netwire | 7f4d0810b884d9647d5374550187a123f009ce8f6450d5dab818a2384358fb06 | Triage

Submit
Reports

Overview

overview

Static

static

5

SDA EMV Ch...ws.exe

windows11-21h2-x64

Sharing

General

Target

SDA EMV Chip Writer By Paws.exe
Size

3.8MB
Sample

241119-kdmpwstbnn
MD5

30ee6aaf50e4b4369e0a1634afbcd757
SHA1

b2ee5b9c07098a1058ae9778ad59396b8b8c9878
SHA256

7f4d0810b884d9647d5374550187a123f009ce8f6450d5dab818a2384358fb06
SHA512

bec9661218c6fe09f7c048e4264def14815da93ab258209e3acc2e3e72b5f08aa6f6aea14c24973f2c0abbe3a54f1e820b3f712c8a0d8a8d474d6e19e4b73cec
SSDEEP

98304:tMryTmxddk6tVOfALLIVjnz25r/8XnveOZxho:vKxdBt84Ehur/82iPo

Score

10^/10

netwire botnet discovery persistence rat stealer

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

SDA EMV Chip Writer By Paws.exe

Resource

win11-20241007-en

netwire botnet discovery persistence rat stealer

windows11-21h2-x64

12 signatures

150 seconds

Malware Config

Extracted

Family

netwire

C2

local.cable-modem.org:3361

teamviewer.ddns.net:3361

optic.cable-modem.org:3361

teamviewer.ddns.me:3361

logmein.loginto.me:3361

Attributes

activex_autorun
true
activex_key
{FV27BA78-2S2J-Y2KF-44D4-X6XR4251FJEB}
copy_executable
true
delete_original
false
host_id
BTC2020
install_path
%AppData%\instal\crhomeAT64bit.exe
keylogger_dir
%AppData%\0pera\metaolgs.dat\
lock_executable
false
mutex
NLBJEoGj
offline_keylogger
true
password
anjing
registry_autorun
true
startup_name
tvnserver
use_mutex
true

Targets

- Target
  
  SDA EMV Chip Writer By Paws.exe
- Size
  
  3.8MB
- MD5
  
  30ee6aaf50e4b4369e0a1634afbcd757
- SHA1
  
  b2ee5b9c07098a1058ae9778ad59396b8b8c9878
- SHA256
  
  7f4d0810b884d9647d5374550187a123f009ce8f6450d5dab818a2384358fb06
- SHA512
  
  bec9661218c6fe09f7c048e4264def14815da93ab258209e3acc2e3e72b5f08aa6f6aea14c24973f2c0abbe3a54f1e820b3f712c8a0d8a8d474d6e19e4b73cec
- SSDEEP
  
  98304:tMryTmxddk6tVOfALLIVjnz25r/8XnveOZxho:vKxdBt84Ehur/82iPo
Score

10^/10

netwire botnet discovery persistence rat stealer
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Netwire family
  netwire
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Executes dropped EXE
- Adds Run key to start application
  persistence
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

netwirebotnetdiscoverypersistenceratstealer

© 2018-2024

Terms | Privacy