netwire | cf2aec2969353dc99a7f715ac818212b42b8cff7a58c9109442f2c65ff62de42

General

Target

467e17b8d44626b7456716680e3d043d.exe
Size

349KB
MD5

467e17b8d44626b7456716680e3d043d
SHA1

6636511ae14abb0f2554199b4ed8977def1d9b8a
SHA256

cf2aec2969353dc99a7f715ac818212b42b8cff7a58c9109442f2c65ff62de42
SHA512

5f3a0f47bfe3f1784849c9ddedc30e489b5d37cbb0a73c488ab58efc7a777d0d5e0c5a5abef63661166003b623224d6990b8baa160d6e398dc804b4c2fb941a7

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Extracted

Family

netwire

C2

66.154.103.106:13374

Attributes

activex_autorun
false
activex_key
copy_executable
false
delete_original
false
host_id
myphone
install_path
keylogger_dir
lock_executable
false
mutex
offline_keylogger
false
password
Password
registry_autorun
false
startup_name
use_mutex
false

Signatures

NetWire RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1684-64-0x000000000040242D-mapping.dmp	netwire
behavioral1/memory/1684-63-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/1684-66-0x0000000000400000-0x0000000000433000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Adobe Reader = "C:\\Users\\Admin\\AppData\\Local\\Adobe Reader.exe"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

467e17b8d44626b7456716680e3d043d.exe

description pid process target process

PID 1072 set thread context of 1684 1072 467e17b8d44626b7456716680e3d043d.exe calc.exe

description	pid	process	target process
PID 1072 set thread context of 1684	1072	467e17b8d44626b7456716680e3d043d.exe	calc.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

467e17b8d44626b7456716680e3d043d.execmd.exe

description	pid	process	target process
PID 1072 wrote to memory of 1768	1072	467e17b8d44626b7456716680e3d043d.exe	cmd.exe
PID 1072 wrote to memory of 1768	1072	467e17b8d44626b7456716680e3d043d.exe	cmd.exe
PID 1072 wrote to memory of 1768	1072	467e17b8d44626b7456716680e3d043d.exe	cmd.exe
PID 1072 wrote to memory of 1768	1072	467e17b8d44626b7456716680e3d043d.exe	cmd.exe
PID 1768 wrote to memory of 1712	1768	cmd.exe	reg.exe
PID 1768 wrote to memory of 1712	1768	cmd.exe	reg.exe
PID 1768 wrote to memory of 1712	1768	cmd.exe	reg.exe
PID 1768 wrote to memory of 1712	1768	cmd.exe	reg.exe
PID 1072 wrote to memory of 1684	1072	467e17b8d44626b7456716680e3d043d.exe	calc.exe
PID 1072 wrote to memory of 1684	1072	467e17b8d44626b7456716680e3d043d.exe	calc.exe
PID 1072 wrote to memory of 1684	1072	467e17b8d44626b7456716680e3d043d.exe	calc.exe
PID 1072 wrote to memory of 1684	1072	467e17b8d44626b7456716680e3d043d.exe	calc.exe
PID 1072 wrote to memory of 1684	1072	467e17b8d44626b7456716680e3d043d.exe	calc.exe
PID 1072 wrote to memory of 1684	1072	467e17b8d44626b7456716680e3d043d.exe	calc.exe
PID 1072 wrote to memory of 1684	1072	467e17b8d44626b7456716680e3d043d.exe	calc.exe
PID 1072 wrote to memory of 1684	1072	467e17b8d44626b7456716680e3d043d.exe	calc.exe
PID 1072 wrote to memory of 1684	1072	467e17b8d44626b7456716680e3d043d.exe	calc.exe
PID 1072 wrote to memory of 1684	1072	467e17b8d44626b7456716680e3d043d.exe	calc.exe
PID 1072 wrote to memory of 1684	1072	467e17b8d44626b7456716680e3d043d.exe	calc.exe
PID 1072 wrote to memory of 1684	1072	467e17b8d44626b7456716680e3d043d.exe	calc.exe

C:\Users\Admin\AppData\Local\Temp\467e17b8d44626b7456716680e3d043d.exe
"C:\Users\Admin\AppData\Local\Temp\467e17b8d44626b7456716680e3d043d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1072

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\467e17b8d44626b7456716680e3d043d.exe" "C:\Users\%username%\AppData\Local\Adobe Reader.exe" & REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Adobe Reader" /t REG_SZ /F /D "C:\Users\%username%\AppData\Local\Adobe Reader.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1768

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Adobe Reader" /t REG_SZ /F /D "C:\Users\Admin\AppData\Local\Adobe Reader.exe"
3⤵
- Adds Run key to start application
PID:1712

C:\Windows\SysWOW64\calc.exe
"C:\Windows\System32\calc.exe"
2⤵
PID:1684

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1072-60-0x0000000075411000-0x0000000075413000-memory.dmp

Filesize
8KB

Download
memory/1684-64-0x000000000040242D-mapping.dmp

Download
memory/1684-63-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1684-66-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1712-62-0x0000000000000000-mapping.dmp

Download
memory/1768-61-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads