netwire | 3a6d5150486d015dfa8916607c7f2f0bdd0ddd97fe4b11f15afecc40eab87a5f | Triage

Submit
Reports

Overview

overview

Static

static

3

193d1bb9c6...18.exe

windows7-x64

193d1bb9c6...18.exe

windows10-2004-x64

Sharing

General

Target

193d1bb9c609ef883a556d3c8c3e789b_JaffaCakes118
Size

503KB
Sample

240505-zrv1radg4s
MD5

193d1bb9c609ef883a556d3c8c3e789b
SHA1

a6aa05f46170ab543f9122f043cf3b28fccb871c
SHA256

3a6d5150486d015dfa8916607c7f2f0bdd0ddd97fe4b11f15afecc40eab87a5f
SHA512

44631124a67e948f1ed0d71250837aaaedc7f571e3c607e2536aa0ac66700e416c43be97bd2124a3c613d955925c182027f051d6785ee44510e9c6af74862507
SSDEEP

6144:51StmT+sbAyX58ZPCVuif1StmT+sbAyX58ZPCVuiu+mKCJ90D+Y7a0h66549:58yIy581Qv8yIy581QS/w49

Score

10^/10

netwire zgrat agilenet botnet persistence rat stealer

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

193d1bb9c609ef883a556d3c8c3e789b_JaffaCakes118.exe

Resource

win7-20240221-en

netwire zgrat agilenet botnet persistence rat stealer

windows7-x64

11 signatures

150 seconds

Behavioral task

behavioral2

Sample

193d1bb9c609ef883a556d3c8c3e789b_JaffaCakes118.exe

Resource

win10v2004-20240419-en

netwire zgrat agilenet botnet persistence rat stealer

windows10-2004-x64

12 signatures

150 seconds

Malware Config

Extracted

Family

netwire

C2

79.172.242.33:4068

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
Elibee88
registry_autorun
false
use_mutex
false

Targets

- Target
  
  193d1bb9c609ef883a556d3c8c3e789b_JaffaCakes118
- Size
  
  503KB
- MD5
  
  193d1bb9c609ef883a556d3c8c3e789b
- SHA1
  
  a6aa05f46170ab543f9122f043cf3b28fccb871c
- SHA256
  
  3a6d5150486d015dfa8916607c7f2f0bdd0ddd97fe4b11f15afecc40eab87a5f
- SHA512
  
  44631124a67e948f1ed0d71250837aaaedc7f571e3c607e2536aa0ac66700e416c43be97bd2124a3c613d955925c182027f051d6785ee44510e9c6af74862507
- SSDEEP
  
  6144:51StmT+sbAyX58ZPCVuif1StmT+sbAyX58ZPCVuiu+mKCJ90D+Y7a0h66549:58yIy581Qv8yIy581QS/w49
Score

10^/10

netwire zgrat agilenet botnet persistence rat stealer
- Detect ZGRat V1
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

netwirezgratagilenetbotnetpersistenceratstealer

behavioral2

netwirezgratagilenetbotnetpersistenceratstealer

© 2018-2024

Terms | Privacy