netwire | f5da759038e0c82740e3a588288a27cc6189e9f634a7950bca73554f59bc51ad | Triage

Sharing

General

Target

f5da759038e0c82740e3a588288a27cc6189e9f634a7950bca73554f59bc51adN.exe
Size

638KB
Sample

241127-jt8rma1pek
MD5

4abb761d7e191cb014ebceb18733f370
SHA1

3c627257f7de83f32b21afa194f4cf294c3f3cb8
SHA256

f5da759038e0c82740e3a588288a27cc6189e9f634a7950bca73554f59bc51ad
SHA512

54732778c642efc962710b5bdba309b706dd2dac7e6fcbdf1f3698c12ebff6ae7afdb19b3d2cf94e6ba7eb7be4a16b9a4ffffab879958b4c5dd4ff6da718bc60
SSDEEP

6144:IbjjGk3F9ELCvfCdgv232mrXLK1UTVMkayZEkcR9eKS+rI:kGkVSLCvu3nXLKoVM0EkcR9BI

Score

10^/10

netwire botnet discovery persistence rat stealer

Malware Config

Extracted

Family

netwire

C2

nightwolf.dyndns-ip.com:2020

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-MgqmO0
keylogger_dir
C:\Users\Admin\AppData\Roaming\Logs\
lock_executable
false
offline_keylogger
true
password
Password
registry_autorun
false
use_mutex
false

Targets

- Target
  
  f5da759038e0c82740e3a588288a27cc6189e9f634a7950bca73554f59bc51adN.exe
- Size
  
  638KB
- MD5
  
  4abb761d7e191cb014ebceb18733f370
- SHA1
  
  3c627257f7de83f32b21afa194f4cf294c3f3cb8
- SHA256
  
  f5da759038e0c82740e3a588288a27cc6189e9f634a7950bca73554f59bc51ad
- SHA512
  
  54732778c642efc962710b5bdba309b706dd2dac7e6fcbdf1f3698c12ebff6ae7afdb19b3d2cf94e6ba7eb7be4a16b9a4ffffab879958b4c5dd4ff6da718bc60
- SSDEEP
  
  6144:IbjjGk3F9ELCvfCdgv232mrXLK1UTVMkayZEkcR9eKS+rI:kGkVSLCvu3nXLKoVM0EkcR9BI
Score

10^/10

netwire botnet discovery persistence rat stealer
- Modifies WinLogon for persistence
  persistence
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Netwire family
  netwire
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Winlogon Helper DLL

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

netwirebotnetdiscoverypersistenceratstealer

behavioral2

netwirebotnetdiscoverypersistenceratstealer