netwire | c13396208695404bbaf69216c425a260848a2386d27ecf370258d5adf3fd491a | Triage

Submit
Reports

Overview

overview

Static

static

7d4a5b193b...0N.exe

windows7-x64

7d4a5b193b...0N.exe

windows10-2004-x64

Sharing

General

Target

7d4a5b193b42dd0fd5600b77ff9c8510N
Size

1.4MB
Sample

240826-sagcps1cpr
MD5

7d4a5b193b42dd0fd5600b77ff9c8510
SHA1

75f4fb3ca9cef796f2745099f6035c94d1bf3304
SHA256

c13396208695404bbaf69216c425a260848a2386d27ecf370258d5adf3fd491a
SHA512

8407b10521273824f32e6221b6c44597440118d89c828fcfe992a918f97352ef5e83a42c4861e99641f18c221503185a4286db3272bd6a1cdbf563f8f6989159
SSDEEP

24576:ru6J3xO0c+JY5UZ+XCHkGso6Fa720W4njUprvVcC1f2o5RRfgdWYf:Fo0c++OCokGs9Fa+rd1f26RNYf

Score

10^/10

netwire warzonerat botnet discovery infostealer rat stealer

Static task

static1

4 signatures

Behavioral task

behavioral1

Sample

7d4a5b193b42dd0fd5600b77ff9c8510N.exe

Resource

win7-20240705-en

netwire warzonerat botnet discovery infostealer rat stealer

windows7-x64

12 signatures

120 seconds

Behavioral task

behavioral2

Sample

7d4a5b193b42dd0fd5600b77ff9c8510N.exe

Resource

win10v2004-20240802-en

netwire warzonerat botnet discovery infostealer rat stealer

windows10-2004-x64

12 signatures

120 seconds

Malware Config

Extracted

Family

netwire

C2

Wealthy2019.com.strangled.net:20190

wealthyme.ddns.net:20190

Attributes

activex_autorun
false
copy_executable
true
delete_original
false
host_id
sunshineslisa
install_path
%AppData%\Imgburn\Host.exe
keylogger_dir
%AppData%\Logs\Imgburn\
lock_executable
false
offline_keylogger
true
password
sucess
registry_autorun
false
use_mutex
false

Extracted

Family

warzonerat

C2

wealth.warzonedns.com:5202

Targets

- Target
  
  7d4a5b193b42dd0fd5600b77ff9c8510N
- Size
  
  1.4MB
- MD5
  
  7d4a5b193b42dd0fd5600b77ff9c8510
- SHA1
  
  75f4fb3ca9cef796f2745099f6035c94d1bf3304
- SHA256
  
  c13396208695404bbaf69216c425a260848a2386d27ecf370258d5adf3fd491a
- SHA512
  
  8407b10521273824f32e6221b6c44597440118d89c828fcfe992a918f97352ef5e83a42c4861e99641f18c221503185a4286db3272bd6a1cdbf563f8f6989159
- SSDEEP
  
  24576:ru6J3xO0c+JY5UZ+XCHkGso6Fa720W4njUprvVcC1f2o5RRfgdWYf:Fo0c++OCokGs9Fa+rd1f26RNYf
Score

10^/10

netwire warzonerat botnet discovery infostealer rat stealer
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Warzone RAT payload
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

netwirewarzoneratbotnetdiscoveryinfostealerratstealer

behavioral2

netwirewarzoneratbotnetdiscoveryinfostealerratstealer

© 2018-2025

Terms | Privacy