netwire | 1b237b3ab8599d30b0fd3000049e5a6b7b2fde1dc6befa4a1929033d83533bd2 | Triage

Submit
Reports

Overview

overview

Static

static

3

894680380-...23.exe

windows7-x64

894680380-...23.exe

windows10-2004-x64

Sharing

General

Target

046bf1870416a2ea4108d3809fcdfda514663aa9fabd74b88f78c7e332eb397d.zip
Size

790KB
Sample

240402-qjdxtsbd28
MD5

ccee184f719e18e696b28571c0adf6f1
SHA1

e94d555d306dd1c92969a7cbe75f8b1aa20fb9e3
SHA256

1b237b3ab8599d30b0fd3000049e5a6b7b2fde1dc6befa4a1929033d83533bd2
SHA512

abe8a86568080b776920b8b20f63b03a278a0e33a46f25a56f165abc435fe51f32f4e1d9395b9419a1c7e204f2b727866377df45633703e42ff879424b820bc7
SSDEEP

12288:eZRu797xOniXY5BvktnW6hrNifuxavClJ0LmB8dwYC16a4FGGohmjo:e67qiXY7ktn7uHCoLmB8dvA47vc

Score

10^/10

netwire zgrat botnet rat stealer

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

894680380-ALVACO ORDER 2023.exe

Resource

win7-20240221-en

netwire zgrat botnet rat stealer

windows7-x64

12 signatures

150 seconds

Behavioral task

behavioral2

Sample

894680380-ALVACO ORDER 2023.exe

Resource

win10v2004-20240319-en

netwire zgrat botnet rat stealer

windows10-2004-x64

12 signatures

150 seconds

Malware Config

Extracted

Family

netwire

C2

212.193.30.230:6826

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
install_path
%AppData%\Install\Host.exe
lock_executable
false
offline_keylogger
false
password
kolabo123
registry_autorun
false
use_mutex
false

Targets

- Target
  
  894680380-ALVACO ORDER 2023.exe
- Size
  
  928KB
- MD5
  
  d616794167af5c88812aabaf65120fad
- SHA1
  
  ad1289875a05ba89cb6e10b08b95ee45bdf79d0f
- SHA256
  
  efc5c94996f4af7ae3a2d17dfc73dd7fe3f84269e73bb611e5806f2fd131a646
- SHA512
  
  8c2211e1472c53863d9c0bed2baf03c6ea2dd9b568480cee909a4fa157c229e3e651afc673168304bdfa875bf0eb056896dbb3906e1d66dcc8b23e4e075bceee
- SSDEEP
  
  24576:Jg7gUMoMnm9cU9VHb5Z763rs7u8BeV67s7nCrt8dB:vWMnGcU95nAsyTKug+
Score

10^/10

netwire zgrat botnet rat stealer
- Detect ZGRat V1
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

netwirezgratbotnetratstealer

behavioral2

netwirezgratbotnetratstealer

© 2018-2025

Terms | Privacy