netwire | 65af1a9718f5cf882f79e082f3ac8121df3e21d135372dceabe434efeb3882a5 | Triage

Sharing

General

Target

5b3721eddf6a88a8f0aaff6028e9583f_JaffaCakes118
Size

4.1MB
Sample

240519-ytvmbsfd42
MD5

5b3721eddf6a88a8f0aaff6028e9583f
SHA1

5b7147565513c79e94693d46b80a30907071345b
SHA256

65af1a9718f5cf882f79e082f3ac8121df3e21d135372dceabe434efeb3882a5
SHA512

6ce34ebb12af309abdaae8eb6c8d627aa8cb1bdfa94a253e9cd11a8529dd240b55847207a5b1fb040897908bc3c798f52557394b8798c19ef8f26f006af42880
SSDEEP

24576:ZwjAJlKf5XQY36WOFRQdZIp2FxvNEtXcPCl99Sr5zUPGLG5SvAMZAMg:oMlKf5XQY3vObYJxvW9cPy99SNzY

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Extracted

Family

netwire

C2

sefb.hopto.org:2035

Attributes

activex_autorun
false
copy_executable
true
delete_original
false
host_id
flit
install_path
%AppData%\flit\flit.exe
keylogger_dir
%AppData%\flit\
lock_executable
true
mutex
EwlohRSK
offline_keylogger
true
password
Password
registry_autorun
true
startup_name
flit
use_mutex
true

Targets

- Target
  
  5b3721eddf6a88a8f0aaff6028e9583f_JaffaCakes118
- Size
  
  4.1MB
- MD5
  
  5b3721eddf6a88a8f0aaff6028e9583f
- SHA1
  
  5b7147565513c79e94693d46b80a30907071345b
- SHA256
  
  65af1a9718f5cf882f79e082f3ac8121df3e21d135372dceabe434efeb3882a5
- SHA512
  
  6ce34ebb12af309abdaae8eb6c8d627aa8cb1bdfa94a253e9cd11a8529dd240b55847207a5b1fb040897908bc3c798f52557394b8798c19ef8f26f006af42880
- SSDEEP
  
  24576:ZwjAJlKf5XQY36WOFRQdZIp2FxvNEtXcPCl99Sr5zUPGLG5SvAMZAMg:oMlKf5XQY3vObYJxvW9cPy99SNzY
Score

10^/10

netwire botnet persistence rat stealer
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

netwirebotnetpersistenceratstealer

behavioral2

netwirebotnetpersistenceratstealer