netwire

General

Target

e37b7bc3f5c907d08209b5e04b4d377d_JaffaCakes118
Size

464KB
Sample

240915-2cfnmavhkh
MD5

e37b7bc3f5c907d08209b5e04b4d377d
SHA1

01c10ff36eb2a6c8efb3a3cb0aa5b025803c174e
SHA256

a409999acdb444dfc27a8832a1d07e1ff9fe4883f46256101957963978c53085
SHA512

4f382e03361b58d4dacb4fb3872cb85752bf705b97e467081d2685fb2a7e5a7a4d8f945579a5398e5850fd3db4c4aeabb56ca7da7d7cee0239b4be8feea83e69
SSDEEP

6144:Kg9Qz+zjKkWo13HQT5tno4tc192I6md18tgD8jJrFZxh/G+kfDc3H/edlilUBZR:79CQjJ3Hkbo4UQI6md1AxLxhU4eHila

Score

10^/10

Malware Config

Extracted

Family

netwire

C2

info1.duckdns.org:1604

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
TrilliumXplt
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
EcSrpKvW
offline_keylogger
true
password
caster123
registry_autorun
false
use_mutex
true

Targets

- Target
  
  e37b7bc3f5c907d08209b5e04b4d377d_JaffaCakes118
- Size
  
  464KB
- MD5
  
  e37b7bc3f5c907d08209b5e04b4d377d
- SHA1
  
  01c10ff36eb2a6c8efb3a3cb0aa5b025803c174e
- SHA256
  
  a409999acdb444dfc27a8832a1d07e1ff9fe4883f46256101957963978c53085
- SHA512
  
  4f382e03361b58d4dacb4fb3872cb85752bf705b97e467081d2685fb2a7e5a7a4d8f945579a5398e5850fd3db4c4aeabb56ca7da7d7cee0239b4be8feea83e69
- SSDEEP
  
  6144:Kg9Qz+zjKkWo13HQT5tno4tc192I6md18tgD8jJrFZxh/G+kfDc3H/edlilUBZR:79CQjJ3Hkbo4UQI6md1AxLxhU4eHila
Score

10^/10

netwire botnet discovery rat stealer
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

NetWire RAT payload

Checks computer location settings

Drops startup file

Executes dropped EXE

Loads dropped DLL

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2