netwire | b6c6f8ac58b7838c87ccf2b36b2f7005c6dd86792575e1e8c7ccce30d7d6a878

General

Target

b61d866837ca60df01c1465e028db4c9.exe
Size

3.3MB
MD5

b61d866837ca60df01c1465e028db4c9
SHA1

53d4b6d751dcbf1cf6d8de3f8f50aedc2896d66a
SHA256

b6c6f8ac58b7838c87ccf2b36b2f7005c6dd86792575e1e8c7ccce30d7d6a878
SHA512

f02ece67642717bc55896d8802c6011e7023741583f05c09d626d326b5eba968ba3e7ccdde9c846d62389caf9ed9f6d63977fec2bd57195203f1b79cfff78070

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Signatures

NetWire RAT payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1784-3-0x000000000009242D-mapping.dmp	netwire
behavioral1/memory/1784-2-0x0000000000090000-0x00000000000C0000-memory.dmp	netwire
behavioral1/memory/1784-4-0x0000000000090000-0x00000000000C0000-memory.dmp	netwire
behavioral1/memory/2020-12-0x000000000009242D-mapping.dmp	netwire
behavioral1/memory/2020-14-0x0000000000090000-0x00000000000C0000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 2 IoCs

Processes:

fers.exefers.exe

pid process

1664 fers.exe
2020 fers.exe
Loads dropped DLL 2 IoCs

Processes:

b61d866837ca60df01c1465e028db4c9.exefers.exe

pid process

1784 b61d866837ca60df01c1465e028db4c9.exe
1664 fers.exe

pid	process
1664	fers.exe
2020	fers.exe

pid	process
1784	b61d866837ca60df01c1465e028db4c9.exe
1664	fers.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

fers.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	fers.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\fers = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\fers.exe"	fers.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

b61d866837ca60df01c1465e028db4c9.exefers.exe

description	pid	process	target process
PID 2044 set thread context of 1784	2044	b61d866837ca60df01c1465e028db4c9.exe	b61d866837ca60df01c1465e028db4c9.exe
PID 1664 set thread context of 2020	1664	fers.exe	fers.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

b61d866837ca60df01c1465e028db4c9.exeb61d866837ca60df01c1465e028db4c9.exefers.exe

description	pid	process	target process
PID 2044 wrote to memory of 1784	2044	b61d866837ca60df01c1465e028db4c9.exe	b61d866837ca60df01c1465e028db4c9.exe
PID 2044 wrote to memory of 1784	2044	b61d866837ca60df01c1465e028db4c9.exe	b61d866837ca60df01c1465e028db4c9.exe
PID 2044 wrote to memory of 1784	2044	b61d866837ca60df01c1465e028db4c9.exe	b61d866837ca60df01c1465e028db4c9.exe
PID 2044 wrote to memory of 1784	2044	b61d866837ca60df01c1465e028db4c9.exe	b61d866837ca60df01c1465e028db4c9.exe
PID 2044 wrote to memory of 1784	2044	b61d866837ca60df01c1465e028db4c9.exe	b61d866837ca60df01c1465e028db4c9.exe
PID 2044 wrote to memory of 1784	2044	b61d866837ca60df01c1465e028db4c9.exe	b61d866837ca60df01c1465e028db4c9.exe
PID 2044 wrote to memory of 1784	2044	b61d866837ca60df01c1465e028db4c9.exe	b61d866837ca60df01c1465e028db4c9.exe
PID 2044 wrote to memory of 1784	2044	b61d866837ca60df01c1465e028db4c9.exe	b61d866837ca60df01c1465e028db4c9.exe
PID 2044 wrote to memory of 1784	2044	b61d866837ca60df01c1465e028db4c9.exe	b61d866837ca60df01c1465e028db4c9.exe
PID 1784 wrote to memory of 1664	1784	b61d866837ca60df01c1465e028db4c9.exe	fers.exe
PID 1784 wrote to memory of 1664	1784	b61d866837ca60df01c1465e028db4c9.exe	fers.exe
PID 1784 wrote to memory of 1664	1784	b61d866837ca60df01c1465e028db4c9.exe	fers.exe
PID 1784 wrote to memory of 1664	1784	b61d866837ca60df01c1465e028db4c9.exe	fers.exe
PID 1784 wrote to memory of 1664	1784	b61d866837ca60df01c1465e028db4c9.exe	fers.exe
PID 1784 wrote to memory of 1664	1784	b61d866837ca60df01c1465e028db4c9.exe	fers.exe
PID 1784 wrote to memory of 1664	1784	b61d866837ca60df01c1465e028db4c9.exe	fers.exe
PID 1664 wrote to memory of 2020	1664	fers.exe	fers.exe
PID 1664 wrote to memory of 2020	1664	fers.exe	fers.exe
PID 1664 wrote to memory of 2020	1664	fers.exe	fers.exe
PID 1664 wrote to memory of 2020	1664	fers.exe	fers.exe
PID 1664 wrote to memory of 2020	1664	fers.exe	fers.exe
PID 1664 wrote to memory of 2020	1664	fers.exe	fers.exe
PID 1664 wrote to memory of 2020	1664	fers.exe	fers.exe
PID 1664 wrote to memory of 2020	1664	fers.exe	fers.exe
PID 1664 wrote to memory of 2020	1664	fers.exe	fers.exe

