netwire | 507e3fe13e1cf3f67437eb9f895b647972127060c42521dfd93a63f32e6613cd | Triage

Sharing

General

Target

6cbbc14281cc1a523768e08fdf560ca5_JaffaCakes118
Size

444KB
Sample

240724-zn449aweqn
MD5

6cbbc14281cc1a523768e08fdf560ca5
SHA1

2f7500d8ac1daac3a01db854ab3290a60bab0da7
SHA256

507e3fe13e1cf3f67437eb9f895b647972127060c42521dfd93a63f32e6613cd
SHA512

3564c9f57e31f7b5d349d925f11835567ea90aab47a78850f23c397d5bb902325a0502a972923eee5fc6af736b6e9f309bffdfa9e8e7f382e3f40459ce994829
SSDEEP

6144:k1lcF4A2Dwx13Vi7ACOmnjC/+80k/4CLzzFuuuTH7Mcs1l:k1GFfDx13V/hmjC6I4nHs1

Score

10^/10

netwire botnet discovery persistence rat stealer

Malware Config

Extracted

Family

netwire

C2

sidney414.ddns.net:3360

Attributes

activex_autorun
true
activex_key
{HLRSYIV2-UPR1-G7GV-UHX0-4EWC16NR0VT4}
copy_executable
true
delete_original
false
host_id
HostId-%Rand%
install_path
%AppData%\Isati\Isati.exe
keylogger_dir
%AppData%\Isati\Logs\
lock_executable
false
offline_keylogger
true
password
Password
registry_autorun
true
startup_name
WDBNMBYSBNB
use_mutex
false

Targets

- Target
  
  6cbbc14281cc1a523768e08fdf560ca5_JaffaCakes118
- Size
  
  444KB
- MD5
  
  6cbbc14281cc1a523768e08fdf560ca5
- SHA1
  
  2f7500d8ac1daac3a01db854ab3290a60bab0da7
- SHA256
  
  507e3fe13e1cf3f67437eb9f895b647972127060c42521dfd93a63f32e6613cd
- SHA512
  
  3564c9f57e31f7b5d349d925f11835567ea90aab47a78850f23c397d5bb902325a0502a972923eee5fc6af736b6e9f309bffdfa9e8e7f382e3f40459ce994829
- SSDEEP
  
  6144:k1lcF4A2Dwx13Vi7ACOmnjC/+80k/4CLzzFuuuTH7Mcs1l:k1GFfDx13V/hmjC6I4nHs1
Score

10^/10

netwire botnet discovery persistence rat stealer
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

netwirebotnetdiscoverypersistenceratstealer

behavioral2