netwire | 9a9ddbcb74bc37b8eb71fc0d4e3840e2e6435f7c9deb51f7e8e7f0bbd0cee473

General

Target

6E6FFC38D9C88CA34562E0369AC22A75.exe
Size

4.7MB
MD5

6e6ffc38d9c88ca34562e0369ac22a75
SHA1

b8788ca1f0102145580e6cffe8528aa82105092d
SHA256

9a9ddbcb74bc37b8eb71fc0d4e3840e2e6435f7c9deb51f7e8e7f0bbd0cee473
SHA512

8c89eade7a41d73151524fd01baaee77308271cfc3bd13160b9c25d8a33a57c9aa391cc438099970d9086cb3adf7403031242dc0185b538e97617baa119a7f67

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Extracted

Family

netwire

C2

clients.enigmasolutions.xyz:54573

Attributes

activex_autorun
false
activex_key
copy_executable
true
delete_original
false
host_id
Cleint-%Rand%
install_path
%AppData%\Microsoft\MMC\ruj.exe
keylogger_dir
%AppData%\msr\
lock_executable
false
mutex
offline_keylogger
true
password
\tx>N(6H`Om2k/cWJBp,""bUbAd1-0Mg
registry_autorun
true
startup_name
ruj
use_mutex
false

Signatures

NetWire RAT payload 6 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1784-61-0x000000000008242D-mapping.dmp	netwire
behavioral1/memory/1784-60-0x0000000000080000-0x00000000000B0000-memory.dmp	netwire
behavioral1/memory/1784-63-0x0000000000080000-0x00000000000B0000-memory.dmp	netwire
behavioral1/memory/1460-70-0x00000000000E0000-0x0000000000110000-memory.dmp	netwire
behavioral1/memory/1460-71-0x00000000000E242D-mapping.dmp	netwire
behavioral1/memory/1460-74-0x00000000000E0000-0x0000000000110000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 2 IoCs

Processes:

ruj.exeruj.exe

pid process

868 ruj.exe
1460 ruj.exe
Loads dropped DLL 1 IoCs

Processes:

6E6FFC38D9C88CA34562E0369AC22A75.exe

pid process

1784 6E6FFC38D9C88CA34562E0369AC22A75.exe

pid	process
868	ruj.exe
1460	ruj.exe

pid	process
1784	6E6FFC38D9C88CA34562E0369AC22A75.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ruj.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	ruj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ruj = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\MMC\\ruj.exe"	ruj.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

6E6FFC38D9C88CA34562E0369AC22A75.exeruj.exe

description	pid	process	target process
PID 1984 set thread context of 1784	1984	6E6FFC38D9C88CA34562E0369AC22A75.exe	6E6FFC38D9C88CA34562E0369AC22A75.exe
PID 868 set thread context of 1460	868	ruj.exe	ruj.exe

autoit_exe 4 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\Microsoft\MMC\ruj.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\Microsoft\MMC\ruj.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\Microsoft\MMC\ruj.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\Microsoft\MMC\ruj.exe	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

6E6FFC38D9C88CA34562E0369AC22A75.exe6E6FFC38D9C88CA34562E0369AC22A75.exeruj.exe

description	pid	process	target process
PID 1984 wrote to memory of 1784	1984	6E6FFC38D9C88CA34562E0369AC22A75.exe	6E6FFC38D9C88CA34562E0369AC22A75.exe
PID 1984 wrote to memory of 1784	1984	6E6FFC38D9C88CA34562E0369AC22A75.exe	6E6FFC38D9C88CA34562E0369AC22A75.exe
PID 1984 wrote to memory of 1784	1984	6E6FFC38D9C88CA34562E0369AC22A75.exe	6E6FFC38D9C88CA34562E0369AC22A75.exe
PID 1984 wrote to memory of 1784	1984	6E6FFC38D9C88CA34562E0369AC22A75.exe	6E6FFC38D9C88CA34562E0369AC22A75.exe
PID 1984 wrote to memory of 1784	1984	6E6FFC38D9C88CA34562E0369AC22A75.exe	6E6FFC38D9C88CA34562E0369AC22A75.exe
PID 1984 wrote to memory of 1784	1984	6E6FFC38D9C88CA34562E0369AC22A75.exe	6E6FFC38D9C88CA34562E0369AC22A75.exe
PID 1784 wrote to memory of 868	1784	6E6FFC38D9C88CA34562E0369AC22A75.exe	ruj.exe
PID 1784 wrote to memory of 868	1784	6E6FFC38D9C88CA34562E0369AC22A75.exe	ruj.exe
PID 1784 wrote to memory of 868	1784	6E6FFC38D9C88CA34562E0369AC22A75.exe	ruj.exe
PID 1784 wrote to memory of 868	1784	6E6FFC38D9C88CA34562E0369AC22A75.exe	ruj.exe
PID 868 wrote to memory of 1460	868	ruj.exe	ruj.exe
PID 868 wrote to memory of 1460	868	ruj.exe	ruj.exe
PID 868 wrote to memory of 1460	868	ruj.exe	ruj.exe
PID 868 wrote to memory of 1460	868	ruj.exe	ruj.exe
PID 868 wrote to memory of 1460	868	ruj.exe	ruj.exe
PID 868 wrote to memory of 1460	868	ruj.exe	ruj.exe

