netwire | b50684c8b67697c9c76aca764ef225bd01eef031976a5237cdbafa0dba98f7f3 | Triage

Submit
Reports

Overview

overview

Static

static

3

784219977E...BE.exe

windows7-x64

784219977E...BE.exe

windows10-2004-x64

Sharing

General

Target

JaffaCakes118_b50684c8b67697c9c76aca764ef225bd01eef031976a5237cdbafa0dba98f7f3
Size

41.4MB
Sample

241222-fq3jnavncp
MD5

3b25bc5a0ec7e70cc5c5f7cd9aa5c6ed
SHA1

4568d5a902db14cc05330b3a335b0378b1718555
SHA256

b50684c8b67697c9c76aca764ef225bd01eef031976a5237cdbafa0dba98f7f3
SHA512

efc06792bca86a4f675e0c0e0d484a715a66b55c4798bc97f805fd1418e3c486ba07858966f9d65acc8c140ba447cdc582bd1623ec1de7b4de7974dbfdaf76e6
SSDEEP

786432:LCIQdlGSFWCUKDGf5QPgUYKhRNwudNLjQWF4p9Cz6kmTBGLG:LCIQj9DiQPgUYmRNwudNoWF4pU66LG

Score

10^/10

netwire botnet discovery execution rat stealer

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

784219977EC25385FA9EBBA5E4F7BD26F9807A7695B9BB3BA5FB910CAB8061BE.exe

Resource

win7-20240903-en

discovery execution

windows7-x64

11 signatures

150 seconds

Behavioral task

behavioral2

Sample

784219977EC25385FA9EBBA5E4F7BD26F9807A7695B9BB3BA5FB910CAB8061BE.exe

Resource

win10v2004-20241007-en

netwire botnet discovery execution rat stealer

windows10-2004-x64

18 signatures

150 seconds

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://i.top4top.io/m_1891i29ay1.mp4

Extracted

Family

netwire

C2

alice2019.myftp.biz:3360

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
FRAPPE2021
lock_executable
false
offline_keylogger
false
password
Password
registry_autorun
false
use_mutex
false

Targets

- Target
  
  784219977EC25385FA9EBBA5E4F7BD26F9807A7695B9BB3BA5FB910CAB8061BE
- Size
  
  41.4MB
- MD5
  
  718ed13004aee0ac798c8ba3a6a611b1
- SHA1
  
  d4e03ba4ed89c82a50f4b0286b41ccba5c2fbe26
- SHA256
  
  784219977ec25385fa9ebba5e4f7bd26f9807a7695b9bb3ba5fb910cab8061be
- SHA512
  
  ee06e514905c642bc772f5a38408bac22da3ec82920aa346d374cd7a6c3f64f178bfaa7a6273c820e7dd82ec8cafe8dbd45685c9e68e710f3a0a4b400b1c2c69
- SSDEEP
  
  786432:cIVnXbLTKsTSBIildiswnDD5fuksujJi9gGGDFYUzgzZrBevOJ4j2QGwcrgbW:1VsI+5EfJsG09sFYUzk8vOJ8gwcrSW
Score

10^/10

discovery execution netwire botnet rat stealer
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Netwire family
  netwire
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

discoveryexecution

behavioral2

netwirebotnetdiscoveryexecutionratstealer

© 2018-2025

Terms | Privacy