureCrypter is a .NET malware loader first seen in early 2021.
  loader downloader purecrypter
- Detects executables packed with SmartAssembly
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Detect PureCrypter injector

PureCrypter

Detects executables packed with SmartAssembly

Checks computer location settings

Drops startup file

Executes dropped EXE

Loads dropped DLL

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2