netwire | 3a2e02b09f40f8f5a772867049e5afd1196d994ae1e78bca6de331684df44ef7 | Triage

Sharing

General

Target

JaffaCakes118_692f09862fc04949c9eb50373bd46ba0
Size

356KB
Sample

250103-azt1zsvqar
MD5

692f09862fc04949c9eb50373bd46ba0
SHA1

f24b24219e66ff60c6779ac48cd51332b2217b79
SHA256

3a2e02b09f40f8f5a772867049e5afd1196d994ae1e78bca6de331684df44ef7
SHA512

e1b0e3e65f814320022d03411d055e13c0986c5c2a4494629ed71ca3515749084c3a4d5ef292bd7109a7cff73989a38feadefdb4ea1314d4756e12ee66c8eae3
SSDEEP

6144:YREth6OE4b+zQbO43MklZ6aMLZt4ArwRv47ocSpCXsEDiRWkqghKLCJD3monL:5X6BiyMMI04ArDx3Ds3KLCd2S

Score

10^/10

netwire botnet defense_evasion discovery persistence rat stealer

Malware Config

Extracted

Family

netwire

C2

teamviewer.ddns.net:3360

local.cable-modem.org:3360

tvnserver.serveftp.com:3360

Attributes

activex_autorun
true
activex_key
{14KSXKQ0-JJJT-Y358-8D63-IU887U6Y74EA}
copy_executable
true
delete_original
true
host_id
HostId-%Rand%
install_path
%AppData%\Install\Host.exe
keylogger_dir
%AppData%\Logs\
lock_executable
true
mutex
eHCXhHXM
offline_keylogger
true
password
anjing
registry_autorun
true
startup_name
tvnservers
use_mutex
true

Targets

- Target
  
  JaffaCakes118_692f09862fc04949c9eb50373bd46ba0
- Size
  
  356KB
- MD5
  
  692f09862fc04949c9eb50373bd46ba0
- SHA1
  
  f24b24219e66ff60c6779ac48cd51332b2217b79
- SHA256
  
  3a2e02b09f40f8f5a772867049e5afd1196d994ae1e78bca6de331684df44ef7
- SHA512
  
  e1b0e3e65f814320022d03411d055e13c0986c5c2a4494629ed71ca3515749084c3a4d5ef292bd7109a7cff73989a38feadefdb4ea1314d4756e12ee66c8eae3
- SSDEEP
  
  6144:YREth6OE4b+zQbO43MklZ6aMLZt4ArwRv47ocSpCXsEDiRWkqghKLCJD3monL:5X6BiyMMI04ArDx3Ds3KLCd2S
Score

10^/10

netwire botnet defense_evasion discovery persistence rat stealer
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Netwire family
  netwire
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Hijack Execution Flow

DLL Search Order Hijacking

Privilege Escalation

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Hijack Execution Flow

DLL Search Order Hijacking

Defense Evasion

Hijack Execution Flow

DLL Search Order Hijacking

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

netwirebotnetdefense_evasiondiscoverypersistenceratstealer

behavioral2

netwirebotnetdefense_evasiondiscoverypersistenceratstealer