netwire | e1925bde1e23a227a36281f793625ac6b038020a16d4f67c85b500b6c16cbcc5 | Triage

Sharing

General

Target

c14f7a70a3083113154ae0242fd0e14b4c54056cfdb419ec46f3e0471bf0827a.zip
Size

131KB
Sample

240402-qx7r3abh4s
MD5

01a414e2408beb1627edb1a2dbd1ffb6
SHA1

c39b9b597ab23a0876785b431f0b3d0a28de8eba
SHA256

e1925bde1e23a227a36281f793625ac6b038020a16d4f67c85b500b6c16cbcc5
SHA512

4daf84ce2dc3f1a3dc77547ebd1c85bc78c289fad82353ee004ad232d9a8544180a3a8f758af74a729d9f00f566a9f5633714b21e2dbc507b6d343f63973171c
SSDEEP

3072:TDG8668KHDFUixHT8+YENr6/2PceYL1ZJd67MBqFNl7:ew8GDF7xgYqP64Bqd7

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Extracted

Family

netwire

C2

winx.xcapdatap.capetown:7390

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
Jagz_$$$
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
P@55w0rd!
registry_autorun
false
use_mutex
false

Targets

- Target
  
  c14f7a70a3083113154ae0242fd0e14b4c54056cfdb419ec46f3e0471bf0827a.exe
- Size
  
  208KB
- MD5
  
  3b25677fa8107108e47bf97e9df675a6
- SHA1
  
  fb4c79542cf166a2f7b099b65c43db58b6a01e68
- SHA256
  
  c14f7a70a3083113154ae0242fd0e14b4c54056cfdb419ec46f3e0471bf0827a
- SHA512
  
  71010fcba0fc1973b642332b25eda77eeda517c819e203b683fe005c3f5c332a86a7bd5fa5150e34f300577ec8404eac7e66ef3c91542ae90bb4bfd857edc280
- SSDEEP
  
  3072:2H4l3KCxknsqA36giLi9YiE8qoX4Ot6QN05XRu+/glGMs4u8jQHVVy0b:2HCLqs12Li9YhqthN0RGFs+QH
Score

10^/10

netwire botnet persistence rat stealer
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

netwirebotnetpersistenceratstealer

behavioral2

netwirebotnetpersistenceratstealer