netwire | 8e7b8582e8b53563ec38888812b143e38e7c84316691e35614a441ffbf3e7540 | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

3

bd8d12dcc3...18.exe

windows7-x64

bd8d12dcc3...18.exe

windows10-2004-x64

Sharing

General

Target

bd8d12dcc31a003ee9169088061dfea8_JaffaCakes118
Size

153KB
Sample

240823-3cf5tsshpf
MD5

bd8d12dcc31a003ee9169088061dfea8
SHA1

636dfcdf7a48d84241be6bb463711a6931eebed3
SHA256

8e7b8582e8b53563ec38888812b143e38e7c84316691e35614a441ffbf3e7540
SHA512

6402e08fb22027df5d7c84ed55dbb1cd648d68c730ae12b355db10a9e25adc4b9e0e14ea88e7182f0b3d2aece65f3d19c1fa894b8667507298c573084c760122
SSDEEP

3072:vlhTufPd5UeZI+46kernNhbvB7qmv5Y+jGIAhpvRG:vlMfPTemrXbJ7qI5Y9J5R

Score

10^/10

netwire botnet discovery persistence rat stealer

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

bd8d12dcc31a003ee9169088061dfea8_JaffaCakes118.exe

Resource

win7-20240705-en

netwire botnet discovery persistence rat stealer

windows7-x64

8 signatures

150 seconds

Behavioral task

behavioral2

Sample

bd8d12dcc31a003ee9169088061dfea8_JaffaCakes118.exe

Resource

win10v2004-20240802-en

netwire botnet discovery persistence rat stealer

windows10-2004-x64

8 signatures

150 seconds

Malware Config

Extracted

Family

netwire

C2

127.0.0.1:3360

191.96.249.27:3360

Attributes

activex_autorun
false
copy_executable
true
delete_original
true
host_id
HostId-%Rand%
install_path
%AppData%\Install\mswiner.exe
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
mFTprBPl
offline_keylogger
true
password
1234
registry_autorun
true
startup_name
mswiner
use_mutex
true

Targets

- Target
  
  bd8d12dcc31a003ee9169088061dfea8_JaffaCakes118
- Size
  
  153KB
- MD5
  
  bd8d12dcc31a003ee9169088061dfea8
- SHA1
  
  636dfcdf7a48d84241be6bb463711a6931eebed3
- SHA256
  
  8e7b8582e8b53563ec38888812b143e38e7c84316691e35614a441ffbf3e7540
- SHA512
  
  6402e08fb22027df5d7c84ed55dbb1cd648d68c730ae12b355db10a9e25adc4b9e0e14ea88e7182f0b3d2aece65f3d19c1fa894b8667507298c573084c760122
- SSDEEP
  
  3072:vlhTufPd5UeZI+46kernNhbvB7qmv5Y+jGIAhpvRG:vlMfPTemrXbJ7qI5Y9J5R
Score

10^/10

netwire botnet discovery persistence rat stealer
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

netwirebotnetdiscoverypersistenceratstealer

behavioral2

netwirebotnetdiscoverypersistenceratstealer

© 2018-2025

Terms | Privacy