netwire | 7ae486a4a27e98371227d93d73864bfff7ace8a2e87130b0915466c8ab845416 | Triage

Sharing

General

Target

3c89d6a3627be971f8719ba540a05d5f_JaffaCakes118
Size

1023KB
Sample

240513-zraptaea39
MD5

3c89d6a3627be971f8719ba540a05d5f
SHA1

163c97a6b6b77438481a6ff67ac1aadfbc9a870b
SHA256

7ae486a4a27e98371227d93d73864bfff7ace8a2e87130b0915466c8ab845416
SHA512

99e1805558cbd1de4261b8a7ea9bc6af59abddfa57dd11f9e0891073a5db1462df60d6f89fcaa464add62141cd91138064cc3bdb7b80aa16a2916d1204c93009
SSDEEP

24576:M7lMVei/oEA0v9fRpQIgKJwsPfKQUP/6a8VTv+5KKSQMFQF+:klMVeQoEA0v9fRqBawsnTUK3Vj2KnQMX

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Extracted

Family

netwire

C2

tats2lou.ddns.net:3122

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
Password
registry_autorun
false
use_mutex
false

Targets

- Target
  
  Documents.scr
- Size
  
  1.1MB
- MD5
  
  593aeac80c036d5c582b7401ebea4bee
- SHA1
  
  4440e909d855dc00a9b488bd066d4677e3258d52
- SHA256
  
  0686b879b7202d29274f7d6cc2e1a46beef12a3cc831cccbae97ddd96218d809
- SHA512
  
  f0c3ca04a3b0a3cb56e06dee182fadb52f6de2eb1dfec8a53337bbca7c365a17e088d3ba3f74c756f51a60ddd5d6f0b0d2e07c37f0c2bcb96764267ad5b6697d
- SSDEEP
  
  24576:6NA3R5drXLmpdOA0NXfvhQIMmJwCPfKCUf/omu17h+hK+AQMBQFFGs7f:z5LmOA0NXfvyvWwCnjUu1F+KbQMBcFGK
Score

10^/10

netwire botnet persistence rat stealer
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

netwirebotnetpersistenceratstealer

behavioral2

netwirebotnetpersistenceratstealer