netwire | 9a228e0b3c3045347437fea03f4f54029f5ae0d98d48c3e84683a67c4cd36960 | Triage

Sharing

General

Target

JaffaCakes118_9a228e0b3c3045347437fea03f4f54029f5ae0d98d48c3e84683a67c4cd36960
Size

317KB
Sample

241230-yw3eysyrfz
MD5

a7c59c7d37b243df368af892ed26a1d2
SHA1

3c3673dc7e0d0cc00ecc12a1263962304ea7ca68
SHA256

9a228e0b3c3045347437fea03f4f54029f5ae0d98d48c3e84683a67c4cd36960
SHA512

908ebcc98c2e3e6ea49a148a26f1d015d091bf36eace5ec0ca32c43fbb72a583f8c083fe1cc23fc5bfde03d7e0a3b5d72e595646f5ecfca416dc1f072c8d29ab
SSDEEP

6144:nt22OeXKYcUiUlT6plGz11a1MD9DxkhwyCbIhFP0VP:nPxlOplGm1M9DxkhwyNhqVP

Score

10^/10

netwire botnet discovery execution rat stealer

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://pastebin.com/raw/UQ6WhkQb

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://pastebin.com/raw/cjNL9r6c

Extracted

Family

netwire

C2

alice2019.myftp.biz:3360

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
OSCARO2021
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
Password
registry_autorun
false
use_mutex
false

Targets

- Target
  
  C64A54B3D28B6E21F228CE31252ED060CBC4DF936EA074BB4926B793DBC97D93
- Size
  
  401KB
- MD5
  
  a07d9930e3a888839daf68ca4486aa4c
- SHA1
  
  d608ec0dd8f778f5820fb33720256da28e0db19b
- SHA256
  
  c64a54b3d28b6e21f228ce31252ed060cbc4df936ea074bb4926b793dbc97d93
- SHA512
  
  bda8cafa576e8e1e30ec0b267a66cfb01c0624339f49ef3dc5901d9ad39b8ca94d813141de49a52956112641b73273121c3c0349e695439748ddfabe71606b7a
- SSDEEP
  
  12288:7ANwRo+mv8QD4+0V16caYp4SfTgM/gBNkcbma:7AT8QE+kvlfTgTBNkcX
Score

10^/10

discovery execution netwire botnet rat stealer
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Netwire family
  netwire
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

discoveryexecution

behavioral2

netwirebotnetdiscoveryexecutionratstealer