netwire | 7649b0d5eac5d15692826bcaff2ac11264c87e3aea26ff89e19e280ed3a5806d | Triage

Sharing

General

Target

7649b0d5eac5d15692826bcaff2ac11264c87e3aea26ff89e19e280ed3a5806d.exe
Size

638KB
Sample

241125-jxpsxssqgp
MD5

727d339d4485e05c1cc8764c854eddbf
SHA1

c230be06684e4f27dfaa066c0d3f631232770bb6
SHA256

7649b0d5eac5d15692826bcaff2ac11264c87e3aea26ff89e19e280ed3a5806d
SHA512

f1bd31e1963bc36468f0fde5c50de555e6dba5361585017e9720e249cc8133fdd72a7274928cb7ba8564d0d42d508a008ae0ee220ea9773af98f7f7b4d9c3925
SSDEEP

6144:IbjjGk3F9ELCvfCdgv232mrXLK1UTVMkayZEkcR9eKS+rId:kGkVSLCvu3nXLKoVM0EkcR9BId

Score

10^/10

netwire botnet discovery persistence rat stealer

Malware Config

Extracted

Family

netwire

C2

nightwolf.dyndns-ip.com:2020

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-Wai8Ky
keylogger_dir
C:\Users\Admin\AppData\Roaming\Logs\
lock_executable
false
offline_keylogger
true
password
Password
registry_autorun
false
use_mutex
false

Targets

- Target
  
  7649b0d5eac5d15692826bcaff2ac11264c87e3aea26ff89e19e280ed3a5806d.exe
- Size
  
  638KB
- MD5
  
  727d339d4485e05c1cc8764c854eddbf
- SHA1
  
  c230be06684e4f27dfaa066c0d3f631232770bb6
- SHA256
  
  7649b0d5eac5d15692826bcaff2ac11264c87e3aea26ff89e19e280ed3a5806d
- SHA512
  
  f1bd31e1963bc36468f0fde5c50de555e6dba5361585017e9720e249cc8133fdd72a7274928cb7ba8564d0d42d508a008ae0ee220ea9773af98f7f7b4d9c3925
- SSDEEP
  
  6144:IbjjGk3F9ELCvfCdgv232mrXLK1UTVMkayZEkcR9eKS+rId:kGkVSLCvu3nXLKoVM0EkcR9BId
Score

10^/10

netwire botnet discovery persistence rat stealer
- Modifies WinLogon for persistence
  persistence
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Netwire family
  netwire
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Winlogon Helper DLL

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

netwirebotnetdiscoverypersistenceratstealer

behavioral2

netwirebotnetdiscoverypersistenceratstealer