netwire | e13b4c9650eb2f690fb8348ef33cf84539cf8aabc46be50224875224038f66fc | Triage

Submit
Reports

Overview

overview

Static

static

3

Skan Potwi...DF.exe

windows7-x64

Skan Potwi...DF.exe

windows10-2004-x64

Sharing

General

Target

ad205ce75286dc2a81ad18357e0ddcfe_JaffaCakes118
Size

89KB
Sample

240615-gynada1arh
MD5

ad205ce75286dc2a81ad18357e0ddcfe
SHA1

1234979825dfeff32a98856af736bba0aa8db1fb
SHA256

e13b4c9650eb2f690fb8348ef33cf84539cf8aabc46be50224875224038f66fc
SHA512

cdb36cb99e4be786a9e2694d56073c2da35d71cb5ba35ef7305a3a14a2ecefa211cc4dd4a2f24d420ba79cbe92cd6aff74e69604e5e0e0ec4bcb7147623d2a3a
SSDEEP

1536:KGtV+1gz4UnJLW4ix+9RJQH35bmwqgjQetXsndVpQo5vUXu/MvhndHhz1:KGLAggZz5iwqwqdV2ocRthz1

Score

10^/10

netwire botnet persistence rat stealer

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

Skan Potwierdzenia.PDF.exe

Resource

win7-20240508-en

netwire botnet persistence rat stealer

windows7-x64

8 signatures

150 seconds

Behavioral task

behavioral2

Sample

Skan Potwierdzenia.PDF.exe

Resource

win10v2004-20240611-en

netwire botnet persistence rat stealer

windows10-2004-x64

7 signatures

150 seconds

Malware Config

Extracted

Family

netwire

C2

213.152.162.165:8747

109.202.107.15:8747

213.152.161.117:8747

213.152.161.229:8747

213.152.161.181:8747

37.233.101.73:5555

213.152.162.165:8733

213.152.161.117:8733

213.152.161.229:8733

213.152.161.165:8733

213.152.161.181:8733

Attributes

activex_autorun
true
activex_key
{N2P3036X-0CS1-AM05-7POW-541S3F314Q84}
copy_executable
true
delete_original
true
host_id
03.23
install_path
%AppData%\Install\Host.exe
keylogger_dir
%AppData%\Logs\
lock_executable
true
mutex
vvvbljPv
offline_keylogger
true
password
Mojekurwajebaneboty666
registry_autorun
true
startup_name
sys
use_mutex
true

Targets

- Target
  
  Skan Potwierdzenia.PDF.exe
- Size
  
  128KB
- MD5
  
  14395ac904015c1ca1ccb42df80a1859
- SHA1
  
  781bcb5596fbcdaaa998ab77b4621c1000393fbd
- SHA256
  
  0c141c1fe62782cb78e70d7c57a7b7d07b26a93ee058d271ff7f2fe4c04bfef3
- SHA512
  
  a8a7c54725c7803ee4da2d7afcbdf52de21faa1567fa46545c4b3b20c4909d110fa7ee356a84d53554660ea32bdde7f7108b6071c7121c9c7ee9a6275cdd8274
- SSDEEP
  
  3072:AsiXMqGmeABs/iOQlQF0fZyq/pRPFQrQKO854:BiRGzDB8MEptaO24
Score

10^/10

netwire botnet persistence rat stealer
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Modifies Installed Components in the registry
  persistence
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

netwirebotnetpersistenceratstealer

behavioral2

netwirebotnetpersistenceratstealer

© 2018-2025

Terms | Privacy