netwire

General

Target

6b588f10b8814fce208026eed63ff8b0_JaffaCakes118
Size

476KB
Sample

240401-h1fhzsgf79
MD5

6b588f10b8814fce208026eed63ff8b0
SHA1

7074e305ab66eac5dc2ec8bb99282c00bc5bdfb7
SHA256

e37779b6dd136ffc0248d95fcc6a5f5120d8cce48c5b39c56744f0f660c593de
SHA512

92663f54c80ef082d2bdb59e7a1735e441ce51dc0ebf0c2b3d4a7fd4021ccb1a04242299f30b6fbee4a6f43e20f0c875bbda2afc5bd80a6d2ebd128be198feb5
SSDEEP

6144:iYY7Vh8F5RbioPIUsI192HNl+w9GwAUIV52nBmGjUjkiEiLLeeLubfiVUEJvYgQ1:ipJh4ooVZ9izGwA952nBZ2OifelOJj

Score

10^/10

Malware Config

Extracted

Family

netwire

C2

william1979.ddns.net:4417

mathkros79.ddns.net:4417

engine79.ddns.net:4417

chrisle79.ddns.net:4417

jacknop79.ddns.net:4417

smath79.ddns.net:4417

whatis79.ddns.net:4417

goodgt79.ddns.net:4417

bonding79.ddns.net:4417

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
Oct 2017
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
Password2$
registry_autorun
false
use_mutex
false

Targets

- Target
  
  6b588f10b8814fce208026eed63ff8b0_JaffaCakes118
- Size
  
  476KB
- MD5
  
  6b588f10b8814fce208026eed63ff8b0
- SHA1
  
  7074e305ab66eac5dc2ec8bb99282c00bc5bdfb7
- SHA256
  
  e37779b6dd136ffc0248d95fcc6a5f5120d8cce48c5b39c56744f0f660c593de
- SHA512
  
  92663f54c80ef082d2bdb59e7a1735e441ce51dc0ebf0c2b3d4a7fd4021ccb1a04242299f30b6fbee4a6f43e20f0c875bbda2afc5bd80a6d2ebd128be198feb5
- SSDEEP
  
  6144:iYY7Vh8F5RbioPIUsI192HNl+w9GwAUIV52nBmGjUjkiEiLLeeLubfiVUEJvYgQ1:ipJh4ooVZ9izGwA952nBZ2OifelOJj
Score

10^/10

netwire botnet rat stealer
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

NetWire RAT payload

Checks computer location settings

Drops startup file

Executes dropped EXE

Loads dropped DLL

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2