netwire | 423912db90614b34b7205595d44ed735837d451c451d3bc96ddaca14f6e5275b | Triage

Sharing

General

Target

2ff1ea83004a85f7130028e60ecd60c5_JaffaCakes118
Size

148KB
Sample

240510-tlb3sshc69
MD5

2ff1ea83004a85f7130028e60ecd60c5
SHA1

5603d8e37046c0239e7689b02e301eafd828ed5f
SHA256

423912db90614b34b7205595d44ed735837d451c451d3bc96ddaca14f6e5275b
SHA512

b977e6686832ed12740a7b41a5c8eb9896d87ee8163023dbca8ee5c3a884c2e20df5c626f2bfffe13254125eb6a1acf09b8a247eea44aaa1ee2e90a34cad2f92
SSDEEP

3072:0XFgYEAsB4+Cb3iiDUCcmE90rvPkGK+drYYMRFfS:0XGYEVat3iiDUCcf+rEG5uzRFf

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Extracted

Family

netwire

C2

216.170.114.99:42221

79.134.225.88:54361

Attributes

activex_autorun
false
copy_executable
true
delete_original
true
host_id
HostId-%Rand%
install_path
%AppData%\Install\Host.exe
keylogger_dir
%AppData%\Logs\
lock_executable
true
mutex
rpQkdcFx
offline_keylogger
true
password
Bt4j%'6>hQ~X
registry_autorun
true
startup_name
System-Updates
use_mutex
true

Targets

- Target
  
  2ff1ea83004a85f7130028e60ecd60c5_JaffaCakes118
- Size
  
  148KB
- MD5
  
  2ff1ea83004a85f7130028e60ecd60c5
- SHA1
  
  5603d8e37046c0239e7689b02e301eafd828ed5f
- SHA256
  
  423912db90614b34b7205595d44ed735837d451c451d3bc96ddaca14f6e5275b
- SHA512
  
  b977e6686832ed12740a7b41a5c8eb9896d87ee8163023dbca8ee5c3a884c2e20df5c626f2bfffe13254125eb6a1acf09b8a247eea44aaa1ee2e90a34cad2f92
- SSDEEP
  
  3072:0XFgYEAsB4+Cb3iiDUCcmE90rvPkGK+drYYMRFfS:0XGYEVat3iiDUCcf+rEG5uzRFf
Score

10^/10

netwire botnet persistence rat stealer
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

netwirebotnetpersistenceratstealer

behavioral2

netwirebotnetpersistenceratstealer