netwire | a8a14ce7828e2b535969dacda21098712fdb541c1f0ffeae29423b3779a5eecd | Triage

Sharing

General

Target

JaffaCakes118_a8a14ce7828e2b535969dacda21098712fdb541c1f0ffeae29423b3779a5eecd
Size

271KB
Sample

241222-wyltwavmfz
MD5

aa43e96ee33fd21d86c4e64c70b6cfb2
SHA1

e9a8730a440338f7e112d6e99defff67b44bac85
SHA256

a8a14ce7828e2b535969dacda21098712fdb541c1f0ffeae29423b3779a5eecd
SHA512

f6d1d5b1891d29354123b54066922dc81465b107e9853f0898bbb2fe7b02b6f6ec2adf5acf7a40f37d8049b6df49f64442b938ed6b6c55d53d2649cb48148fb1
SSDEEP

6144:W5941BQwL5HHsji+6dU+92rC2BuH3NZY3Lxmzmy/Ywp7EB9NJKoJ:W5y1TL9q6+C2BIZkNmz//wNJlJ

Score

10^/10

netwire botnet discovery persistence rat stealer

Malware Config

Extracted

Family

netwire

C2

iphanyi.edns.biz:3360

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
RDP_SEPT_2022
install_path
%AppData%\Install\Host.exe
lock_executable
false
offline_keylogger
false
password
caster123
registry_autorun
false
use_mutex
false

Targets

- Target
  
  Screenshot_06.scr
- Size
  
  280KB
- MD5
  
  1ed5bcc01a8089fd6e3085a78e4956a7
- SHA1
  
  461fd6a2f8e29ebaf1f7e61f05ce1fe4ae4bca10
- SHA256
  
  31ea489cce90c230fba6c502d97bd1fb804f881194e4ee516fc29c8b27b10cc1
- SHA512
  
  e69959d5be1e1239f6903ff1a8a22379ee2fd9cba56231ae5dfc8f6cf39858601bf02152d903daeddfcc9335a2cb54ec38c030c9cb3017ef5f13f66a130c7621
- SSDEEP
  
  6144:cvhvCENP+urb1AlE72pkTbZi/02De/Tj58jaBWtZ1mG:CcbQUk5RwMTjkaBaz
Score

10^/10

netwire botnet discovery persistence rat stealer
- Modifies WinLogon for persistence
  persistence
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Netwire family
  netwire
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Winlogon Helper DLL

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

netwirebotnetdiscoverypersistenceratstealer

behavioral2

netwirebotnetdiscoverypersistenceratstealer