netwire | 1143ff1525cde3881a8eece914059af66ce9f42da386d0ea586453cbfe33ac35 | Triage

Submit
Reports

Overview

overview

Static

static

1

17432fd27e...18.vbs

windows7-x64

17432fd27e...18.vbs

windows10-2004-x64

Sharing

General

Target

17432fd27e8b58a37f0dc87f187fd187_JaffaCakes118
Size

1.5MB
Sample

240505-mjqd3saf57
MD5

17432fd27e8b58a37f0dc87f187fd187
SHA1

d075ff4fa6d0eaa61bf39e909c60ccfa6cedf879
SHA256

1143ff1525cde3881a8eece914059af66ce9f42da386d0ea586453cbfe33ac35
SHA512

0a0e49dee8ca6955645726bcb05174f8641a9045632a3b012f8eeef1392d61604eb17f3fdc775a87c569800f2faf2f01d19efdd90a553347a689baaa61921b1c
SSDEEP

24576:iGO83g+h1oWAYtrHbuN0ARrV4QQqxPF80Dz:VvuNVxGQPpOez

Score

10^/10

netwire xpertrat work botnet evasion rat stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

17432fd27e8b58a37f0dc87f187fd187_JaffaCakes118.vbs

Resource

win7-20240220-en

netwire xpertrat work botnet evasion rat stealer trojan

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

17432fd27e8b58a37f0dc87f187fd187_JaffaCakes118.vbs

Resource

win10v2004-20240419-en

netwire xpertrat work botnet evasion rat stealer trojan

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Extracted

Family

netwire

C2

manuel3.publicvm.com:3366

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
Mine Netwire
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
TbSYfUnj
offline_keylogger
true
password
Password
registry_autorun
false
use_mutex
true

Extracted

Family

xpertrat

Version

3.0.10

Botnet

Work

C2

127.0.0.1:666

manuel3.publicvm.com:1999

Mutex

E4R7O6I8-U116-J8G5-I0H0-K3H6U8T885I2

Targets

- Target
  
  17432fd27e8b58a37f0dc87f187fd187_JaffaCakes118
- Size
  
  1.5MB
- MD5
  
  17432fd27e8b58a37f0dc87f187fd187
- SHA1
  
  d075ff4fa6d0eaa61bf39e909c60ccfa6cedf879
- SHA256
  
  1143ff1525cde3881a8eece914059af66ce9f42da386d0ea586453cbfe33ac35
- SHA512
  
  0a0e49dee8ca6955645726bcb05174f8641a9045632a3b012f8eeef1392d61604eb17f3fdc775a87c569800f2faf2f01d19efdd90a553347a689baaa61921b1c
- SSDEEP
  
  24576:iGO83g+h1oWAYtrHbuN0ARrV4QQqxPF80Dz:VvuNVxGQPpOez
Score

10^/10

netwire xpertrat work botnet evasion rat stealer trojan
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- UAC bypass
  evasion trojan
- Windows security bypass
  evasion trojan
- XpertRAT
  XpertRAT is a remote access trojan with various capabilities.
  rat xpertrat
- XpertRAT Core payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Abuse Elevation Control Mechanism

Bypass User Account Control

Scheduled Task/Job

Defense Evasion

Abuse Elevation Control Mechanism

Bypass User Account Control

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

netwirexpertratworkbotnetevasionratstealertrojan

behavioral2

netwirexpertratworkbotnetevasionratstealertrojan

© 2018-2024

Terms | Privacy