netwire

General

Target

d1c0185b2941ce20e3c6b02d7ff16d0106b5e690166f787b937338f6fe2df8ea.exe
Size

682KB
Sample

250116-tnxghsyqdl
MD5

327df3dffa9f016c2873040c0a889b4f
SHA1

ea386560a9da0a4eb3cc681abbc600a76a37af5c
SHA256

d1c0185b2941ce20e3c6b02d7ff16d0106b5e690166f787b937338f6fe2df8ea
SHA512

8df1e94a459b83520b65099eb9678a162ff22219090bd0d9b7d9350ab623d9c92a2974b0fbfb5ac861d038a4212243239e9bb620ccfd9585f3419030c52ea03f
SSDEEP

12288:VquErHF6xC9D6DmR1J98w4oknqOKwQAYBrt1F4Uy2Rmqb5BNrU5jNSHZaCn:orl6kD68JmloO6B58NqmqbH5UfS0Cn

Score

10^/10

Malware Config

Extracted

Family

netwire

C2

wordoffice.duckdns.org:6988

Attributes

activex_autorun
false
copy_executable
false
delete_original
true
host_id
HostId-%Rand%
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
buSWjWbk
offline_keylogger
true
password
123
registry_autorun
false
use_mutex
true

Targets

- Target
  
  d1c0185b2941ce20e3c6b02d7ff16d0106b5e690166f787b937338f6fe2df8ea.exe
- Size
  
  682KB
- MD5
  
  327df3dffa9f016c2873040c0a889b4f
- SHA1
  
  ea386560a9da0a4eb3cc681abbc600a76a37af5c
- SHA256
  
  d1c0185b2941ce20e3c6b02d7ff16d0106b5e690166f787b937338f6fe2df8ea
- SHA512
  
  8df1e94a459b83520b65099eb9678a162ff22219090bd0d9b7d9350ab623d9c92a2974b0fbfb5ac861d038a4212243239e9bb620ccfd9585f3419030c52ea03f
- SSDEEP
  
  12288:VquErHF6xC9D6DmR1J98w4oknqOKwQAYBrt1F4Uy2Rmqb5BNrU5jNSHZaCn:orl6kD68JmloO6B58NqmqbH5UfS0Cn
Score

10^/10

netwire botnet discovery rat stealer upx
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Netwire family
  netwire
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

NetWire RAT payload

Netwire family

AutoIT Executable

Suspicious use of SetThreadContext

UPX packed file

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2