netwire | cb278352cefad39d6e0d5ddcbd7b113b1abf6d27fb525d4ab3a79606bef98914 | Triage

Sharing

General

Target

cb8f3646b1f9120e39b0df7736813817_JaffaCakes118
Size

334KB
Sample

240830-ypeqbasdqc
MD5

cb8f3646b1f9120e39b0df7736813817
SHA1

820903daca2aba6c68d188e39036e75188f9aaf6
SHA256

cb278352cefad39d6e0d5ddcbd7b113b1abf6d27fb525d4ab3a79606bef98914
SHA512

868996c0ef7b7fc58cc6502cbf018e6b44f5f2c7d3d2bb8fcbdca21d1cf63b4f58cfc4269c0c6abeec706e6f2e9b4a660c2df63b5f4116dbd639bfe2dc421e50
SSDEEP

6144:KVfPNS/+PNS/fWeymcbBsri3iLNiA1tq4ZKMwuyMS9a:AfPPPWyFgAid1Yowbv

Score

10^/10

netwire botnet discovery persistence rat stealer

Malware Config

Extracted

Family

netwire

C2

194.68.59.48:3369

194.68.59.48:3367

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
Frank101
registry_autorun
false
use_mutex
false

Targets

- Target
  
  cb8f3646b1f9120e39b0df7736813817_JaffaCakes118
- Size
  
  334KB
- MD5
  
  cb8f3646b1f9120e39b0df7736813817
- SHA1
  
  820903daca2aba6c68d188e39036e75188f9aaf6
- SHA256
  
  cb278352cefad39d6e0d5ddcbd7b113b1abf6d27fb525d4ab3a79606bef98914
- SHA512
  
  868996c0ef7b7fc58cc6502cbf018e6b44f5f2c7d3d2bb8fcbdca21d1cf63b4f58cfc4269c0c6abeec706e6f2e9b4a660c2df63b5f4116dbd639bfe2dc421e50
- SSDEEP
  
  6144:KVfPNS/+PNS/fWeymcbBsri3iLNiA1tq4ZKMwuyMS9a:AfPPPWyFgAid1Yowbv
Score

10^/10

netwire botnet discovery persistence rat stealer
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

netwirebotnetdiscoverypersistenceratstealer

behavioral2

netwirebotnetdiscoverypersistenceratstealer