netwire | d44987e731d424763550dc9fff1fe5717591376162cb3e1aabd1820e71e78122 | Triage

Sharing

General

Target

1517ebc8b397e2dd6734146c98eb3052_JaffaCakes118
Size

177KB
Sample

240505-aeq4laga61
MD5

1517ebc8b397e2dd6734146c98eb3052
SHA1

9cdd6b2532227f40337035c9b5877934e5933024
SHA256

d44987e731d424763550dc9fff1fe5717591376162cb3e1aabd1820e71e78122
SHA512

4a7e2d1df8bd4b8778686f1f96fcb3a14937c59395ff7e70dfa735942f884e80e4b8a6326c2ce8ba10393e19d7a4b414d5e016edd8f7909cd038d689abbb0d3d
SSDEEP

3072:7JxMcrKT7SlP/baNKZrDDwzW57X2Dv1LVg1Y7TGC6IaHyvVVmG3DT:dtqjNKBDDbo161WiD0DD3

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Extracted

Family

netwire

C2

clients.enigmasolutions.xyz:54579

Attributes

activex_autorun
false
copy_executable
true
delete_original
false
host_id
Client-%Rand%
install_path
%AppData%\Microsoft\MMC\rock.exe
keylogger_dir
%AppData%\msr\
lock_executable
false
offline_keylogger
true
password
\tx>N(6H`Om2k/cWJBp,""bUbAd1-0Mg
registry_autorun
true
startup_name
rocker
use_mutex
false

Targets

- Target
  
  1517ebc8b397e2dd6734146c98eb3052_JaffaCakes118
- Size
  
  177KB
- MD5
  
  1517ebc8b397e2dd6734146c98eb3052
- SHA1
  
  9cdd6b2532227f40337035c9b5877934e5933024
- SHA256
  
  d44987e731d424763550dc9fff1fe5717591376162cb3e1aabd1820e71e78122
- SHA512
  
  4a7e2d1df8bd4b8778686f1f96fcb3a14937c59395ff7e70dfa735942f884e80e4b8a6326c2ce8ba10393e19d7a4b414d5e016edd8f7909cd038d689abbb0d3d
- SSDEEP
  
  3072:7JxMcrKT7SlP/baNKZrDDwzW57X2Dv1LVg1Y7TGC6IaHyvVVmG3DT:dtqjNKBDDbo161WiD0DD3
Score

10^/10

netwire botnet rat stealer persistence
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

netwirebotnetratstealer

behavioral2

netwirebotnetpersistenceratstealer