netwire | 9f2d5f8c077dbdbc35cb37aabfa9d63c6bce86443cb1a4fc2a820a6ef9568c6d | Triage

Sharing

General

Target

d8959d67b5ad1af0bd2c8436d8caf1af_JaffaCakes118
Size

367KB
Sample

240910-txc48sthrh
MD5

d8959d67b5ad1af0bd2c8436d8caf1af
SHA1

b5da6b6495219b49f50f0fd68dccf3d0079f206a
SHA256

9f2d5f8c077dbdbc35cb37aabfa9d63c6bce86443cb1a4fc2a820a6ef9568c6d
SHA512

f91c819705846b7b93666376ad485ec97b400acb4aacbf7da83a830e47702184bb3dbdc73e0553e2bd8b99a4b4003512e05864e66e53549ab80bce0410360533
SSDEEP

6144:37YWgp8Jqj3uTE92U1YWgp8Jqj3uTE92UuW6EFvp6/YX5fH1huypYabVY78N7UbE:3UFqY+TEAxFqY+TEAVWJ6QpfPzYab6Qn

Score

10^/10

netwire botnet discovery persistence rat stealer

Malware Config

Extracted

Family

netwire

C2

fada101.servehttp.com:3360

Attributes

activex_autorun
true
activex_key
{ML38R11G-GURP-G731-0R0R-YG3Y3Y2RWAXB}
copy_executable
true
delete_original
true
host_id
HostId-%Rand%
install_path
%AppData%\Install\Host.exe
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
Password
registry_autorun
true
startup_name
NetWire
use_mutex
false

Targets

- Target
  
  d8959d67b5ad1af0bd2c8436d8caf1af_JaffaCakes118
- Size
  
  367KB
- MD5
  
  d8959d67b5ad1af0bd2c8436d8caf1af
- SHA1
  
  b5da6b6495219b49f50f0fd68dccf3d0079f206a
- SHA256
  
  9f2d5f8c077dbdbc35cb37aabfa9d63c6bce86443cb1a4fc2a820a6ef9568c6d
- SHA512
  
  f91c819705846b7b93666376ad485ec97b400acb4aacbf7da83a830e47702184bb3dbdc73e0553e2bd8b99a4b4003512e05864e66e53549ab80bce0410360533
- SSDEEP
  
  6144:37YWgp8Jqj3uTE92U1YWgp8Jqj3uTE92UuW6EFvp6/YX5fH1huypYabVY78N7UbE:3UFqY+TEAxFqY+TEAVWJ6QpfPzYab6Qn
Score

10^/10

discovery netwire botnet persistence rat stealer
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

netwirebotnetdiscoverypersistenceratstealer