netwire | bc89eefe8b6e92ba8da2014e114cc6efb51744ea6198bcb75a0d47ae50f2f576 | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

3

efc5c94996...46.exe

windows7-x64

efc5c94996...46.exe

windows10-2004-x64

Sharing

General

Target

bc89eefe8b6e92ba8da2014e114cc6efb51744ea6198bcb75a0d47ae50f2f576
Size

786KB
Sample

240417-qa2mjage44
MD5

f9b31b7359c984528b8539cd2310bfd5
SHA1

65145efb30ba7fe1fceb745f56c41d90e106f622
SHA256

bc89eefe8b6e92ba8da2014e114cc6efb51744ea6198bcb75a0d47ae50f2f576
SHA512

9382f02b82b3bece7a090bdbc89b1d3b84a5dabdca49fd97bfcf6b32dec3527efa1b8b419cb45efdd36e07743211043dd1e4a393387d81700617a237f10b1506
SSDEEP

24576:bc/3rODfl+epkHOJVkDkAX8UIK+/U6vA7DJZ9Ew:bg3rmQqkHJoUIK+c6vAJZew

Score

10^/10

netwire zgrat botnet rat stealer

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

efc5c94996f4af7ae3a2d17dfc73dd7fe3f84269e73bb611e5806f2fd131a646.exe

Resource

win7-20240221-en

windows7-x64

7 signatures

150 seconds

Behavioral task

behavioral2

Sample

efc5c94996f4af7ae3a2d17dfc73dd7fe3f84269e73bb611e5806f2fd131a646.exe

Resource

win10v2004-20240412-en

netwire zgrat botnet rat stealer

windows10-2004-x64

12 signatures

150 seconds

Malware Config

Extracted

Family

netwire

C2

212.193.30.230:6826

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
install_path
%AppData%\Install\Host.exe
lock_executable
false
offline_keylogger
false
password
kolabo123
registry_autorun
false
use_mutex
false

Targets

- Target
  
  efc5c94996f4af7ae3a2d17dfc73dd7fe3f84269e73bb611e5806f2fd131a646.exe
- Size
  
  928KB
- MD5
  
  d616794167af5c88812aabaf65120fad
- SHA1
  
  ad1289875a05ba89cb6e10b08b95ee45bdf79d0f
- SHA256
  
  efc5c94996f4af7ae3a2d17dfc73dd7fe3f84269e73bb611e5806f2fd131a646
- SHA512
  
  8c2211e1472c53863d9c0bed2baf03c6ea2dd9b568480cee909a4fa157c229e3e651afc673168304bdfa875bf0eb056896dbb3906e1d66dcc8b23e4e075bceee
- SSDEEP
  
  24576:Jg7gUMoMnm9cU9VHb5Z763rs7u8BeV67s7nCrt8dB:vWMnGcU95nAsyTKug+
Score

10^/10

zgrat rat netwire botnet stealer
- Detect ZGRat V1
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

netwirezgratbotnetratstealer

© 2018-2025

Terms | Privacy