C:\Users\Admin\AppData\Local\Temp\b61d866837ca60df01c1465e028db4c9.exe
"C:\Users\Admin\AppData\Local\Temp\b61d866837ca60df01c1465e028db4c9.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2044

C:\Users\Admin\AppData\Local\Temp\b61d866837ca60df01c1465e028db4c9.exe
C:\Users\Admin\AppData\Local\Temp\b61d866837ca60df01c1465e028db4c9.exe
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1784

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\fers.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\fers.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1664

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\fers.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\fers.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2020

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\fers.exe
MD5
b61d866837ca60df01c1465e028db4c9

SHA1
53d4b6d751dcbf1cf6d8de3f8f50aedc2896d66a

SHA256
b6c6f8ac58b7838c87ccf2b36b2f7005c6dd86792575e1e8c7ccce30d7d6a878

SHA512
f02ece67642717bc55896d8802c6011e7023741583f05c09d626d326b5eba968ba3e7ccdde9c846d62389caf9ed9f6d63977fec2bd57195203f1b79cfff78070

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\fers.exe
MD5
b61d866837ca60df01c1465e028db4c9

SHA1
53d4b6d751dcbf1cf6d8de3f8f50aedc2896d66a

SHA256
b6c6f8ac58b7838c87ccf2b36b2f7005c6dd86792575e1e8c7ccce30d7d6a878

SHA512
f02ece67642717bc55896d8802c6011e7023741583f05c09d626d326b5eba968ba3e7ccdde9c846d62389caf9ed9f6d63977fec2bd57195203f1b79cfff78070

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\fers.exe
MD5
b61d866837ca60df01c1465e028db4c9

SHA1
53d4b6d751dcbf1cf6d8de3f8f50aedc2896d66a

SHA256
b6c6f8ac58b7838c87ccf2b36b2f7005c6dd86792575e1e8c7ccce30d7d6a878

SHA512
f02ece67642717bc55896d8802c6011e7023741583f05c09d626d326b5eba968ba3e7ccdde9c846d62389caf9ed9f6d63977fec2bd57195203f1b79cfff78070

Download Submit
C:\Users\Admin\AppData\Roaming\trftkoxoicklgdxkctuphueti84738.png
MD5
8c6e2f2f47f6433efebd829c18f864d1

SHA1
15ebffc420841a18c1d47b6b40cfd9e7c632cf47

SHA256
94dcac78e40e701792770b08478c6b2c788ec0a21a953d82e6f968a1cef8698d

SHA512
86e2226fdb5bee0369d8f38bfb2e27270b9edd2b2d7c2fba76bacf51e8a53eeee1f21183bb7b75138757f198fe8513c423ce7fcbd7a740f37ca9ee68601c14db

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Crypto\fers.exe
MD5
b61d866837ca60df01c1465e028db4c9

SHA1
53d4b6d751dcbf1cf6d8de3f8f50aedc2896d66a

SHA256
b6c6f8ac58b7838c87ccf2b36b2f7005c6dd86792575e1e8c7ccce30d7d6a878

SHA512
f02ece67642717bc55896d8802c6011e7023741583f05c09d626d326b5eba968ba3e7ccdde9c846d62389caf9ed9f6d63977fec2bd57195203f1b79cfff78070

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Crypto\fers.exe
MD5
b61d866837ca60df01c1465e028db4c9

SHA1
53d4b6d751dcbf1cf6d8de3f8f50aedc2896d66a

SHA256
b6c6f8ac58b7838c87ccf2b36b2f7005c6dd86792575e1e8c7ccce30d7d6a878

SHA512
f02ece67642717bc55896d8802c6011e7023741583f05c09d626d326b5eba968ba3e7ccdde9c846d62389caf9ed9f6d63977fec2bd57195203f1b79cfff78070

Download Submit
memory/1664-6-0x0000000000000000-mapping.dmp

Download
memory/1784-3-0x000000000009242D-mapping.dmp

Download
memory/1784-2-0x0000000000090000-0x00000000000C0000-memory.dmp

Filesize
192KB

Download
memory/1784-4-0x0000000000090000-0x00000000000C0000-memory.dmp

Filesize
192KB

Download
memory/2020-12-0x000000000009242D-mapping.dmp

Download
memory/2020-14-0x0000000000090000-0x00000000000C0000-memory.dmp

Filesize
192KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads