netwire | 9a9ddbcb74bc37b8eb71fc0d4e3840e2e6435f7c9deb51f7e8e7f0bbd0cee473

General

Target

6E6FFC38D9C88CA34562E0369AC22A75.exe
Size

4.7MB
MD5

6e6ffc38d9c88ca34562e0369ac22a75
SHA1

b8788ca1f0102145580e6cffe8528aa82105092d
SHA256

9a9ddbcb74bc37b8eb71fc0d4e3840e2e6435f7c9deb51f7e8e7f0bbd0cee473
SHA512

8c89eade7a41d73151524fd01baaee77308271cfc3bd13160b9c25d8a33a57c9aa391cc438099970d9086cb3adf7403031242dc0185b538e97617baa119a7f67

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Extracted

Family

netwire

C2

clients.enigmasolutions.xyz:54573

Attributes

activex_autorun
false
activex_key
copy_executable
true
delete_original
false
host_id
Cleint-%Rand%
install_path
%AppData%\Microsoft\MMC\ruj.exe
keylogger_dir
%AppData%\msr\
lock_executable
false
mutex
offline_keylogger
true
password
\tx>N(6H`Om2k/cWJBp,""bUbAd1-0Mg
registry_autorun
true
startup_name
ruj
use_mutex
false

Signatures

NetWire RAT payload 6 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3836-114-0x0000000001660000-0x0000000001690000-memory.dmp	netwire
behavioral2/memory/3836-115-0x000000000166242D-mapping.dmp	netwire
behavioral2/memory/3836-119-0x0000000001660000-0x0000000001690000-memory.dmp	netwire
behavioral2/memory/1248-121-0x00000000004F0000-0x0000000000520000-memory.dmp	netwire
behavioral2/memory/1248-122-0x00000000004F242D-mapping.dmp	netwire
behavioral2/memory/1248-124-0x00000000004F0000-0x0000000000520000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 2 IoCs

Processes:

ruj.exeruj.exe

pid process

3860 ruj.exe
1248 ruj.exe

pid	process
3860	ruj.exe
1248	ruj.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ruj.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	ruj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\ruj = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\MMC\\ruj.exe"	ruj.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

6E6FFC38D9C88CA34562E0369AC22A75.exeruj.exe

description	pid	process	target process
PID 4064 set thread context of 3836	4064	6E6FFC38D9C88CA34562E0369AC22A75.exe	6E6FFC38D9C88CA34562E0369AC22A75.exe
PID 3860 set thread context of 1248	3860	ruj.exe	ruj.exe

autoit_exe 3 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Microsoft\MMC\ruj.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\Microsoft\MMC\ruj.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\Microsoft\MMC\ruj.exe	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

6E6FFC38D9C88CA34562E0369AC22A75.exe6E6FFC38D9C88CA34562E0369AC22A75.exeruj.exe

description	pid	process	target process
PID 4064 wrote to memory of 3836	4064	6E6FFC38D9C88CA34562E0369AC22A75.exe	6E6FFC38D9C88CA34562E0369AC22A75.exe
PID 4064 wrote to memory of 3836	4064	6E6FFC38D9C88CA34562E0369AC22A75.exe	6E6FFC38D9C88CA34562E0369AC22A75.exe
PID 4064 wrote to memory of 3836	4064	6E6FFC38D9C88CA34562E0369AC22A75.exe	6E6FFC38D9C88CA34562E0369AC22A75.exe
PID 4064 wrote to memory of 3836	4064	6E6FFC38D9C88CA34562E0369AC22A75.exe	6E6FFC38D9C88CA34562E0369AC22A75.exe
PID 4064 wrote to memory of 3836	4064	6E6FFC38D9C88CA34562E0369AC22A75.exe	6E6FFC38D9C88CA34562E0369AC22A75.exe
PID 3836 wrote to memory of 3860	3836	6E6FFC38D9C88CA34562E0369AC22A75.exe	ruj.exe
PID 3836 wrote to memory of 3860	3836	6E6FFC38D9C88CA34562E0369AC22A75.exe	ruj.exe
PID 3836 wrote to memory of 3860	3836	6E6FFC38D9C88CA34562E0369AC22A75.exe	ruj.exe
PID 3860 wrote to memory of 1248	3860	ruj.exe	ruj.exe
PID 3860 wrote to memory of 1248	3860	ruj.exe	ruj.exe
PID 3860 wrote to memory of 1248	3860	ruj.exe	ruj.exe
PID 3860 wrote to memory of 1248	3860	ruj.exe	ruj.exe
PID 3860 wrote to memory of 1248	3860	ruj.exe	ruj.exe

