netwire | 169798f79c5f6cbcaeed9457aa0fc1b9a1bda38c01fe3bb3b75ab762f4a208e1 | Triage

Submit
Reports

Overview

overview

Static

static

3

6bd3a312c2...ac.exe

windows7-x64

6bd3a312c2...ac.exe

windows10-2004-x64

Sharing

General

Target

169798f79c5f6cbcaeed9457aa0fc1b9a1bda38c01fe3bb3b75ab762f4a208e1
Size

823KB
Sample

240417-qazsyage43
MD5

42f53ffe5b4e846fc2b7c161a3615d27
SHA1

49e8e0988da90b97a9a2e503d75926a19dc797a8
SHA256

169798f79c5f6cbcaeed9457aa0fc1b9a1bda38c01fe3bb3b75ab762f4a208e1
SHA512

a61563c4b70f2051d35fc81c7e4e26f398d33eb6dcacb19c8992dd858b006a7a37e84d95e2923d4274e734791365d658a41ff190cba8d334a57c640a2f90c653
SSDEEP

24576:nW2Bj+149q40J2Ml9eC4vMI+4wmQLCpzLH:djr9CA+914Eb4wBLCRj

Score

10^/10

netwire zgrat botnet persistence rat stealer

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

6bd3a312c22fe9fa71fb2ace3f5ec6e8cdfc06a22a0d31f6bcb5896c083cc3ac.exe

Resource

win7-20240221-en

netwire zgrat botnet rat stealer

windows7-x64

12 signatures

150 seconds

Behavioral task

behavioral2

Sample

6bd3a312c22fe9fa71fb2ace3f5ec6e8cdfc06a22a0d31f6bcb5896c083cc3ac.exe

Resource

win10v2004-20240412-en

netwire zgrat botnet persistence rat stealer

windows10-2004-x64

10 signatures

150 seconds

Malware Config

Extracted

Family

netwire

C2

zekeriyasolek44.duckdns.org:3102

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
Valentine End
install_path
%Windows%\Windows DataPoint\Windows Data Start.exe
lock_executable
false
mutex
Windows
offline_keylogger
false
password
Password
registry_autorun
false
use_mutex
false

Targets

- Target
  
  6bd3a312c22fe9fa71fb2ace3f5ec6e8cdfc06a22a0d31f6bcb5896c083cc3ac.exe
- Size
  
  948KB
- MD5
  
  8545b3c5f346723524e6dd29bfe64083
- SHA1
  
  e864f9c2d68edb928217325e5c8e8cc5eb86dc3f
- SHA256
  
  6bd3a312c22fe9fa71fb2ace3f5ec6e8cdfc06a22a0d31f6bcb5896c083cc3ac
- SHA512
  
  42fe1fbdd7ac210f331fd7da891c75509a8271bda0b6816facc4f8d6220fa51525d94d48a97e824e5d5ee4949309592324ab24a9b58a579e79d66aaf7d4cf696
- SSDEEP
  
  24576:Iky9IISJqTZPEeqJa5E7Om5Fi5EuyuqUc+3l9:Y2eoam5FS9q
Score

10^/10

netwire zgrat botnet rat stealer persistence
- Detect ZGRat V1
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

netwirezgratbotnetratstealer

behavioral2

netwirezgratbotnetpersistenceratstealer

© 2018-2024

Terms | Privacy