netwire | fc3b2a50352fab294532c5b5d47eabad3666ab1f9f1f0b93623ea04aa7900d63 | Triage

Submit
Reports

Overview

overview

Static

static

1

2d00003c0d...18.ps1

windows7-x64

7

2d00003c0d...18.ps1

windows10-2004-x64

Sharing

General

Target

2d00003c0d86798183486ea89dbc3c80_JaffaCakes118
Size

518KB
Sample

240510-denv1seh6s
MD5

2d00003c0d86798183486ea89dbc3c80
SHA1

444c4a01af009d7050497da80a5553a1ed55ee52
SHA256

fc3b2a50352fab294532c5b5d47eabad3666ab1f9f1f0b93623ea04aa7900d63
SHA512

9b885f8fe99f1d84ca461d2117e8baefed1d9cc9ea09b8066537b74792b98ffffbfd36fb7e237f823914e92067a8bbc6be1d289345010f3c8153e2ff3e635c9a
SSDEEP

12288:yJpB/QIVLIOZfLvoEdpMmjvevlkrlLBAZbIBHdhzh:yJpB/TLIOlLJpB

Score

10^/10

netwire agilenet botnet execution rat stealer

Static task

static1

Behavioral task

behavioral1

Sample

2d00003c0d86798183486ea89dbc3c80_JaffaCakes118.ps1

Resource

win7-20240220-en

agilenet execution

windows7-x64

7 signatures

150 seconds

Behavioral task

behavioral2

Sample

2d00003c0d86798183486ea89dbc3c80_JaffaCakes118.ps1

Resource

win10v2004-20240226-en

netwire agilenet botnet execution rat stealer

windows10-2004-x64

11 signatures

150 seconds

Malware Config

Extracted

Family

netwire

C2

kmzexport.duckdns.org:3360

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-05net
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
ODEeiCTr
offline_keylogger
true
password
alaba3
registry_autorun
false
use_mutex
true

Targets

- Target
  
  2d00003c0d86798183486ea89dbc3c80_JaffaCakes118
- Size
  
  518KB
- MD5
  
  2d00003c0d86798183486ea89dbc3c80
- SHA1
  
  444c4a01af009d7050497da80a5553a1ed55ee52
- SHA256
  
  fc3b2a50352fab294532c5b5d47eabad3666ab1f9f1f0b93623ea04aa7900d63
- SHA512
  
  9b885f8fe99f1d84ca461d2117e8baefed1d9cc9ea09b8066537b74792b98ffffbfd36fb7e237f823914e92067a8bbc6be1d289345010f3c8153e2ff3e635c9a
- SSDEEP
  
  12288:yJpB/QIVLIOZfLvoEdpMmjvevlkrlLBAZbIBHdhzh:yJpB/TLIOlLJpB
Score

10^/10

agilenet execution netwire botnet rat stealer
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

agilenetexecution

behavioral2

netwireagilenetbotnetexecutionratstealer

© 2018-2024

Terms | Privacy