netwire | c8f71c7078e8667e79d827762ad65bcbc311195da00e87df782a30424e6f93af | Triage

Sharing

General

Target

acb2840b575bd538efdd76ada3a603a2_JaffaCakes118
Size

1022KB
Sample

240615-dmrxmsxdjf
MD5

acb2840b575bd538efdd76ada3a603a2
SHA1

e871d22c8443eb556e897d18d77e6e8ead667cce
SHA256

c8f71c7078e8667e79d827762ad65bcbc311195da00e87df782a30424e6f93af
SHA512

e938e85070bc9e30cb3a9690c35dea55da4389cb30621c163f35170570ee6a245f2b2b1376bcdfaf3e070b83a9cb3cd72cc5639e19bd12247903abd547109a75
SSDEEP

1536:4Wp4doeVY9nzccb43+o/20t5Yrpq/nvR803E58XK5MhGJ/fYWCJzw8YeEvi7gaF3:rGoxzA3+o/20t5YIvHuImoP0vtuF4q

Score

10^/10

netwire njrat hacked botnet evasion persistence rat stealer trojan

Malware Config

Extracted

Family

netwire

C2

91.192.100.3:1199

Attributes

activex_autorun
true
activex_key
{0841AJ8U-8PI0-YXLN-18O6-2786QVLQ43VL}
copy_executable
true
delete_original
false
host_id
Bushbush
install_path
%AppData%\Install\Host.exe
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
QKiFRiUe
offline_keylogger
true
password
Password
registry_autorun
true
startup_name
Avast
use_mutex
true

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

91.192.100.3:1406

Mutex

b6d8b4f8ec6a24a915c0dbdb3f24d168

Attributes

reg_key
b6d8b4f8ec6a24a915c0dbdb3f24d168
splitter
|'|'|

Targets

- Target
  
  acb2840b575bd538efdd76ada3a603a2_JaffaCakes118
- Size
  
  1022KB
- MD5
  
  acb2840b575bd538efdd76ada3a603a2
- SHA1
  
  e871d22c8443eb556e897d18d77e6e8ead667cce
- SHA256
  
  c8f71c7078e8667e79d827762ad65bcbc311195da00e87df782a30424e6f93af
- SHA512
  
  e938e85070bc9e30cb3a9690c35dea55da4389cb30621c163f35170570ee6a245f2b2b1376bcdfaf3e070b83a9cb3cd72cc5639e19bd12247903abd547109a75
- SSDEEP
  
  1536:4Wp4doeVY9nzccb43+o/20t5Yrpq/nvR803E58XK5MhGJ/fYWCJzw8YeEvi7gaF3:rGoxzA3+o/20t5YIvHuImoP0vtuF4q
Score

10^/10

netwire njrat hacked botnet evasion persistence rat stealer trojan
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Installed Components in the registry
  persistence
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

netwirenjrathackedbotnetevasionpersistenceratstealertrojan

behavioral2

netwirenjratbotnetevasionpersistenceratstealertrojan