netwire | ca9febc756389fc99c2977236e8fca8b7787c11d8def8c2551ddd7fa73451b24 | Triage

Submit
Reports

Overview

overview

Static

static

5

SWIFT_Lloy...DF.exe

windows7-x64

SWIFT_Lloy...DF.exe

windows10-2004-x64

Sharing

General

Target

a70e2a6eeb4ccf7799d0411d5553f907_JaffaCakes118
Size

771KB
Sample

240818-r28qlaybph
MD5

a70e2a6eeb4ccf7799d0411d5553f907
SHA1

5c6da3e8b7883db4d7398fff29bbe16923feaa13
SHA256

ca9febc756389fc99c2977236e8fca8b7787c11d8def8c2551ddd7fa73451b24
SHA512

00d00fce85833e7681ba61b25634af616a5e7f72638d46db63df9d7dc7719f1148aa8f3b6c8ac810a79240d68d34ca4ba8ecb0ba9cc311246f712d1d8a9fdaf8
SSDEEP

12288:Ve0e/j023g1H+e8/yM2okVGHORYZapIIXLRMbk/eMSAW3+jNM6Nk8wXK8Pi0w7FJ:Y0tsqWNkEHCppNMVj3Qk8wXKQ3cx2ZMd

Score

10^/10

netwire botnet discovery persistence rat stealer

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

SWIFT_LloydsBankTsb_FobShenzen00481_PDF.exe

Resource

win7-20240705-en

netwire botnet discovery persistence rat stealer

windows7-x64

14 signatures

150 seconds

Behavioral task

behavioral2

Sample

SWIFT_LloydsBankTsb_FobShenzen00481_PDF.exe

Resource

win10v2004-20240802-en

netwire botnet discovery persistence rat stealer

windows10-2004-x64

13 signatures

150 seconds

Malware Config

Extracted

Family

netwire

C2

lecanoffice.dynu.net:2202

Attributes

activex_autorun
true
activex_key
{5GNR66Y3-78Y4-PMYQ-E1H8-05IS5JYJRW17}
copy_executable
true
delete_original
false
host_id
HostId-%Rand%
install_path
%AppData%\Install\Host.exe
keylogger_dir
%AppData%\Logs\
lock_executable
true
mutex
lolkFUKd
offline_keylogger
true
password
gfffffytt
registry_autorun
true
startup_name
image
use_mutex
true

Targets

- Target
  
  SWIFT_LloydsBankTsb_FobShenzen00481_PDF.exe
- Size
  
  1.3MB
- MD5
  
  ced3d9cf743d3b0f37bbd5bfef4e3e8b
- SHA1
  
  b0ae983b4971573ec25c993fb3c2ac2baeb0ba8b
- SHA256
  
  b2d0f86886d771c347e71081e9e46bfe8f4b533e6d354f9defd2c745741a6fa5
- SHA512
  
  49fc19909760f56331cf602fae889d854c22024ec837070dd642596e9fba8c3cf3f72c806874ed3c38092b29f3b74f0ec4a8d8b04cedda6547c9b4bd5663b4ac
- SSDEEP
  
  24576:EAHnh+eWsN3skA4RV1Hom2KXMmHabGAtm/2zPAHpjeCF85:Th+ZkldoPK8Ya/zYJa
Score

10^/10

netwire botnet discovery persistence rat stealer
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

netwirebotnetdiscoverypersistenceratstealer

behavioral2

netwirebotnetdiscoverypersistenceratstealer

© 2018-2025

Terms | Privacy