C:\Users\Admin\AppData\Local\Temp\6E6FFC38D9C88CA34562E0369AC22A75.exe
"C:\Users\Admin\AppData\Local\Temp\6E6FFC38D9C88CA34562E0369AC22A75.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4064

C:\Users\Admin\AppData\Local\Temp\6E6FFC38D9C88CA34562E0369AC22A75.exe
C:\Users\Admin\AppData\Local\Temp\6E6FFC38D9C88CA34562E0369AC22A75.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:3836

C:\Users\Admin\AppData\Roaming\Microsoft\MMC\ruj.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\MMC\ruj.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3860

C:\Users\Admin\AppData\Roaming\Microsoft\MMC\ruj.exe
C:\Users\Admin\AppData\Roaming\Microsoft\MMC\ruj.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1248

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\MMC\ruj.exe
MD5
6e6ffc38d9c88ca34562e0369ac22a75

SHA1
b8788ca1f0102145580e6cffe8528aa82105092d

SHA256
9a9ddbcb74bc37b8eb71fc0d4e3840e2e6435f7c9deb51f7e8e7f0bbd0cee473

SHA512
8c89eade7a41d73151524fd01baaee77308271cfc3bd13160b9c25d8a33a57c9aa391cc438099970d9086cb3adf7403031242dc0185b538e97617baa119a7f67

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\MMC\ruj.exe
MD5
6e6ffc38d9c88ca34562e0369ac22a75

SHA1
b8788ca1f0102145580e6cffe8528aa82105092d

SHA256
9a9ddbcb74bc37b8eb71fc0d4e3840e2e6435f7c9deb51f7e8e7f0bbd0cee473

SHA512
8c89eade7a41d73151524fd01baaee77308271cfc3bd13160b9c25d8a33a57c9aa391cc438099970d9086cb3adf7403031242dc0185b538e97617baa119a7f67

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\MMC\ruj.exe
MD5
6e6ffc38d9c88ca34562e0369ac22a75

SHA1
b8788ca1f0102145580e6cffe8528aa82105092d

SHA256
9a9ddbcb74bc37b8eb71fc0d4e3840e2e6435f7c9deb51f7e8e7f0bbd0cee473

SHA512
8c89eade7a41d73151524fd01baaee77308271cfc3bd13160b9c25d8a33a57c9aa391cc438099970d9086cb3adf7403031242dc0185b538e97617baa119a7f67

Download Submit
C:\Users\Admin\AppData\Roaming\rnwbdsbnhxgawywbawodncqsj20596.png
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1248-121-0x00000000004F0000-0x0000000000520000-memory.dmp

Filesize
192KB

Download
memory/1248-122-0x00000000004F242D-mapping.dmp

Download
memory/1248-124-0x00000000004F0000-0x0000000000520000-memory.dmp

Filesize
192KB

Download
memory/3836-114-0x0000000001660000-0x0000000001690000-memory.dmp

Filesize
192KB

Download
memory/3836-115-0x000000000166242D-mapping.dmp

Download
memory/3836-119-0x0000000001660000-0x0000000001690000-memory.dmp

Filesize
192KB

Download
memory/3860-116-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads