netwire | d9a5c16a13ec68f0548a6db05db2439d6296b4704c6ee480aa0d659f77d04f4d | Triage

Sharing

General

Target

3c8aa9482e04955247407008a9a58de4_JaffaCakes118
Size

534KB
Sample

241012-28pw6swhna
MD5

3c8aa9482e04955247407008a9a58de4
SHA1

2a8c593fffc721c68511d2667fe5f02e4da78f1e
SHA256

d9a5c16a13ec68f0548a6db05db2439d6296b4704c6ee480aa0d659f77d04f4d
SHA512

afd17edd4fe4d93a31acbb8e9ae67311e33e30408c77ce4f5316414376d1500078e092538a03d5f13fea725e17daa4642cb30a78f4a80045bafd769daf8cc735
SSDEEP

12288:aH/9cLouxk5R7hNeqVIVZ7uDQMhAVb7YrK0L6YA:af9Uo4k5NhNfcZKDkbk

Score

10^/10

netwire botnet discovery persistence rat stealer

Malware Config

Extracted

Family

netwire

C2

mikebaur.ddns.net:3361

Attributes

activex_autorun
true
activex_key
{6388V52T-OO22-RNFN-00O6-B48721FMJK8H}
copy_executable
false
delete_original
true
host_id
HostId-%Rand%
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
Password
registry_autorun
true
startup_name
NetWire
use_mutex
false

Targets

- Target
  
  3c8aa9482e04955247407008a9a58de4_JaffaCakes118
- Size
  
  534KB
- MD5
  
  3c8aa9482e04955247407008a9a58de4
- SHA1
  
  2a8c593fffc721c68511d2667fe5f02e4da78f1e
- SHA256
  
  d9a5c16a13ec68f0548a6db05db2439d6296b4704c6ee480aa0d659f77d04f4d
- SHA512
  
  afd17edd4fe4d93a31acbb8e9ae67311e33e30408c77ce4f5316414376d1500078e092538a03d5f13fea725e17daa4642cb30a78f4a80045bafd769daf8cc735
- SSDEEP
  
  12288:aH/9cLouxk5R7hNeqVIVZ7uDQMhAVb7YrK0L6YA:af9Uo4k5NhNfcZKDkbk
Score

10^/10

netwire botnet discovery persistence rat stealer
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

netwirebotnetdiscoverypersistenceratstealer

behavioral2

netwirebotnetdiscoverypersistenceratstealer