netwire | 2566d37d333be3c5a3492e43d3063693d871da852f3d205e677720221e90926f | Triage

Submit
Reports

Overview

overview

Static

static

1

1c97bcdc6e...18.exe

windows7-x64

1c97bcdc6e...18.exe

windows10-2004-x64

Sharing

General

Target

1c97bcdc6e17cfb15b2af3195d8b1483_JaffaCakes118
Size

307KB
Sample

240506-p6z8xacc3t
MD5

1c97bcdc6e17cfb15b2af3195d8b1483
SHA1

db90a3c91ea56ff28cab23102ad888ab4f948862
SHA256

2566d37d333be3c5a3492e43d3063693d871da852f3d205e677720221e90926f
SHA512

4d74c4a5661d6094cd65af61c3817f6111d79bbe50237275b0e3472d273beb82be2946ce8c1785a04a5d34d649655ef08f6ce3d59a57c9138e076e2f3ee8ef0e
SSDEEP

6144:lI5f9bJi0dHALTwN6yn60jhl91B1bFKOI4WytGJm05kYlBB:lI5VbZALTRynvvLbFKJytCD

Score

10^/10

netwire botnet persistence rat stealer upx

Static task

static1

Behavioral task

behavioral1

Sample

1c97bcdc6e17cfb15b2af3195d8b1483_JaffaCakes118.exe

Resource

win7-20240220-en

netwire botnet persistence rat stealer upx

windows7-x64

11 signatures

150 seconds

Behavioral task

behavioral2

Sample

1c97bcdc6e17cfb15b2af3195d8b1483_JaffaCakes118.exe

Resource

win10v2004-20240226-en

netwire botnet persistence rat stealer upx

windows10-2004-x64

11 signatures

150 seconds

Malware Config

Extracted

Family

netwire

C2

mommyreal.ddns.net:9595

Attributes

activex_autorun
false
copy_executable
false
delete_original
true
host_id
HostId-%Rand%
keylogger_dir
%AppData%\Logs\
lock_executable
true
offline_keylogger
true
password
mywill12
registry_autorun
true
startup_name
securityscan
use_mutex
false

Targets

- Target
  
  1c97bcdc6e17cfb15b2af3195d8b1483_JaffaCakes118
- Size
  
  307KB
- MD5
  
  1c97bcdc6e17cfb15b2af3195d8b1483
- SHA1
  
  db90a3c91ea56ff28cab23102ad888ab4f948862
- SHA256
  
  2566d37d333be3c5a3492e43d3063693d871da852f3d205e677720221e90926f
- SHA512
  
  4d74c4a5661d6094cd65af61c3817f6111d79bbe50237275b0e3472d273beb82be2946ce8c1785a04a5d34d649655ef08f6ce3d59a57c9138e076e2f3ee8ef0e
- SSDEEP
  
  6144:lI5f9bJi0dHALTwN6yn60jhl91B1bFKOI4WytGJm05kYlBB:lI5VbZALTRynvvLbFKJytCD
Score

10^/10

netwire botnet persistence rat stealer upx
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- ACProtect 1.3x - 1.4x DLL software
  Detects file using ACProtect software.
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

netwirebotnetpersistenceratstealerupx

behavioral2

netwirebotnetpersistenceratstealerupx

© 2018-2025

Terms | Privacy