netwire | 8bf55016ba6177159c0747d3638934ba6063a5ebc62cc11807e6b066f50ad4f5 | Triage

Submit
Reports

Overview

overview

Static

static

3

0243af48ee...18.exe

windows7-x64

0243af48ee...18.exe

windows10-2004-x64

Sharing

General

Target

0243af48ee2048b33399f9c28ef60573_JaffaCakes118
Size

743KB
Sample

240427-dgf8ysae2z
MD5

0243af48ee2048b33399f9c28ef60573
SHA1

b821e1d5c27d4d9544ce7104f4beda5544c54b5c
SHA256

8bf55016ba6177159c0747d3638934ba6063a5ebc62cc11807e6b066f50ad4f5
SHA512

f5615e73cf1f82bca2e186853adcc92e7c6cf2c3e5f71046a58986d3279d695b07eef0ffc904db54bb9decc9ea24450cf877062481366628ceb35d1dd408b73e
SSDEEP

12288:+egKZUkFIEgHDQ9toe39h6XvK5JIallT4bM9+x4B60O2SprvvZhkVRJg9Q:+egKZUkFIEgHDKtoeD/JJrT4bEI0O2Y8

Score

10^/10

netwire botnet persistence rat stealer

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

0243af48ee2048b33399f9c28ef60573_JaffaCakes118.exe

Resource

win7-20231129-en

netwire botnet persistence rat stealer

windows7-x64

9 signatures

150 seconds

Behavioral task

behavioral2

Sample

0243af48ee2048b33399f9c28ef60573_JaffaCakes118.exe

Resource

win10v2004-20240226-en

netwire botnet persistence rat stealer

windows10-2004-x64

9 signatures

150 seconds

Malware Config

Extracted

Family

netwire

C2

kyelines.ddns.net:3465

Attributes

activex_autorun
true
activex_key
{6Y8K87H3-332D-HH14-Y518-5R514072P365}
copy_executable
true
delete_original
false
host_id
HostId-%Rand%
install_path
%AppData%\Install\Host.exe
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
WtJimKxE
offline_keylogger
true
password
Password
registry_autorun
true
startup_name
NetWire
use_mutex
true

Targets

- Target
  
  0243af48ee2048b33399f9c28ef60573_JaffaCakes118
- Size
  
  743KB
- MD5
  
  0243af48ee2048b33399f9c28ef60573
- SHA1
  
  b821e1d5c27d4d9544ce7104f4beda5544c54b5c
- SHA256
  
  8bf55016ba6177159c0747d3638934ba6063a5ebc62cc11807e6b066f50ad4f5
- SHA512
  
  f5615e73cf1f82bca2e186853adcc92e7c6cf2c3e5f71046a58986d3279d695b07eef0ffc904db54bb9decc9ea24450cf877062481366628ceb35d1dd408b73e
- SSDEEP
  
  12288:+egKZUkFIEgHDQ9toe39h6XvK5JIallT4bM9+x4B60O2SprvvZhkVRJg9Q:+egKZUkFIEgHDKtoeD/JJrT4bEI0O2Y8
Score

10^/10

netwire botnet persistence rat stealer
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Modifies Installed Components in the registry
  persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

netwirebotnetpersistenceratstealer

behavioral2

netwirebotnetpersistenceratstealer

© 2018-2024

Terms | Privacy