netwire | b6c6f8ac58b7838c87ccf2b36b2f7005c6dd86792575e1e8c7ccce30d7d6a878

General

Target

b61d866837ca60df01c1465e028db4c9.exe
Size

3.3MB
MD5

b61d866837ca60df01c1465e028db4c9
SHA1

53d4b6d751dcbf1cf6d8de3f8f50aedc2896d66a
SHA256

b6c6f8ac58b7838c87ccf2b36b2f7005c6dd86792575e1e8c7ccce30d7d6a878
SHA512

f02ece67642717bc55896d8802c6011e7023741583f05c09d626d326b5eba968ba3e7ccdde9c846d62389caf9ed9f6d63977fec2bd57195203f1b79cfff78070

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Signatures

NetWire RAT payload 6 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3812-2-0x0000000000A10000-0x0000000000A40000-memory.dmp	netwire
behavioral2/memory/3812-3-0x0000000000A1242D-mapping.dmp	netwire
behavioral2/memory/3812-4-0x0000000000A10000-0x0000000000A40000-memory.dmp	netwire
behavioral2/memory/4056-10-0x0000000000E7242D-mapping.dmp	netwire
behavioral2/memory/4056-9-0x0000000000E70000-0x0000000000EA0000-memory.dmp	netwire
behavioral2/memory/4056-12-0x0000000000E70000-0x0000000000EA0000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 2 IoCs

Processes:

fers.exefers.exe

pid process

2316 fers.exe
4056 fers.exe

pid	process
2316	fers.exe
4056	fers.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

fers.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	fers.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\fers = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\fers.exe"	fers.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

b61d866837ca60df01c1465e028db4c9.exefers.exe

description	pid	process	target process
PID 576 set thread context of 3812	576	b61d866837ca60df01c1465e028db4c9.exe	b61d866837ca60df01c1465e028db4c9.exe
PID 2316 set thread context of 4056	2316	fers.exe	fers.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

b61d866837ca60df01c1465e028db4c9.exeb61d866837ca60df01c1465e028db4c9.exefers.exe

description	pid	process	target process
PID 576 wrote to memory of 3812	576	b61d866837ca60df01c1465e028db4c9.exe	b61d866837ca60df01c1465e028db4c9.exe
PID 576 wrote to memory of 3812	576	b61d866837ca60df01c1465e028db4c9.exe	b61d866837ca60df01c1465e028db4c9.exe
PID 576 wrote to memory of 3812	576	b61d866837ca60df01c1465e028db4c9.exe	b61d866837ca60df01c1465e028db4c9.exe
PID 576 wrote to memory of 3812	576	b61d866837ca60df01c1465e028db4c9.exe	b61d866837ca60df01c1465e028db4c9.exe
PID 576 wrote to memory of 3812	576	b61d866837ca60df01c1465e028db4c9.exe	b61d866837ca60df01c1465e028db4c9.exe
PID 3812 wrote to memory of 2316	3812	b61d866837ca60df01c1465e028db4c9.exe	fers.exe
PID 3812 wrote to memory of 2316	3812	b61d866837ca60df01c1465e028db4c9.exe	fers.exe
PID 3812 wrote to memory of 2316	3812	b61d866837ca60df01c1465e028db4c9.exe	fers.exe
PID 2316 wrote to memory of 4056	2316	fers.exe	fers.exe
PID 2316 wrote to memory of 4056	2316	fers.exe	fers.exe
PID 2316 wrote to memory of 4056	2316	fers.exe	fers.exe
PID 2316 wrote to memory of 4056	2316	fers.exe	fers.exe
PID 2316 wrote to memory of 4056	2316	fers.exe	fers.exe

C:\Users\Admin\AppData\Local\Temp\b61d866837ca60df01c1465e028db4c9.exe
"C:\Users\Admin\AppData\Local\Temp\b61d866837ca60df01c1465e028db4c9.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:576

C:\Users\Admin\AppData\Local\Temp\b61d866837ca60df01c1465e028db4c9.exe
C:\Users\Admin\AppData\Local\Temp\b61d866837ca60df01c1465e028db4c9.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:3812

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\fers.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\fers.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2316

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\fers.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\fers.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4056

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\fers.exe
MD5
b61d866837ca60df01c1465e028db4c9

SHA1
53d4b6d751dcbf1cf6d8de3f8f50aedc2896d66a

SHA256
b6c6f8ac58b7838c87ccf2b36b2f7005c6dd86792575e1e8c7ccce30d7d6a878

SHA512
f02ece67642717bc55896d8802c6011e7023741583f05c09d626d326b5eba968ba3e7ccdde9c846d62389caf9ed9f6d63977fec2bd57195203f1b79cfff78070

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\fers.exe
MD5
b61d866837ca60df01c1465e028db4c9

SHA1
53d4b6d751dcbf1cf6d8de3f8f50aedc2896d66a

SHA256
b6c6f8ac58b7838c87ccf2b36b2f7005c6dd86792575e1e8c7ccce30d7d6a878

SHA512
f02ece67642717bc55896d8802c6011e7023741583f05c09d626d326b5eba968ba3e7ccdde9c846d62389caf9ed9f6d63977fec2bd57195203f1b79cfff78070

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\fers.exe
MD5
b61d866837ca60df01c1465e028db4c9

SHA1
53d4b6d751dcbf1cf6d8de3f8f50aedc2896d66a

SHA256
b6c6f8ac58b7838c87ccf2b36b2f7005c6dd86792575e1e8c7ccce30d7d6a878

SHA512
f02ece67642717bc55896d8802c6011e7023741583f05c09d626d326b5eba968ba3e7ccdde9c846d62389caf9ed9f6d63977fec2bd57195203f1b79cfff78070

Download Submit
C:\Users\Admin\AppData\Roaming\trftkoxoicklgdxkctuphueti84738.png
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2316-5-0x0000000000000000-mapping.dmp

Download
memory/3812-2-0x0000000000A10000-0x0000000000A40000-memory.dmp

Filesize
192KB

Download
memory/3812-3-0x0000000000A1242D-mapping.dmp

Download
memory/3812-4-0x0000000000A10000-0x0000000000A40000-memory.dmp

Filesize
192KB

Download
memory/4056-10-0x0000000000E7242D-mapping.dmp

Download
memory/4056-9-0x0000000000E70000-0x0000000000EA0000-memory.dmp

Filesize
192KB

Download
memory/4056-12-0x0000000000E70000-0x0000000000EA0000-memory.dmp

Filesize
192KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads