netwire

General

Target

53a4b209d81b45c67cd791c1a429df21_JaffaCakes118
Size

266KB
Sample

240518-jhvevsaa67
MD5

53a4b209d81b45c67cd791c1a429df21
SHA1

c157e1beae589b519e559fc5a78faf6d5b0796cd
SHA256

0fb776dfd1dd66182b61bbe38e46c84576ccd1aacb50cf5d4756309f140182df
SHA512

f31b157e15d8eed6a41d5538707480a864464f22c80d726893cd45e1f8319eba23b8e9dfb54f0fd97696bb6746220ba7feb5e22970d2ded1c6d572ab08b3e3e0
SSDEEP

6144:LVaox2YpFfaF18xubk+NNlSEg4ryfzAjCVkQnZwLlTixxIf8kPdRxuIZakO:L1xlzOk+QEUEz8wLlgx2Txuh

Score

10^/10

Malware Config

Extracted

Family

netwire

C2

sadsix.sytes.net:4454

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
Avengers11
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
Dtk/8eaZ`^
registry_autorun
false
use_mutex
false

Targets

- Target
  
  Purchase Order No.20160612.pdf.exe
- Size
  
  379KB
- MD5
  
  f8b90e7d462b33056bac96625581cf4d
- SHA1
  
  f924cda374887e26d50432583f1858423fc05f95
- SHA256
  
  e9e6244acfbfa9b85b1fdfcd33edc0036469045f7632ebc8ac581949905cae74
- SHA512
  
  1b046adad63b86407a339d032c79fd23b7724e95df01234f22e587fc235dcbb7e6e7aa365dca564a2bb9461baac9dafd522583ce0c6d1888d06084d2daf0b8cc
- SSDEEP
  
  6144:QSUomEUi3+sMZ3xEYIrQ3XF43K4o76rMfzAjbf4nZQLtDixxsf8kPtRxuIja4W:BUomEFRu3xEPE2MVEnfkQLtwxKzxu3
Score

10^/10

netwire botnet rat stealer
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

NetWire RAT payload

Checks computer location settings

Drops startup file

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2