netwire | 5f53d622de7b361b2558cfeb85082b23d04f15fcf0127e9fb92f9a2c72e51584 | Triage

Submit
Reports

Overview

overview

Static

static

5

9de09cb16f...18.exe

windows7-x64

9de09cb16f...18.exe

windows10-2004-x64

Sharing

General

Target

9de09cb16f81a09ea20cae8122c2bbc4_JaffaCakes118
Size

1.1MB
Sample

241125-zt734asqbj
MD5

9de09cb16f81a09ea20cae8122c2bbc4
SHA1

05f5524b4ff9def02f9f1b2159ded220f643ced2
SHA256

5f53d622de7b361b2558cfeb85082b23d04f15fcf0127e9fb92f9a2c72e51584
SHA512

c3def7bdf16c6d2fe0571fd17d04fb3ee7ea74eaebe7d57bde1098ad896b63fa96bd9de2c4b8e7818a24f8454388d629c3c30c996e80490142f9296a4426a67b
SSDEEP

24576:XRqT31q2wlFJZb1WYPh6CXuAtZYwyneZO:BA31klFJTP8GuAtZryoO

Score

10^/10

netwire botnet discovery persistence rat stealer upx

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

9de09cb16f81a09ea20cae8122c2bbc4_JaffaCakes118.exe

Resource

win7-20240903-en

netwire botnet discovery persistence rat stealer upx

windows7-x64

12 signatures

150 seconds

Behavioral task

behavioral2

Sample

9de09cb16f81a09ea20cae8122c2bbc4_JaffaCakes118.exe

Resource

win10v2004-20241007-en

netwire botnet discovery persistence rat stealer upx

windows10-2004-x64

12 signatures

150 seconds

Malware Config

Extracted

Family

netwire

C2

akamai-update.no-ip.org:33333

Attributes

activex_autorun
true
activex_key
{E7VK76V1-8E7Y-I53I-ET41-C8H4828ISX31}
copy_executable
true
delete_original
true
host_id
HostId-%Rand%
install_path
%AppData%\Akamai Labs\akmupdate.exe
lock_executable
false
mutex
VesHwCJR
offline_keylogger
false
password
Password
registry_autorun
true
startup_name
Akamai Labs
use_mutex
true

Targets

- Target
  
  9de09cb16f81a09ea20cae8122c2bbc4_JaffaCakes118
- Size
  
  1.1MB
- MD5
  
  9de09cb16f81a09ea20cae8122c2bbc4
- SHA1
  
  05f5524b4ff9def02f9f1b2159ded220f643ced2
- SHA256
  
  5f53d622de7b361b2558cfeb85082b23d04f15fcf0127e9fb92f9a2c72e51584
- SHA512
  
  c3def7bdf16c6d2fe0571fd17d04fb3ee7ea74eaebe7d57bde1098ad896b63fa96bd9de2c4b8e7818a24f8454388d629c3c30c996e80490142f9296a4426a67b
- SSDEEP
  
  24576:XRqT31q2wlFJZb1WYPh6CXuAtZYwyneZO:BA31klFJTP8GuAtZryoO
Score

10^/10

netwire botnet discovery persistence rat stealer upx
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Netwire family
  netwire
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

netwirebotnetdiscoverypersistenceratstealerupx

behavioral2

netwirebotnetdiscoverypersistenceratstealerupx

© 2018-2025

Terms | Privacy