netwire | 8c497d2b4423312e13756f0cddda5c1d538424cadd673808921fbf24ea34d489 | Triage

Submit
Reports

Overview

overview

Static

static

3

e9b94cae93...85.exe

windows7-x64

e9b94cae93...85.exe

windows10-2004-x64

Sharing

General

Target

e9b94cae938b5549cc9645b0e15337bc0ff894b9413305351937cf7831347d85.zip
Size

948KB
Sample

240402-qjjs3sbd42
MD5

34687b2b2d232f832d4b86e880dd479d
SHA1

77989914fabbfc2a114dae0d4289f2ee4ce8cb1d
SHA256

8c497d2b4423312e13756f0cddda5c1d538424cadd673808921fbf24ea34d489
SHA512

b13af070f1e81c1679e57098c0014695acdc97cd6299161077c705c75e180125047c715a43a3fbf19e3f1c06e95eac0144afb8ec57f320217cc2d0cea5088f79
SSDEEP

24576:dNqvIEn4C1ndusqabWK61UaOR9I+EAUF6idX:iIEn56VK6U21vdX

Score

10^/10

netwire zgrat botnet persistence rat stealer

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

e9b94cae938b5549cc9645b0e15337bc0ff894b9413305351937cf7831347d85.exe

Resource

win7-20240215-en

netwire zgrat botnet persistence rat stealer

windows7-x64

10 signatures

150 seconds

Behavioral task

behavioral2

Sample

e9b94cae938b5549cc9645b0e15337bc0ff894b9413305351937cf7831347d85.exe

Resource

win10v2004-20240226-en

netwire zgrat botnet persistence rat stealer

windows10-2004-x64

10 signatures

150 seconds

Malware Config

Extracted

Family

netwire

C2

zekeriyasolek44.duckdns.org:3102

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
Valentine End
install_path
%Windows%\Windows DataPoint\Windows Data Start.exe
lock_executable
false
mutex
Windows
offline_keylogger
false
password
Password
registry_autorun
false
use_mutex
false

Targets

- Target
  
  e9b94cae938b5549cc9645b0e15337bc0ff894b9413305351937cf7831347d85.exe
- Size
  
  1.0MB
- MD5
  
  9e3dac5c792d10815c94ae9474c93aa8
- SHA1
  
  da3ffcfa7c41e842ea80548105fac93252149550
- SHA256
  
  e9b94cae938b5549cc9645b0e15337bc0ff894b9413305351937cf7831347d85
- SHA512
  
  69fe825e8c41cdc852407eb2d396344341ceeabcec2edb0bebe269245ca305796975a88d81d557b5cde3fe84c235fb4c26bbad60541b19709ede1240387c956b
- SSDEEP
  
  24576:bgky9IIScJ+HlZwRqm4QkoWp2xoKkcrETLwWmAae0:b7LwRqm48Wp2+KkcowWmAa
Score

10^/10

netwire zgrat botnet persistence rat stealer
- Detect ZGRat V1
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

netwirezgratbotnetpersistenceratstealer

behavioral2

netwirezgratbotnetpersistenceratstealer

© 2018-2025

Terms | Privacy