C:\Users\Admin\AppData\Local\Temp\6E6FFC38D9C88CA34562E0369AC22A75.exe
"C:\Users\Admin\AppData\Local\Temp\6E6FFC38D9C88CA34562E0369AC22A75.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1984

C:\Users\Admin\AppData\Local\Temp\6E6FFC38D9C88CA34562E0369AC22A75.exe
C:\Users\Admin\AppData\Local\Temp\6E6FFC38D9C88CA34562E0369AC22A75.exe
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1784

C:\Users\Admin\AppData\Roaming\Microsoft\MMC\ruj.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\MMC\ruj.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:868

C:\Users\Admin\AppData\Roaming\Microsoft\MMC\ruj.exe
C:\Users\Admin\AppData\Roaming\Microsoft\MMC\ruj.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1460

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\MMC\ruj.exe
MD5
6e6ffc38d9c88ca34562e0369ac22a75

SHA1
b8788ca1f0102145580e6cffe8528aa82105092d

SHA256
9a9ddbcb74bc37b8eb71fc0d4e3840e2e6435f7c9deb51f7e8e7f0bbd0cee473

SHA512
8c89eade7a41d73151524fd01baaee77308271cfc3bd13160b9c25d8a33a57c9aa391cc438099970d9086cb3adf7403031242dc0185b538e97617baa119a7f67

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\MMC\ruj.exe
MD5
6e6ffc38d9c88ca34562e0369ac22a75

SHA1
b8788ca1f0102145580e6cffe8528aa82105092d

SHA256
9a9ddbcb74bc37b8eb71fc0d4e3840e2e6435f7c9deb51f7e8e7f0bbd0cee473

SHA512
8c89eade7a41d73151524fd01baaee77308271cfc3bd13160b9c25d8a33a57c9aa391cc438099970d9086cb3adf7403031242dc0185b538e97617baa119a7f67

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\MMC\ruj.exe
MD5
6e6ffc38d9c88ca34562e0369ac22a75

SHA1
b8788ca1f0102145580e6cffe8528aa82105092d

SHA256
9a9ddbcb74bc37b8eb71fc0d4e3840e2e6435f7c9deb51f7e8e7f0bbd0cee473

SHA512
8c89eade7a41d73151524fd01baaee77308271cfc3bd13160b9c25d8a33a57c9aa391cc438099970d9086cb3adf7403031242dc0185b538e97617baa119a7f67

Download Submit
C:\Users\Admin\AppData\Roaming\rnwbdsbnhxgawywbawodncqsj20596.png
MD5
33b6af30035a8ab1c4814143a8aad65b

SHA1
50971cbbf169b38e32ffd445a4802296d4ee72c5

SHA256
e380447d53029bb25e0bf687ecf8772a7726af889d0ef9a6e486691425735e7e

SHA512
7e48a50ac3e79846d3f1343212fb323192466b4c1d9ea8cda1cad8bed54239136e542706ae44bf18f12a935bb1eb7b1e58e47d74ca7867363cc66aaa37b85395

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\MMC\ruj.exe
MD5
6e6ffc38d9c88ca34562e0369ac22a75

SHA1
b8788ca1f0102145580e6cffe8528aa82105092d

SHA256
9a9ddbcb74bc37b8eb71fc0d4e3840e2e6435f7c9deb51f7e8e7f0bbd0cee473

SHA512
8c89eade7a41d73151524fd01baaee77308271cfc3bd13160b9c25d8a33a57c9aa391cc438099970d9086cb3adf7403031242dc0185b538e97617baa119a7f67

Download Submit
memory/868-65-0x0000000000000000-mapping.dmp

Download
memory/1460-70-0x00000000000E0000-0x0000000000110000-memory.dmp

Filesize
192KB

Download
memory/1460-71-0x00000000000E242D-mapping.dmp

Download
memory/1460-74-0x00000000000E0000-0x0000000000110000-memory.dmp

Filesize
192KB

Download
memory/1784-63-0x0000000000080000-0x00000000000B0000-memory.dmp

Filesize
192KB

Download
memory/1784-60-0x0000000000080000-0x00000000000B0000-memory.dmp

Filesize
192KB

Download
memory/1784-61-0x000000000008242D-mapping.dmp

Download
memory/1984-59-0x00000000767B1000-0x00000000767B3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads