netwire | ed35c68140708c925b977f312b250bc247ddabcd52151be10d6d655d1ffe3b12 | Triage

Sharing

General

Target

JaffaCakes118_ed35c68140708c925b977f312b250bc247ddabcd52151be10d6d655d1ffe3b12
Size

499KB
Sample

241222-xd1mzawlem
MD5

de8a349133f1e75d532abf15ed1b063a
SHA1

804c7e853d2fa70b6ccb52b3b1866f79f3745988
SHA256

ed35c68140708c925b977f312b250bc247ddabcd52151be10d6d655d1ffe3b12
SHA512

c6eeeeb44eaebd507ffbfd52c3f61036dba218125ac17b83ec47fcd5fe68c276e25be2d38b06293c09077e5bdfbfbc68b72ba6814a27fbbb9082b0622b41274a
SSDEEP

6144:D3F/dnFZnDkmbaw89FIPlplie1u89w7ipeoyPcEURraUrkSk0D1XZaV694uBp5Mz:x/lbDkmbawsF2blBu8eipe1cjPCpzdf

Score

10^/10

netwire botnet discovery execution persistence rat stealer

Malware Config

Extracted

Family

netwire

C2

kingshakes1.linkpc.net:8181

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
Kingshakes
install_path
%AppData%\Windows\Update.exe
lock_executable
false
mutex
cTIkpmVV
offline_keylogger
false
password
Password
registry_autorun
false
use_mutex
false

Targets

- Target
  
  JaffaCakes118_ed35c68140708c925b977f312b250bc247ddabcd52151be10d6d655d1ffe3b12
- Size
  
  499KB
- MD5
  
  de8a349133f1e75d532abf15ed1b063a
- SHA1
  
  804c7e853d2fa70b6ccb52b3b1866f79f3745988
- SHA256
  
  ed35c68140708c925b977f312b250bc247ddabcd52151be10d6d655d1ffe3b12
- SHA512
  
  c6eeeeb44eaebd507ffbfd52c3f61036dba218125ac17b83ec47fcd5fe68c276e25be2d38b06293c09077e5bdfbfbc68b72ba6814a27fbbb9082b0622b41274a
- SSDEEP
  
  6144:D3F/dnFZnDkmbaw89FIPlplie1u89w7ipeoyPcEURraUrkSk0D1XZaV694uBp5Mz:x/lbDkmbawsF2blBu8eipe1cjPCpzdf
Score

10^/10

netwire botnet discovery execution persistence rat stealer
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Netwire family
  netwire
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

JavaScript

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

netwirebotnetdiscoveryexecutionpersistenceratstealer

behavioral2

netwirebotnetdiscoveryexecutionpersistenceratstealer