netwire | 166fbb6582d9134b959740aa61483aa2d1a7a3cc75fce51c186a2338c3d59c5a | Triage

Submit
Reports

Overview

overview

Static

static

5

7654eb53d4...3c.exe

windows7-x64

7654eb53d4...3c.exe

windows10-2004-x64

Sharing

General

Target

JaffaCakes118_166fbb6582d9134b959740aa61483aa2d1a7a3cc75fce51c186a2338c3d59c5a
Size

2.8MB
Sample

241225-qkkrrstpfp
MD5

418fa15769c1c86fc48c2998160c9eeb
SHA1

cb219f11b8f92593d1ae3c5c21137952584949c7
SHA256

166fbb6582d9134b959740aa61483aa2d1a7a3cc75fce51c186a2338c3d59c5a
SHA512

46634ec127d56fa982b82ce28d03f46beb1dc5c6e03d1a438411cd960638f80512f51fc75bed1632f0b4dfa3d4e43eabf86552cf0ce4a3216504334c42c0ab83
SSDEEP

49152:ERGUQKc8qVoo+BPOJ2JYrvERFgvcicDO939QN7C3e4AZNeCEbSVS7L:aGz8y+BA2JBScicS939QNu3zu4CEx/

Score

10^/10

netwire botnet discovery persistence rat stealer

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

7654eb53d495fab9d93ca0d1deb92538536c3fb8a01619615328ae70d365243c.exe

Resource

win7-20241010-en

netwire botnet discovery persistence rat stealer

windows7-x64

11 signatures

150 seconds

Behavioral task

behavioral2

Sample

7654eb53d495fab9d93ca0d1deb92538536c3fb8a01619615328ae70d365243c.exe

Resource

win10v2004-20241007-en

netwire botnet discovery persistence rat stealer

windows10-2004-x64

11 signatures

150 seconds

Malware Config

Extracted

Family

netwire

C2

clients.enigmasolutions.xyz:54573

Attributes

activex_autorun
false
copy_executable
true
delete_original
false
host_id
Cleint-%Rand%
install_path
%AppData%\Microsoft\Speech\eurj.exe
keylogger_dir
%AppData%\msr\
lock_executable
false
offline_keylogger
true
password
\tx>N(6H`Om2k/cWJBp,""bUbAd1-0Mg
registry_autorun
true
startup_name
eurj
use_mutex
false

Targets

- Target
  
  7654eb53d495fab9d93ca0d1deb92538536c3fb8a01619615328ae70d365243c
- Size
  
  3.1MB
- MD5
  
  53b5306d77c1b44d375ebca82dd680ce
- SHA1
  
  49ecb91d93136097f0cf9b6691effdf6fe4b755c
- SHA256
  
  7654eb53d495fab9d93ca0d1deb92538536c3fb8a01619615328ae70d365243c
- SHA512
  
  1e5baf3f7d892fb7ef1abe9ddf6bc28c039c764c730e3837bea57719579f507eff965688efc6cbdc74259640cb5f500102f51111dda5a434e5f01686babcc8e3
- SSDEEP
  
  49152:ch+ZkldoPK8YaYT6Ce9IwaCVV6GGMSqBhjwjHsNaw1kFe0wrkKqFKyqgUqvxu1yQ:N2cPK8hIwaeV6GG9iawuFB6NDglk1P
Score

10^/10

netwire botnet discovery persistence rat stealer
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Netwire family
  netwire
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

netwirebotnetdiscoverypersistenceratstealer

behavioral2

netwirebotnetdiscoverypersistenceratstealer

© 2018-2025

Terms | Privacy