netwire

Resubmissions

13-01-2025 05:32

250113-f8h8qs1jgk 10

12-01-2025 18:52

250112-xh8t5sxjcq 10

Sharing

Copy URL

Twitter E-mail

General

Target

7848a7141ed6c9d46d796a4e6d215a41f7ef46d19a97c89431773292f4eb519c.exe
Size

1.4MB
Sample

250113-f8h8qs1jgk
MD5

95e5738e169f05136d6c4e9c4f1b9729
SHA1

c6188d7277f43d23531a5fb7ceeeb52059832441
SHA256

7848a7141ed6c9d46d796a4e6d215a41f7ef46d19a97c89431773292f4eb519c
SHA512

14e583dce536ba93f804d9741a3014ead1d992f9758b7d56048ac264cb0133d5030b26f778980e137030c6e92c9f563eb82f933ecfb7d0517b96a50282bf201a
SSDEEP

24576:ru6J3xO0c+JY5UZ+XCHkGso6Fa720W4njUprvVcC1f2o5RRfgdWYr:Fo0c++OCokGs9Fa+rd1f26RNYr

Score

10^/10

Malware Config

Extracted

Family

netwire

Wealthy2019.com.strangled.net:20190

wealthyme.ddns.net:20190

Attributes

activex_autorun
false
copy_executable
true
delete_original
false
host_id
sunshineslisa
install_path
%AppData%\Imgburn\Host.exe
keylogger_dir
%AppData%\Logs\Imgburn\
lock_executable
false
offline_keylogger
true
password
sucess
registry_autorun
false
use_mutex
false

Extracted

Family

warzonerat

wealth.warzonedns.com:5202

Targets

- Target
  
  7848a7141ed6c9d46d796a4e6d215a41f7ef46d19a97c89431773292f4eb519c.exe
- Size
  
  1.4MB
- MD5
  
  95e5738e169f05136d6c4e9c4f1b9729
- SHA1
  
  c6188d7277f43d23531a5fb7ceeeb52059832441
- SHA256
  
  7848a7141ed6c9d46d796a4e6d215a41f7ef46d19a97c89431773292f4eb519c
- SHA512
  
  14e583dce536ba93f804d9741a3014ead1d992f9758b7d56048ac264cb0133d5030b26f778980e137030c6e92c9f563eb82f933ecfb7d0517b96a50282bf201a
- SSDEEP
  
  24576:ru6J3xO0c+JY5UZ+XCHkGso6Fa720W4njUprvVcC1f2o5RRfgdWYr:Fo0c++OCokGs9Fa+rd1f26RNYr
Score

10^/10

netwire warzonerat botnet discovery infostealer rat stealer
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Netwire family
  netwire
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Warzonerat family
  warzonerat
- Warzone RAT payload
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Suspicious use of SetThreadContext
behavioral1 behavioral10 behavioral2 behavioral3 behavioral4 behavioral5 behavioral6 behavioral7 behavioral8 behavioral9

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Resubmissions

Sharing

General

Malware Config

Extracted

Extracted

Targets

NetWire RAT payload

Netwire family

WarzoneRat, AveMaria

Warzonerat family

Warzone RAT payload

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

AutoIT Executable

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10