netwire | 878d2d7e6bc21b888be0c88716d0457fbb224f3d27263be509180aaf8aa4f611 | Triage

Submit
Reports

Overview

overview

Static

static

7

3b41fb9385...0N.exe

windows7-x64

3b41fb9385...0N.exe

windows10-2004-x64

Sharing

General

Target

3b41fb9385c0ac13fc08f3fda2098ac0N.exe
Size

118KB
Sample

240830-hhqagasdnm
MD5

3b41fb9385c0ac13fc08f3fda2098ac0
SHA1

979c54b5e2d8afec33bc69ffb7a35a81a14264c8
SHA256

878d2d7e6bc21b888be0c88716d0457fbb224f3d27263be509180aaf8aa4f611
SHA512

d54d1109c7689c2867d4c8bb41667005717c36404e094316f9dc35a7810561867588d10f5da303656e087e76de5e0f9996b47c24f6f1b2e8128d36bb5ae280e8
SSDEEP

3072:M+z7JXnrdFzp886+RMPy5fWMwdWRgjnahKoutjKI7ehMx:rz75nrz286+RMaLVRgjahKoS

Score

10^/10

netwire botnet discovery persistence rat stealer upx

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

3b41fb9385c0ac13fc08f3fda2098ac0N.exe

Resource

win7-20240729-en

netwire botnet discovery rat stealer upx

windows7-x64

13 signatures

120 seconds

Behavioral task

behavioral2

Sample

3b41fb9385c0ac13fc08f3fda2098ac0N.exe

Resource

win10v2004-20240802-en

netwire botnet discovery persistence rat stealer upx

windows10-2004-x64

16 signatures

120 seconds

Malware Config

Extracted

Family

netwire

C2

imemerit.servehttp.com:3360

Attributes

activex_autorun
true
activex_key
{I78G8V27-88UF-2L1T-8064-2S8723OVASE8}
copy_executable
false
delete_original
true
host_id
HostId-%Rand%
keylogger_dir
C:\Users\Admin\AppData\Roaming\Logs\
lock_executable
false
mutex
TIrKHSHH
offline_keylogger
true
password
`+8n0x<gT)\"Lu5"'A`c?$H="
registry_autorun
true
startup_name
FirstRowAli
use_mutex
true

Targets

- Target
  
  3b41fb9385c0ac13fc08f3fda2098ac0N.exe
- Size
  
  118KB
- MD5
  
  3b41fb9385c0ac13fc08f3fda2098ac0
- SHA1
  
  979c54b5e2d8afec33bc69ffb7a35a81a14264c8
- SHA256
  
  878d2d7e6bc21b888be0c88716d0457fbb224f3d27263be509180aaf8aa4f611
- SHA512
  
  d54d1109c7689c2867d4c8bb41667005717c36404e094316f9dc35a7810561867588d10f5da303656e087e76de5e0f9996b47c24f6f1b2e8128d36bb5ae280e8
- SSDEEP
  
  3072:M+z7JXnrdFzp886+RMPy5fWMwdWRgjnahKoutjKI7ehMx:rz75nrz286+RMaLVRgjahKoS
Score

10^/10

netwire botnet discovery rat stealer upx persistence
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

Persistence

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

netwirebotnetdiscoveryratstealerupx

behavioral2

netwirebotnetdiscoverypersistenceratstealerupx

© 2018-2025

Terms | Privacy