netwire | 40cbbf504a6af3b5ad0d25cb02f4dc9544596d6978468b708c9f2248953a4e6c | Triage

Submit
Reports

Overview

overview

Static

static

5

47ed26d0a0...18.exe

windows7-x64

47ed26d0a0...18.exe

windows10-2004-x64

Sharing

General

Target

47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118
Size

1.0MB
Sample

241015-p5lzwszbml
MD5

47ed26d0a0f4d8a98d743f23a6e36c22
SHA1

bfa384cb2680435f734eb1913611ebe19231a609
SHA256

40cbbf504a6af3b5ad0d25cb02f4dc9544596d6978468b708c9f2248953a4e6c
SHA512

2c54ccef260bf5dc24a81bfb0de7bc38f1f0308fc62f275ff839713d03e860619a3b491a6d2463b33d341d6a448df0bb3a62738c487c678d4557be496473f401
SSDEEP

24576:VAHnh+eWsN3skA4RV1Hom2KXFmIaYx0tZVO55:Eh+ZkldoPK1XaYxcZVc

Score

10^/10

netwire botnet discovery persistence rat stealer

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe

Resource

win7-20240903-en

netwire botnet discovery persistence rat stealer

windows7-x64

14 signatures

150 seconds

Behavioral task

behavioral2

Sample

47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe

Resource

win10v2004-20241007-en

netwire botnet discovery persistence rat stealer

windows10-2004-x64

13 signatures

150 seconds

Malware Config

Extracted

Family

netwire

C2

95.167.151.235:8973

Attributes

activex_autorun
true
activex_key
{N0R5BAW8-0Q5K-W773-0566-88UJFGBT8MC5}
copy_executable
true
delete_original
false
host_id
HostId-%Rand%
install_path
%AppData%\Install\Host.exe
lock_executable
false
offline_keylogger
false
password
Password
registry_autorun
true
startup_name
windows
use_mutex
false

Targets

- Target
  
  47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118
- Size
  
  1.0MB
- MD5
  
  47ed26d0a0f4d8a98d743f23a6e36c22
- SHA1
  
  bfa384cb2680435f734eb1913611ebe19231a609
- SHA256
  
  40cbbf504a6af3b5ad0d25cb02f4dc9544596d6978468b708c9f2248953a4e6c
- SHA512
  
  2c54ccef260bf5dc24a81bfb0de7bc38f1f0308fc62f275ff839713d03e860619a3b491a6d2463b33d341d6a448df0bb3a62738c487c678d4557be496473f401
- SSDEEP
  
  24576:VAHnh+eWsN3skA4RV1Hom2KXFmIaYx0tZVO55:Eh+ZkldoPK1XaYxcZVc
Score

10^/10

netwire botnet discovery persistence rat stealer
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

netwirebotnetdiscoverypersistenceratstealer

behavioral2

netwirebotnetdiscoverypersistenceratstealer

© 2018-2025

Terms | Privacy