netwire | fd43f0a3aa3122d62d50085980767dba08ddfeef9db3bfbb6ba31d1bcc720594

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
09/03/2025, 01:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-03-09_5fe11b99b677a2003daabb664d6c0fcf_bkransomware_hijackloader.exe
Size

3.3MB
MD5

5fe11b99b677a2003daabb664d6c0fcf
SHA1

fc867bb1da1d509e77c21e72915e64f74f600c0e
SHA256

fd43f0a3aa3122d62d50085980767dba08ddfeef9db3bfbb6ba31d1bcc720594
SHA512

cd6907c3d18b8410370397a2d266361b78e552a89d0d9f1fdc1d9d0b802029c08a40aff77cd61758218a7ed37eeb4aeab4d8235000c995191418a7b7a548b7fa
SSDEEP

98304:EaAHG4Ah2icXUrTFrE2cInIpzd5TGFLOAkGkz9YgBjHKnP7:t9w++pzd5TGFLOPYgHKnP7

Score

10^/10

netwire botnet discovery rat stealer

Malware Config

Extracted

Family

netwire

s2awscloudupdates.com:8081

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
lock_executable
false
offline_keylogger
false
password
happy666
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 4 IoCs

rat

resource	yara_rule
behavioral1/memory/1732-1-0x0000000000310000-0x0000000000355000-memory.dmp	netwire
behavioral1/memory/1732-3-0x0000000000360000-0x00000000003AF000-memory.dmp	netwire
behavioral1/memory/1732-2-0x0000000000360000-0x00000000003AF000-memory.dmp	netwire
behavioral1/memory/1732-4-0x0000000000360000-0x00000000003AF000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Netwire family
netwire

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-03-09_5fe11b99b677a2003daabb664d6c0fcf_bkransomware_hijackloader.exe

C:\Users\Admin\AppData\Local\Temp\2025-03-09_5fe11b99b677a2003daabb664d6c0fcf_bkransomware_hijackloader.exe
"C:\Users\Admin\AppData\Local\Temp\2025-03-09_5fe11b99b677a2003daabb664d6c0fcf_bkransomware_hijackloader.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:1732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1732-0-0x0000000000400000-0x0000000000754000-memory.dmp

Filesize
3.3MB

Download
memory/1732-1-0x0000000000310000-0x0000000000355000-memory.dmp

Filesize
276KB

Download
memory/1732-3-0x0000000000360000-0x00000000003AF000-memory.dmp

Filesize
316KB

Download
memory/1732-2-0x0000000000360000-0x00000000003AF000-memory.dmp

Filesize
316KB

Download
memory/1732-4-0x0000000000360000-0x00000000003AF000-memory.dmp

Filesize
316KB

Download
memory/1732-5-0x0000000000400000-0x0000000000754000-memory.dmp

Filesize
3.3MB

Download