netwire | a854daae51fa94c185b26687c0f8f2358be39034d1b41bd67c1f2069e1659d86 | Triage

Submit
Reports

Overview

overview

Static

static

5

BBVA_CONTINENTAL.exe

windows7-x64

BBVA_CONTINENTAL.exe

windows10-2004-x64

Sharing

General

Target

a854daae51fa94c185b26687c0f8f2358be39034d1b41bd67c1f2069e1659d86.zip
Size

458KB
Sample

250327-ahrjjavvht
MD5

c8246d7589ddddecdaecd6e4c01e8620
SHA1

b34eb5f1dd12d390db2547bdfe137e3e1161c71c
SHA256

a854daae51fa94c185b26687c0f8f2358be39034d1b41bd67c1f2069e1659d86
SHA512

9c911ad5c5ae741a8c3ddad5532f9022d02f25b636d8718f793f9466e29635358ffd28af061362ef49f1b1d2c36945d53bcb378f51bb715358bb43d21430a34e
SSDEEP

12288:2/vewwjUvKLu7NUGmOOVgcXwY//yE5T4E:2/mHUqV3XwcyEOE

Score

10^/10

netwire botnet discovery persistence rat stealer upx

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

BBVA_CONTINENTAL.exe

Resource

win7-20241010-en

netwire botnet discovery persistence rat stealer upx

windows7-x64

13 signatures

150 seconds

Behavioral task

behavioral2

Sample

BBVA_CONTINENTAL.exe

Resource

win10v2004-20250314-en

netwire botnet discovery persistence rat stealer upx

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Extracted

Family

netwire

C2

43.226.229.43:2030

Attributes

activex_autorun
false
copy_executable
true
delete_original
false
host_id
Omega
install_path
%AppData%\Install\Host.exe
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
Password
registry_autorun
true
startup_name
NetWire
use_mutex
false

Targets

- Target
  
  BBVA_CONTINENTAL.exe
- Size
  
  475KB
- MD5
  
  c621bbe4050616a3e086eff0003c0739
- SHA1
  
  5527d8ab10c04aea8d149d9056199895b7d79d0e
- SHA256
  
  de7a446a8d4bd4c53ba8ac5b909252692e79b27cd9e7abb6396e62e22274b3b4
- SHA512
  
  1fc11eaab31db24b848d11097ff9abd1cd3603f34db875dc45328f21ac1a12f6e32da271600035639e8b41e4c6ba6d21bb0fbeeec3d5d3cc70c4a3c6c33bec00
- SSDEEP
  
  12288:talGzgvpec7Cmv1BdWw/2xv3GdfzF4yFv:6TAc+PwexedfjFv
Score

10^/10

netwire botnet discovery persistence rat stealer upx
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Netwire family
  netwire
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

netwirebotnetdiscoverypersistenceratstealerupx

behavioral2

netwirebotnetdiscoverypersistenceratstealerupx

© 2018-2025

Terms | Privacy