netwire | 9ba0535c61d531c8128acb5431ca8308e9fec809a9098921e6074822ab2302b9 | Triage

Submit
Reports

Overview

overview

Static

static

1

e63df87df2...18.ps1

windows7-x64

e63df87df2...18.ps1

windows10-2004-x64

Sharing

General

Target

e63df87df22bc2302cd69c4235d33540_JaffaCakes118
Size

1.5MB
Sample

240917-hdk5yszapn
MD5

e63df87df22bc2302cd69c4235d33540
SHA1

07c0969da07fb6c81e4d87031e59150d9485639d
SHA256

9ba0535c61d531c8128acb5431ca8308e9fec809a9098921e6074822ab2302b9
SHA512

dcc3e688c99d01113ea73994e01944cac2a4da6ac85821700361db19b8274a73b1e4f0bddf8314061e8e54bd6473646a6bdc06132e3b967fa9833f8f3aa43d57
SSDEEP

24576:Mw2O9/TgwrSUhVPHahmorI0hnvUwLS4A9ifw/vk2+4R:x95cwOI0Zh20fwpBR

Score

10^/10

netwire botnet discovery execution rat stealer

Static task

static1

Behavioral task

behavioral1

Sample

e63df87df22bc2302cd69c4235d33540_JaffaCakes118.ps1

Resource

win7-20240704-en

netwire botnet discovery execution rat stealer

windows7-x64

17 signatures

150 seconds

Behavioral task

behavioral2

Sample

e63df87df22bc2302cd69c4235d33540_JaffaCakes118.ps1

Resource

win10v2004-20240802-en

netwire botnet discovery execution rat stealer

windows10-2004-x64

20 signatures

150 seconds

Malware Config

Extracted

Family

netwire

C2

turnawayfromyourevilways.duckdns.org:5123

turnawayfromyourevilways.duckdns.org:4123

Attributes

activex_autorun
false
copy_executable
false
delete_original
true
host_id
CONNECTION TEST
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
HKBWgTeq
offline_keylogger
true
password
Password
registry_autorun
false
use_mutex
true

Targets

- Target
  
  e63df87df22bc2302cd69c4235d33540_JaffaCakes118
- Size
  
  1.5MB
- MD5
  
  e63df87df22bc2302cd69c4235d33540
- SHA1
  
  07c0969da07fb6c81e4d87031e59150d9485639d
- SHA256
  
  9ba0535c61d531c8128acb5431ca8308e9fec809a9098921e6074822ab2302b9
- SHA512
  
  dcc3e688c99d01113ea73994e01944cac2a4da6ac85821700361db19b8274a73b1e4f0bddf8314061e8e54bd6473646a6bdc06132e3b967fa9833f8f3aa43d57
- SSDEEP
  
  24576:Mw2O9/TgwrSUhVPHahmorI0hnvUwLS4A9ifw/vk2+4R:x95cwOI0Zh20fwpBR
Score

10^/10

netwire botnet discovery execution rat stealer
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

netwirebotnetdiscoveryexecutionratstealer

behavioral2

netwirebotnetdiscoveryexecutionratstealer

© 2018-2025

Terms | Privacy