netwire | e07abb182a17f0aa383972c376849fd46a74f105a2f2c5f949441028a66c5538 | Triage

Submit
Reports

Overview

overview

Static

static

5

fd71393eda...18.exe

windows7-x64

fd71393eda...18.exe

windows10-2004-x64

Sharing

General

Target

fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118
Size

852KB
Sample

240420-xv42qaff48
MD5

fd71393eda58df36ee3618f526ffb3e0
SHA1

0d1a0cd0660099f34f8620dd7b338b0b6ab3671d
SHA256

e07abb182a17f0aa383972c376849fd46a74f105a2f2c5f949441028a66c5538
SHA512

b22aed4b27466d9bde1236bf7643e8f81c148e9f4e7bce92b93abb9513b61935bd4fdb6648ffa5338f395f38a90fbbd11fb410dd80f82755093c5a15dceaadd3
SSDEEP

24576:iRmJkcoQricOIQxiZY1iaSAD00jSORI6Ttm8:3JZoQrbTFZY1iaSADmO

Score

10^/10

netwire botnet persistence rat stealer upx

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe

Resource

win7-20240220-en

netwire botnet rat stealer upx

windows7-x64

12 signatures

150 seconds

Behavioral task

behavioral2

Sample

fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe

Resource

win10v2004-20240412-en

netwire botnet persistence rat stealer upx

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Extracted

Family

netwire

C2

benti.ddns.net:3350

Attributes

activex_autorun
true
activex_key
{2FMC35P2-J0LB-143R-SR61-UGN00XFQ045P}
copy_executable
true
delete_original
false
host_id
HostId-%Rand%
install_path
%AppData%\Install\Host.exe
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
Password
registry_autorun
true
startup_name
Adobe
use_mutex
false

Targets

- Target
  
  fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118
- Size
  
  852KB
- MD5
  
  fd71393eda58df36ee3618f526ffb3e0
- SHA1
  
  0d1a0cd0660099f34f8620dd7b338b0b6ab3671d
- SHA256
  
  e07abb182a17f0aa383972c376849fd46a74f105a2f2c5f949441028a66c5538
- SHA512
  
  b22aed4b27466d9bde1236bf7643e8f81c148e9f4e7bce92b93abb9513b61935bd4fdb6648ffa5338f395f38a90fbbd11fb410dd80f82755093c5a15dceaadd3
- SSDEEP
  
  24576:iRmJkcoQricOIQxiZY1iaSAD00jSORI6Ttm8:3JZoQrbTFZY1iaSADmO
Score

10^/10

netwire botnet rat stealer upx persistence
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Modifies Installed Components in the registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

netwirebotnetratstealerupx

behavioral2

netwirebotnetpersistenceratstealerupx

© 2018-2025

Terms | Privacy