netwire | fded53333cec659b61638d4b642ab3a150620b62bd1843ba142a419c168f452d | Triage

Submit
Reports

Overview

overview

Static

static

3

bf4913db1a...18.exe

windows7-x64

bf4913db1a...18.exe

windows10-2004-x64

Sharing

Copy URL Twitter E-mail

General

Target

bf4913db1ad39960c2d34de82376ced1_JaffaCakes118
Size

594KB
Sample

240824-yhg7vswcpc
MD5

bf4913db1ad39960c2d34de82376ced1
SHA1

e0cf8a8c913421172f7b5675323cc85557d3d102
SHA256

fded53333cec659b61638d4b642ab3a150620b62bd1843ba142a419c168f452d
SHA512

6670050cb893abf80dacce1daf88f0571e031789390d1fdbfca51f4fa95690c7df8d8e2531cdc6288522fd43b6f0e89be66dc5ea51a5de527921b7254bbe2464
SSDEEP

12288:hoAECX/p6U/Kdo7h+DZW8nh4GlPYQJS0omrN59XM7OHgv6nfcWp:ECX/p6US678lTnh4Ag70owNPYOHgv6nf

Score

10^/10

netwire botnet discovery persistence rat stealer

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

bf4913db1ad39960c2d34de82376ced1_JaffaCakes118.exe

Resource

win7-20240708-en

netwire botnet discovery persistence rat stealer

windows7-x64

9 signatures

150 seconds

Behavioral task

behavioral2

Sample

bf4913db1ad39960c2d34de82376ced1_JaffaCakes118.exe

Resource

win10v2004-20240802-en

netwire botnet discovery persistence rat stealer

windows10-2004-x64

8 signatures

150 seconds

Malware Config

Extracted

Family

netwire

C2

213.183.58.12:1555

Attributes

activex_autorun
false
copy_executable
true
delete_original
true
host_id
suchfamily
install_path
%Temp%\SKYPE.exe
keylogger_dir
%Temp%\Logs\
lock_executable
false
mutex
CBNlDpBK
offline_keylogger
true
password
Hkoco,~E$)
registry_autorun
true
startup_name
SKYPE
use_mutex
true

Targets

- Target
  
  bf4913db1ad39960c2d34de82376ced1_JaffaCakes118
- Size
  
  594KB
- MD5
  
  bf4913db1ad39960c2d34de82376ced1
- SHA1
  
  e0cf8a8c913421172f7b5675323cc85557d3d102
- SHA256
  
  fded53333cec659b61638d4b642ab3a150620b62bd1843ba142a419c168f452d
- SHA512
  
  6670050cb893abf80dacce1daf88f0571e031789390d1fdbfca51f4fa95690c7df8d8e2531cdc6288522fd43b6f0e89be66dc5ea51a5de527921b7254bbe2464
- SSDEEP
  
  12288:hoAECX/p6U/Kdo7h+DZW8nh4GlPYQJS0omrN59XM7OHgv6nfcWp:ECX/p6US678lTnh4Ag70owNPYOHgv6nf
Score

10^/10

netwire botnet discovery persistence rat stealer
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

netwirebotnetdiscoverypersistenceratstealer

behavioral2

netwirebotnetdiscoverypersistenceratstealer

© 2018-2025

Terms | Privacy