netwire | e1f43f3aa18f4c82ce5454e0670d1f3effb8c7e66a88258983459a3d2668cb2e | Triage

Submit
Reports

Overview

overview

Static

static

3

e1f43f3aa1...2e.exe

windows7-x64

e1f43f3aa1...2e.exe

windows10-2004-x64

Sharing

General

Target

e1f43f3aa18f4c82ce5454e0670d1f3effb8c7e66a88258983459a3d2668cb2e
Size

172KB
Sample

240325-1lzx7ahh67
MD5

c77a42c1744c454e28d0b962eccf8951
SHA1

fb1ec7b8e7c234531df577787026e72d4ded1d40
SHA256

e1f43f3aa18f4c82ce5454e0670d1f3effb8c7e66a88258983459a3d2668cb2e
SHA512

d78d1f1a37451c176b0f0fb132ea581599f062c03a2a3806f27afe2ef4f5216aee3dab939d3ff0bfee4e246b27178bfdcf5e4c7b638e01a48d274e814dea6dfc
SSDEEP

3072:KAx0uG+7EKz3oNCWQpEk5Z2d3qsjgjoWqBddRG1bkfM23nyj6Rh7fNch:r3T7E6oNFQSd39jgEWSjRw2R7f

Score

10^/10

netwire botnet persistence rat stealer

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

e1f43f3aa18f4c82ce5454e0670d1f3effb8c7e66a88258983459a3d2668cb2e.exe

Resource

win7-20240221-en

netwire botnet persistence rat stealer

windows7-x64

10 signatures

150 seconds

Behavioral task

behavioral2

Sample

e1f43f3aa18f4c82ce5454e0670d1f3effb8c7e66a88258983459a3d2668cb2e.exe

Resource

win10v2004-20240226-en

netwire botnet persistence rat stealer

windows10-2004-x64

10 signatures

150 seconds

Malware Config

Extracted

Family

netwire

C2

87.106.76.212:8081

glassmex.no-ip.org:8081

loopsoup.no-ip.org:8081

Attributes

activex_autorun
false
copy_executable
true
delete_original
true
host_id
HostId-%Rand%
install_path
%AppData%\Adobe\Components\armsvc.exe
keylogger_dir
C:\Users\Admin\AppData\Roaming\Microsoft\Office\
lock_executable
true
mutex
CfqTWdpW
offline_keylogger
true
password
Password
registry_autorun
true
startup_name
Adobe
use_mutex
true

Targets

- Target
  
  e1f43f3aa18f4c82ce5454e0670d1f3effb8c7e66a88258983459a3d2668cb2e
- Size
  
  172KB
- MD5
  
  c77a42c1744c454e28d0b962eccf8951
- SHA1
  
  fb1ec7b8e7c234531df577787026e72d4ded1d40
- SHA256
  
  e1f43f3aa18f4c82ce5454e0670d1f3effb8c7e66a88258983459a3d2668cb2e
- SHA512
  
  d78d1f1a37451c176b0f0fb132ea581599f062c03a2a3806f27afe2ef4f5216aee3dab939d3ff0bfee4e246b27178bfdcf5e4c7b638e01a48d274e814dea6dfc
- SSDEEP
  
  3072:KAx0uG+7EKz3oNCWQpEk5Z2d3qsjgjoWqBddRG1bkfM23nyj6Rh7fNch:r3T7E6oNFQSd39jgEWSjRw2R7f
Score

10^/10

netwire botnet persistence rat stealer
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

netwirebotnetpersistenceratstealer

behavioral2

netwirebotnetpersistenceratstealer

© 2018-2025

Terms | Privacy