netwire | 3a6d5150486d015dfa8916607c7f2f0bdd0ddd97fe4b11f15afecc40eab87a5f | Triage

Submit
Reports

Overview

overview

Static

static

3

193d1bb9c6...18.exe

windows7-x64

193d1bb9c6...18.exe

windows10-2004-x64

Sharing

General

Target

193d1bb9c609ef883a556d3c8c3e789b_JaffaCakes118
Size

503KB
Sample

240505-zrv1radg4s
MD5

193d1bb9c609ef883a556d3c8c3e789b
SHA1

a6aa05f46170ab543f9122f043cf3b28fccb871c
SHA256

3a6d5150486d015dfa8916607c7f2f0bdd0ddd97fe4b11f15afecc40eab87a5f
SHA512

44631124a67e948f1ed0d71250837aaaedc7f571e3c607e2536aa0ac66700e416c43be97bd2124a3c613d955925c182027f051d6785ee44510e9c6af74862507
SSDEEP

6144:51StmT+sbAyX58ZPCVuif1StmT+sbAyX58ZPCVuiu+mKCJ90D+Y7a0h66549:58yIy581Qv8yIy581QS/w49

Score

10^/10

netwire zgrat agilenet botnet persistence rat stealer

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

193d1bb9c609ef883a556d3c8c3e789b_JaffaCakes118.exe

Resource

win7-20240221-en

netwire zgrat agilenet botnet persistence rat stealer

windows7-x64

11 signatures

150 seconds

Behavioral task

behavioral2

Sample

193d1bb9c609ef883a556d3c8c3e789b_JaffaCakes118.exe

Resource

win10v2004-20240419-en

netwire zgrat agilenet botnet persistence rat stealer

windows10-2004-x64

12 signatures

150 seconds

Malware Config

Extracted

Family

netwire

C2

79.172.242.33:4068

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
Elibee88
registry_autorun
false
use_mutex
false

Targets

- Target
  
  193d1bb9c609ef883a556d3c8c3e789b_JaffaCakes118
- Size
  
  503KB
- MD5
  
  193d1bb9c609ef883a556d3c8c3e789b
- SHA1
  
  a6aa05f46170ab543f9122f043cf3b28fccb871c
- SHA256
  
  3a6d5150486d015dfa8916607c7f2f0bdd0ddd97fe4b11f15afecc40eab87a5f
- SHA512
  
  44631124a67e948f1ed0d71250837aaaedc7f571e3c607e2536aa0ac66700e416c43be97bd2124a3c613d955925c182027f051d6785ee44510e9c6af74862507
- SSDEEP
  
  6144:51StmT+sbAyX58ZPCVuif1StmT+sbAyX58ZPCVuiu+mKCJ90D+Y7a0h66549:58yIy581Qv8yIy581QS/w49
Score

10^/10

netwire zgrat agilenet botnet persistence rat stealer
- Detect ZGRat V1
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

netwirezgratagilenetbotnetpersistenceratstealer

behavioral2

netwirezgratagilenetbotnetpersistenceratstealer

© 2018-2024

Terms | Privacy