netwire | 47784ce6e7921afe4bb0022e1439c81376fe198a27586cce65c082d65408e120

Analysis

max time kernel
141s
max time network
120s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
11-05-2024 16:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

35927a59f7571ab1f6fb11e1717f0a66_JaffaCakes118.exe
Size

87KB
MD5

35927a59f7571ab1f6fb11e1717f0a66
SHA1

612f67bf7871417060e14fa510039dc9afebdac7
SHA256

47784ce6e7921afe4bb0022e1439c81376fe198a27586cce65c082d65408e120
SHA512

86a05fecaf42d2eeb8d92644e6f524bf376fc38ca795c31f587c97294f0e8029bcc9c9c42a384d870dc5dc1420d556742fc3a62d96774d83fe82a69c3c86d90a
SSDEEP

1536:Nuq+1rRSm9CPxk6BocyNJ4Qz7lAMul8RkDN5UEPV8aiSfSCJfHJbM:Nuq+1sm8Pxk6YlAMul8yDNpPVu

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Extracted

Family

netwire

eyasdz.ddns.net:2323

Attributes

activex_autorun
true
activex_key
{L76G5SB7-C78O-5SFA-1RB6-0K3576N61051}
copy_executable
false
delete_original
true
host_id
HostId-aOy2su
keylogger_dir
C:\Users\Admin\AppData\Roaming\Logs\
lock_executable
true
offline_keylogger
true
password
Password
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/memory/2388-2-0x0000000000400000-0x0000000000420000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{L76G5SB7-C78O-5SFA-1RB6-0K3576N61051}	35927a59f7571ab1f6fb11e1717f0a66_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{L76G5SB7-C78O-5SFA-1RB6-0K3576N61051}\StubPath = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\35927a59f7571ab1f6fb11e1717f0a66_JaffaCakes118.exe\""	35927a59f7571ab1f6fb11e1717f0a66_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\35927a59f7571ab1f6fb11e1717f0a66_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\35927a59f7571ab1f6fb11e1717f0a66_JaffaCakes118.exe"
1⤵
- Modifies Installed Components in the registry
PID:2388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2388-2-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads