netwire

Sharing

Copy URL

Twitter E-mail

General

Target

333e76fb70bd934d7360c555ac40a370N.exe
Size

188KB
Sample

240829-p91zlssgjd
MD5

333e76fb70bd934d7360c555ac40a370
SHA1

3dbd4e9ecf56efc70515746b51af447191e32239
SHA256

f59268ac976b85521c5e2279d14f57a8d6b3926d710b1853963db0cbd6c4d3c2
SHA512

7e8b9f101b9fa326ea68519da2991d1717a968d7ed46418efe331d1c4067d10edaec7746a2158c749276e1c8fbfe926500342037e74fbab4e3a4a711af0a77a5
SSDEEP

3072:o030XCIscLlj+cM45KzxKwrKdvZz+7DzVX4++RC7AUBTBqzqdTFzILwrK:oje/NGv1+T2PDUCmdTFzIc

Score

10^/10

Malware Config

Extracted

Family

netwire

127.0.0.1:3380

manpower123.sytes.net:3380

Attributes

activex_autorun
true
activex_key
{SU60632U-NH5E-B175-1B86-J7K6RBN22VI8}
copy_executable
true
delete_original
true
host_id
ID1
install_path
%AppData%\Install\1day
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
cPSdeemG
offline_keylogger
true
password
c5dcq70o
registry_autorun
true
startup_name
Java
use_mutex
true

Targets

- Target
  
  333e76fb70bd934d7360c555ac40a370N.exe
- Size
  
  188KB
- MD5
  
  333e76fb70bd934d7360c555ac40a370
- SHA1
  
  3dbd4e9ecf56efc70515746b51af447191e32239
- SHA256
  
  f59268ac976b85521c5e2279d14f57a8d6b3926d710b1853963db0cbd6c4d3c2
- SHA512
  
  7e8b9f101b9fa326ea68519da2991d1717a968d7ed46418efe331d1c4067d10edaec7746a2158c749276e1c8fbfe926500342037e74fbab4e3a4a711af0a77a5
- SSDEEP
  
  3072:o030XCIscLlj+cM45KzxKwrKdvZz+7DzVX4++RC7AUBTBqzqdTFzILwrK:oje/NGv1+T2PDUCmdTFzIc
Score

10^/10

netwire botnet discovery persistence rat stealer
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/LangDLL.dll
- Size
  
  5KB
- MD5
  
  ea60c7bd5edd6048601729bd31362c16
- SHA1
  
  6e6919d969eb61a141595014395b6c3f44139073
- SHA256
  
  4e72c8b4d36f128b25281440e59e39af7ec2080d02e024f35ac413d769d91f39
- SHA512
  
  f9dc35220697153bb06e3a06caf645079881cb75aed008dbe5381ecaf3442d5be03500b36bbca8b3d114845fac3d667ddf4063c16bc35d29bbea862930939993
- SSDEEP
  
  48:im1nEhqneMPUptuMMNvimk2BAZuMTRCpYEvJdUJvR0J6of5dwe:F1jpl9NLBAZuYtR0xd
Score

3^/10

discovery
behavioral3 behavioral4
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  11KB
- MD5
  
  55a26d7800446f1373056064c64c3ce8
- SHA1
  
  80256857e9a0a9c8897923b717f3435295a76002
- SHA256
  
  904fd5481d72f4e03b01a455f848dedd095d0fb17e33608e0d849f5196fb6ff8
- SHA512
  
  04b8ab7a85c26f188c0a06f524488d6f2ac2884bf107c860c82e94ae12c3859f825133d78338fd2b594dfc48f7dc9888ae76fee786c6252a5c77c88755128a5b
- SSDEEP
  
  192:MPtkumJX7zBE2kGwfy9S9VkPsFQ1Mx1c:97O2k5q9wA1Mxa
Score

3^/10

discovery
behavioral5 behavioral6
- Target
  
  $PLUGINSDIR/nsDialogs.dll
- Size
  
  9KB
- MD5
  
  ee449b0adce56fbfa433b0239f3f81be
- SHA1
  
  ec1e4f9815ea592a3f19b1fe473329b8ddfa201c
- SHA256
  
  c1cc3aa4326e83a73a778dee0cf9afcc03a6bafb0a32cea791a27eb9c2288985
- SHA512
  
  22fb25bc7628946213e6e970a865d3fbd50d12ce559c37d6848a82c28fa6be09fedffc3b87d5aea8dcfe8dfc4e0f129d9f02e32dae764b8e6a08332b42386686
- SSDEEP
  
  96:oCqZ4zC5RH3cXX1LlYlRowycxM2DjDf3GEst+Nt+jvDYx4iqndYHnxss:oCq+CP3uKrpyREs06Yx+dGn
Score

3^/10

discovery
behavioral7 behavioral8
- Target
  
  Uninstall.exe
- Size
  
  57KB
- MD5
  
  8d67546632276e864ed86f26919d8e0e
- SHA1
  
  77ba03a00c7229618ef86fde09e83125a67f7578
- SHA256
  
  4dc37f2bb5ad34df5da0aa71d7938ce3638ef63e278ea117115371acc1fa7614
- SHA512
  
  3168b58ff1d10a79f64983889e6401fc7611161f1b79f22d77b81a8b8bce8f473169389daf323f00367147b88a8c9901bfeaf022f3527f9c759673743a20cde9
- SSDEEP
  
  1536:o02Wf0K2CImbrBwiALljslcUgdLeAyNxdxVpl2LCOKm:o030XCIscLlj+cUceAY/wrKm
Score

7^/10

discovery
- Executes dropped EXE
- Loads dropped DLL
behavioral10 behavioral9
- Target
  
  $PLUGINSDIR/LangDLL.dll
- Size
  
  5KB
- MD5
  
  ea60c7bd5edd6048601729bd31362c16
- SHA1
  
  6e6919d969eb61a141595014395b6c3f44139073
- SHA256
  
  4e72c8b4d36f128b25281440e59e39af7ec2080d02e024f35ac413d769d91f39
- SHA512
  
  f9dc35220697153bb06e3a06caf645079881cb75aed008dbe5381ecaf3442d5be03500b36bbca8b3d114845fac3d667ddf4063c16bc35d29bbea862930939993
- SSDEEP
  
  48:im1nEhqneMPUptuMMNvimk2BAZuMTRCpYEvJdUJvR0J6of5dwe:F1jpl9NLBAZuYtR0xd
Score

3^/10

discovery
behavioral11 behavioral12
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  11KB
- MD5
  
  55a26d7800446f1373056064c64c3ce8
- SHA1
  
  80256857e9a0a9c8897923b717f3435295a76002
- SHA256
  
  904fd5481d72f4e03b01a455f848dedd095d0fb17e33608e0d849f5196fb6ff8
- SHA512
  
  04b8ab7a85c26f188c0a06f524488d6f2ac2884bf107c860c82e94ae12c3859f825133d78338fd2b594dfc48f7dc9888ae76fee786c6252a5c77c88755128a5b
- SSDEEP
  
  192:MPtkumJX7zBE2kGwfy9S9VkPsFQ1Mx1c:97O2k5q9wA1Mxa
Score

3^/10

discovery
behavioral13 behavioral14

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

NetWire RAT payload

Boot or Logon Autostart Execution: Active Setup

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

Executes dropped EXE

Loads dropped DLL

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14