netwire | 12bc63508f52ba13963e59a56f75d5554fb1aa2b973b16d5db520a011df135e6 | Triage

Submit
Reports

Overview

overview

Static

static

3

12bc63508f...6N.exe

windows7-x64

12bc63508f...6N.exe

windows10-2004-x64

Sharing

General

Target

12bc63508f52ba13963e59a56f75d5554fb1aa2b973b16d5db520a011df135e6N.exe
Size

385KB
Sample

250207-2jwy7aspen
MD5

512281e92d3b3b17ebd7d13adcab06d0
SHA1

65a5e333e325afa8ee05b3015fbfb89f5efdcd51
SHA256

12bc63508f52ba13963e59a56f75d5554fb1aa2b973b16d5db520a011df135e6
SHA512

ab03b5061bcaf7b536ce26f35b25608f92b0033802679cf4fe46fca543ff97f2e5117a0eb0d35e5c6ef168be345bf04ef6e284d9878bbb4f6ad14658b128362c
SSDEEP

6144:QSUomEUi3+sMZ3xEYIrQ3XF+v/Tt0jwVw2Zurr55CUoxUaxL:BUomEFRu3xEPEU/Xw2mr+qm

Score

10^/10

netwire botnet discovery persistence rat stealer

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

12bc63508f52ba13963e59a56f75d5554fb1aa2b973b16d5db520a011df135e6N.exe

Resource

win7-20241010-en

netwire botnet discovery persistence rat stealer

windows7-x64

12 signatures

120 seconds

Behavioral task

behavioral2

Sample

12bc63508f52ba13963e59a56f75d5554fb1aa2b973b16d5db520a011df135e6N.exe

Resource

win10v2004-20250207-en

netwire botnet discovery persistence rat stealer

windows10-2004-x64

14 signatures

120 seconds

Malware Config

Extracted

Family

netwire

C2

adidogoo.duckdns.org:49523

Attributes

activex_autorun
true
activex_key
{377W0J1T-0EJ3-2F64-B3NB-C83LV855G7TB}
copy_executable
true
delete_original
false
host_id
HostId-%Rand%
install_path
%AppData%\Install\Host.exe
keylogger_dir
%AppData%\dfrg\Logs\
lock_executable
false
mutex
jRjJvWdO
offline_keylogger
true
password
Password
registry_autorun
true
startup_name
Defrg
use_mutex
true

Targets

- Target
  
  12bc63508f52ba13963e59a56f75d5554fb1aa2b973b16d5db520a011df135e6N.exe
- Size
  
  385KB
- MD5
  
  512281e92d3b3b17ebd7d13adcab06d0
- SHA1
  
  65a5e333e325afa8ee05b3015fbfb89f5efdcd51
- SHA256
  
  12bc63508f52ba13963e59a56f75d5554fb1aa2b973b16d5db520a011df135e6
- SHA512
  
  ab03b5061bcaf7b536ce26f35b25608f92b0033802679cf4fe46fca543ff97f2e5117a0eb0d35e5c6ef168be345bf04ef6e284d9878bbb4f6ad14658b128362c
- SSDEEP
  
  6144:QSUomEUi3+sMZ3xEYIrQ3XF+v/Tt0jwVw2Zurr55CUoxUaxL:BUomEFRu3xEPEU/Xw2mr+qm
Score

10^/10

netwire botnet discovery persistence rat stealer
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Netwire family
  netwire
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

netwirebotnetdiscoverypersistenceratstealer

behavioral2

netwirebotnetdiscoverypersistenceratstealer

© 2018-2025

Terms | Privacy