netwire | abd18b2d7cfc702e56442f2549808b301f2e0fc214cdf2230d5fbefc9620fd42

General

Target

RFQ-B201902-0064.exe
Size

1.7MB
MD5

d1af8a2f27162d95da244e967d122648
SHA1

9dbc59b6fedd41c1545b4244874608f7d6bd1ec8
SHA256

abd18b2d7cfc702e56442f2549808b301f2e0fc214cdf2230d5fbefc9620fd42
SHA512

ec6b8c4ec0878fa79f5679f0e1b0956b3c9ab15534256d7e0df483a1e0fe47dd64a6c1024bedd3262acf7945b178d13b12a87913f2b4bc17ec9860f197582154

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

RFQ-B201902-0064.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Temp\\RFQ-B201902-0064.exe\""	RFQ-B201902-0064.exe

NetWire RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3272-10-0x0000000000400000-0x0000000000434000-memory.dmp	netwire
behavioral2/memory/3272-11-0x000000000040242D-mapping.dmp	netwire
behavioral2/memory/3272-12-0x0000000000400000-0x0000000000434000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Drops startup file 2 IoCs

Processes:

RFQ-B201902-0064.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RFQ-B201902-0064.exe	RFQ-B201902-0064.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RFQ-B201902-0064.exe	RFQ-B201902-0064.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

RFQ-B201902-0064.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RFQ-B201902-0064.exe"	RFQ-B201902-0064.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\RFQ-B201902-0064.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RFQ-B201902-0064.exe"	RFQ-B201902-0064.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

RFQ-B201902-0064.exe

description pid process target process

PID 652 set thread context of 3272 652 RFQ-B201902-0064.exe RFQ-B201902-0064.exe

description	pid	process	target process
PID 652 set thread context of 3272	652	RFQ-B201902-0064.exe	RFQ-B201902-0064.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

RFQ-B201902-0064.exe

description	pid	process	target process
PID 652 wrote to memory of 3272	652	RFQ-B201902-0064.exe	RFQ-B201902-0064.exe
PID 652 wrote to memory of 3272	652	RFQ-B201902-0064.exe	RFQ-B201902-0064.exe
PID 652 wrote to memory of 3272	652	RFQ-B201902-0064.exe	RFQ-B201902-0064.exe
PID 652 wrote to memory of 3272	652	RFQ-B201902-0064.exe	RFQ-B201902-0064.exe
PID 652 wrote to memory of 3272	652	RFQ-B201902-0064.exe	RFQ-B201902-0064.exe
PID 652 wrote to memory of 3272	652	RFQ-B201902-0064.exe	RFQ-B201902-0064.exe
PID 652 wrote to memory of 3272	652	RFQ-B201902-0064.exe	RFQ-B201902-0064.exe
PID 652 wrote to memory of 3272	652	RFQ-B201902-0064.exe	RFQ-B201902-0064.exe
PID 652 wrote to memory of 3272	652	RFQ-B201902-0064.exe	RFQ-B201902-0064.exe
PID 652 wrote to memory of 3272	652	RFQ-B201902-0064.exe	RFQ-B201902-0064.exe
PID 652 wrote to memory of 3272	652	RFQ-B201902-0064.exe	RFQ-B201902-0064.exe
PID 652 wrote to memory of 3272	652	RFQ-B201902-0064.exe	RFQ-B201902-0064.exe

C:\Users\Admin\AppData\Local\Temp\RFQ-B201902-0064.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ-B201902-0064.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:652

C:\Users\Admin\AppData\Local\Temp\RFQ-B201902-0064.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ-B201902-0064.exe"
2⤵
PID:3272

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/652-2-0x0000000073FF0000-0x00000000746DE000-memory.dmp

Filesize
6.9MB

Download
memory/652-3-0x0000000000550000-0x0000000000551000-memory.dmp

Filesize
4KB

Download
memory/652-5-0x0000000004F30000-0x0000000004F31000-memory.dmp

Filesize
4KB

Download
memory/652-6-0x00000000054D0000-0x00000000054D1000-memory.dmp

Filesize
4KB

Download
memory/652-7-0x0000000005070000-0x0000000005071000-memory.dmp

Filesize
4KB

Download
memory/652-8-0x0000000004FE0000-0x0000000004FE1000-memory.dmp

Filesize
4KB

Download
memory/652-9-0x0000000004FF0000-0x000000000502E000-memory.dmp

Filesize
248KB

Download
memory/3272-10-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3272-11-0x000000000040242D-mapping.dmp

Download
memory/3272-12-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads