netwire | 7b2bca7cd4dea6c148024bc91d0918b28f9993462cc7199aa6ee32256f0d2b80 | Triage

Sharing

General

Target

2025-04-05_e873d3db9c5dedf47bb49b01711f53d7_amadey_smoke-loader
Size

23.0MB
Sample

250405-rybaxsy1dx
MD5

e873d3db9c5dedf47bb49b01711f53d7
SHA1

08e06fc6afa397e431ad7ca4c0e3265acf713948
SHA256

7b2bca7cd4dea6c148024bc91d0918b28f9993462cc7199aa6ee32256f0d2b80
SHA512

6897c2351f4b73ad641621ed819c6086249922d3cd9fde3bef5770cb0415176ea4ab49291b2b212342607c82ddadb3e583ad2280bb05d9f6445155d2930cce30
SSDEEP

393216:Q8t/QCMfMwqfGr8vOu7deqcbOL78sJwf5tyDAn5aYKLW6:n1QtUwJu5eNo0f5EDAn1KR

Score

10^/10

netwire remcos spot1511 botnet discovery persistence rat stealer

Malware Config

Extracted

Family

remcos

Version

2.5.0 Pro

Botnet

Spot1511

C2

nvdiedico.knowsitall.info:3297

dico.is-a-hard-worker.com:3297

roxy.is-by.us:3297

nicholds.dyndns-web.com:3297

nvdiedicozeus.dyndns-web.com:3297

nvdieroxy.servebbs.org:3297

nvdiedicob.is-a-chef.org:3297

nerverdieorcus.is-a-doctor.com:3297

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
rmlogs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Rmxplgdatas-ORUCBL
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
wikipedia;solitaire;

Extracted

Family

netwire

C2

wire.mine.nu:9702

dico.is-very-bad.org:9702

roxy.dynalias.net:9702

regiskm67.buyshouses.net:9702

zeusnodie.mypets.ws:9702

nvdiedicobies.is-a-hard-worker.com:9702

nvdieroxy.kicks-ass.net:9702

nvdiedicozeuse.webhop.org:9702

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
Spot1411
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
Entubebd
offline_keylogger
true
password
0000
registry_autorun
false
use_mutex
true

Targets

- Target
  
  2025-04-05_e873d3db9c5dedf47bb49b01711f53d7_amadey_smoke-loader
- Size
  
  23.0MB
- MD5
  
  e873d3db9c5dedf47bb49b01711f53d7
- SHA1
  
  08e06fc6afa397e431ad7ca4c0e3265acf713948
- SHA256
  
  7b2bca7cd4dea6c148024bc91d0918b28f9993462cc7199aa6ee32256f0d2b80
- SHA512
  
  6897c2351f4b73ad641621ed819c6086249922d3cd9fde3bef5770cb0415176ea4ab49291b2b212342607c82ddadb3e583ad2280bb05d9f6445155d2930cce30
- SSDEEP
  
  393216:Q8t/QCMfMwqfGr8vOu7deqcbOL78sJwf5tyDAn5aYKLW6:n1QtUwJu5eNo0f5EDAn1KR
Score

10^/10

netwire remcos spot1511 botnet discovery persistence rat stealer
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Netwire family
  netwire
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

netwireremcosspot1511botnetdiscoverypersistenceratstealer