netwire | 95f8d8c16adefdb4f879873da06d11533ea92aa9847fddeadc06709fd3b40872 | Triage

Submit
Reports

Overview

overview

Static

static

7

scan01930-992001.exe

windows7-x64

scan01930-992001.exe

windows10-2004-x64

Sharing

General

Target

cb64b5195020eb6213e20dff037082de_JaffaCakes118
Size

609KB
Sample

240830-wxjm5axgqe
MD5

cb64b5195020eb6213e20dff037082de
SHA1

d819fa3006db18e9df8681047d5970ffa32bc96c
SHA256

95f8d8c16adefdb4f879873da06d11533ea92aa9847fddeadc06709fd3b40872
SHA512

9b7fb97b925bbb5359d82b74a83eb0330dc4a9cbd559158d9ece176323b39fb3fde8d81171d7f8de847a8613cd1c1950991f2898160ffba3c2b9516662437172
SSDEEP

12288:SXRUn47KARqSpLRRqvGkTq7iezj4lxFy6O8m9FVb/bEm/ICnV1T9tu3:Smn4m4qSpaLoirbG8m9nb/bEm/ICnM

Score

10^/10

netwire botnet discovery persistence rat stealer vmprotect

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

scan01930-992001.exe

Resource

win7-20240705-en

netwire botnet discovery persistence rat stealer vmprotect

windows7-x64

8 signatures

150 seconds

Behavioral task

behavioral2

Sample

scan01930-992001.exe

Resource

win10v2004-20240802-en

netwire botnet discovery persistence rat stealer vmprotect

windows10-2004-x64

8 signatures

150 seconds

Malware Config

Extracted

Family

netwire

C2

info2.myq-see.com:9955

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
TnrNdOUO
offline_keylogger
true
password
ALANKA121
registry_autorun
false
use_mutex
true

Targets

- Target
  
  scan01930-992001.exe
- Size
  
  1020KB
- MD5
  
  ae23e121e59f1ae841460aae3225cb10
- SHA1
  
  a73e588fe247426507b7e1e85f4085076f04e793
- SHA256
  
  def6e8b150b45f247e79f839b075a36d586b232251686dd0a2a4fb25531282ce
- SHA512
  
  0206bbf931b5e840f46524a2ef58596ad5908df57015c0962828b359f3fb9dacca81971c79b41e02a05744689b8b6172d0b4bc139cc4be97422b35678002388c
- SSDEEP
  
  12288:s6LAmjfx4ssrm5UXuq8tIb0CPijYn40Vn2stB/7iyLyb6JXCqBqEdqK:dLbxHszuqV0CS1Oey2b6VzBZd5
Score

10^/10

netwire botnet discovery persistence rat stealer vmprotect
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

netwirebotnetdiscoverypersistenceratstealervmprotect

behavioral2

netwirebotnetdiscoverypersistenceratstealervmprotect

© 2018-2025

Terms | Privacy