netwire | 0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225 | Triage

Submit
Reports

Overview

overview

Static

static

5

0f0f8700da...25.exe

windows7-x64

0f0f8700da...25.exe

windows10-2004-x64

Sharing

General

Target

0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225
Size

118KB
Sample

241215-x99whswlfk
MD5

c2f29e7622b41f880b6bda678e7a5584
SHA1

42713213d71d7b8c57e3c79798ce6b99e41889e8
SHA256

0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225
SHA512

7177a3632486db69854dff5342e1a10258cabdbfe6077337d734a170cdee1a3f00c65c8f47e45bc26aef7f28c53874f760ec345d1ecbbdfe8d33f8d5b629600b
SSDEEP

3072:++z7JXnrdFzp886+RMPy5fWMwdWRgjnahKoutjKI7ehMx:Jz75nrz286+RMaLVRgjahKoS

Score

10^/10

netwire botnet discovery persistence rat stealer upx

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe

Resource

win7-20240903-en

netwire botnet discovery persistence rat stealer upx

windows7-x64

16 signatures

150 seconds

Behavioral task

behavioral2

Sample

0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe

Resource

win10v2004-20241007-en

netwire botnet discovery persistence rat stealer upx

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Extracted

Family

netwire

C2

imemerit.servehttp.com:3360

Attributes

activex_autorun
true
activex_key
{I78G8V27-88UF-2L1T-8064-2S8723OVASE8}
copy_executable
false
delete_original
true
host_id
HostId-%Rand%
keylogger_dir
C:\Users\Admin\AppData\Roaming\Logs\
lock_executable
false
mutex
TIrKHSHH
offline_keylogger
true
password
`+8n0x<gT)\"Lu5"'A`c?$H="
registry_autorun
true
startup_name
FirstRowAli
use_mutex
true

Targets

- Target
  
  0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225
- Size
  
  118KB
- MD5
  
  c2f29e7622b41f880b6bda678e7a5584
- SHA1
  
  42713213d71d7b8c57e3c79798ce6b99e41889e8
- SHA256
  
  0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225
- SHA512
  
  7177a3632486db69854dff5342e1a10258cabdbfe6077337d734a170cdee1a3f00c65c8f47e45bc26aef7f28c53874f760ec345d1ecbbdfe8d33f8d5b629600b
- SSDEEP
  
  3072:++z7JXnrdFzp886+RMPy5fWMwdWRgjnahKoutjKI7ehMx:Jz75nrz286+RMaLVRgjahKoS
Score

10^/10

netwire botnet discovery persistence rat stealer upx
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Netwire family
  netwire
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

Persistence

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

netwirebotnetdiscoverypersistenceratstealerupx

behavioral2

netwirebotnetdiscoverypersistenceratstealerupx

© 2018-2025

Terms | Privacy