netwire | 8564faf328ce5c253f4b6b3462402634e64ce8caefeb18428c2dcb4d454ee996

General

Target

SafeBuff.exe
Size

1.1MB
MD5

6446daba47a6a46d3f10a1c3504223d0
SHA1

e97d50eb97e3f4d70680d43c2d18c418e207e4fe
SHA256

8564faf328ce5c253f4b6b3462402634e64ce8caefeb18428c2dcb4d454ee996
SHA512

1a33ca90af589f6b8ec0d41836a96c5d1d712fd01818d44c096db9839e7f8e873fed5d191b36911de29f1243bc260c1301328f97d7f3a5f8312ad04853db792d

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

C2

dxyasser0.zapto.org:1212

Attributes

activex_autorun
false
activex_key
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
install_path
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
offline_keylogger
true
password
123
registry_autorun
false
startup_name
use_mutex
false

Signatures

NetWire RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2596-141-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral2/memory/2596-142-0x000000000040242D-mapping.dmp	netwire
behavioral2/memory/2596-165-0x0000000000400000-0x0000000000433000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Suspicious use of SetThreadContext 1 IoCs

Processes:

SafeBuff.exe

description pid process target process

PID 2576 set thread context of 2596 2576 SafeBuff.exe RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2648 schtasks.exe

description	pid	process	target process
PID 2576 set thread context of 2596	2576	SafeBuff.exe	RegSvcs.exe

pid	process
2648	schtasks.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

SafeBuff.exepowershell.exepowershell.exepowershell.exe

pid	process
2576	SafeBuff.exe
2576	SafeBuff.exe
1812	powershell.exe
2580	powershell.exe
2828	powershell.exe
1812	powershell.exe
2580	powershell.exe
2828	powershell.exe
2580	powershell.exe
2828	powershell.exe
1812	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

SafeBuff.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2576	SafeBuff.exe
Token: SeDebugPrivilege	2580	powershell.exe
Token: SeDebugPrivilege	1812	powershell.exe
Token: SeDebugPrivilege	2828	powershell.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

SafeBuff.exe

description	pid	process	target process
PID 2576 wrote to memory of 1812	2576	SafeBuff.exe	powershell.exe
PID 2576 wrote to memory of 1812	2576	SafeBuff.exe	powershell.exe
PID 2576 wrote to memory of 1812	2576	SafeBuff.exe	powershell.exe
PID 2576 wrote to memory of 2580	2576	SafeBuff.exe	powershell.exe
PID 2576 wrote to memory of 2580	2576	SafeBuff.exe	powershell.exe
PID 2576 wrote to memory of 2580	2576	SafeBuff.exe	powershell.exe
PID 2576 wrote to memory of 2648	2576	SafeBuff.exe	schtasks.exe
PID 2576 wrote to memory of 2648	2576	SafeBuff.exe	schtasks.exe
PID 2576 wrote to memory of 2648	2576	SafeBuff.exe	schtasks.exe
PID 2576 wrote to memory of 2828	2576	SafeBuff.exe	powershell.exe
PID 2576 wrote to memory of 2828	2576	SafeBuff.exe	powershell.exe
PID 2576 wrote to memory of 2828	2576	SafeBuff.exe	powershell.exe
PID 2576 wrote to memory of 3124	2576	SafeBuff.exe	RegSvcs.exe
PID 2576 wrote to memory of 3124	2576	SafeBuff.exe	RegSvcs.exe
PID 2576 wrote to memory of 3124	2576	SafeBuff.exe	RegSvcs.exe
PID 2576 wrote to memory of 2596	2576	SafeBuff.exe	RegSvcs.exe
PID 2576 wrote to memory of 2596	2576	SafeBuff.exe	RegSvcs.exe
PID 2576 wrote to memory of 2596	2576	SafeBuff.exe	RegSvcs.exe
PID 2576 wrote to memory of 2596	2576	SafeBuff.exe	RegSvcs.exe
PID 2576 wrote to memory of 2596	2576	SafeBuff.exe	RegSvcs.exe
PID 2576 wrote to memory of 2596	2576	SafeBuff.exe	RegSvcs.exe
PID 2576 wrote to memory of 2596	2576	SafeBuff.exe	RegSvcs.exe
PID 2576 wrote to memory of 2596	2576	SafeBuff.exe	RegSvcs.exe
PID 2576 wrote to memory of 2596	2576	SafeBuff.exe	RegSvcs.exe
PID 2576 wrote to memory of 2596	2576	SafeBuff.exe	RegSvcs.exe
PID 2576 wrote to memory of 2596	2576	SafeBuff.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\SafeBuff.exe
"C:\Users\Admin\AppData\Local\Temp\SafeBuff.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2576

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SafeBuff.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1812

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\CShpLsZqsIKINW.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2580

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CShpLsZqsIKINW" /XML "C:\Users\Admin\AppData\Local\Temp\tmpEECA.tmp"
2⤵
- Creates scheduled task(s)
PID:2648

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\CShpLsZqsIKINW.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2828

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
PID:2596

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
PID:3124

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
db01a2c1c7e70b2b038edf8ad5ad9826

SHA1
540217c647a73bad8d8a79e3a0f3998b5abd199b

SHA256
413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d

SHA512
c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
c47bef22c35366a69939f4392af5d61f

SHA1
c2d0bb37e63f06398d0ace0dc34354717d9ab2c4

SHA256
ff9c10a5a1f8fd04f7144e855c60a699576798e8c61868fc7b7334d2f2630554

SHA512
f95f68ac9ee2802517c22e1962b7bc80e014f81acf3ce4a484f74069664567f9bdbd07ba3a0d8cda982c408886014e82adf2ceacb54fe68da31abb7ab8a6cd31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
306e0df0eeeaba45349ba84962f976cc

SHA1
1905d7e481b479e51400991218a94cd66393fc77

SHA256
0741347adbd8e483e70944a85bb02efe1a2340096a23a3a35ce994a16af6d2ae

SHA512
fe54479243434334a95d49d68c57c14e9ff42398a30a086eb00f65ce49de64d0cd88e03765a95dee14c1822f0b57434c3da3f7a8aae32546a28c7f5f0fb6402f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEECA.tmp
MD5
6f22c92440bfd93c0e23c81b5c86f118

SHA1
e2dd7484845ec2336269991b324c4d50694ba440

SHA256
e7ef46d1368cbf02bc41387d43db6fe02472a4d552596e95576d19871a168587

SHA512
c5453ff112766588b0f461cabe8bc18f2bffaa7e5111c34927d99a6f52855bb8260db3f726b8bb781579ce991e6cb9cff5b140b0d12ac0c9246e3f100f8c1eff

Download Submit
memory/1812-152-0x0000000007B10000-0x0000000007B11000-memory.dmp

Filesize
4KB

Download
memory/1812-148-0x0000000007820000-0x0000000007821000-memory.dmp

Filesize
4KB

Download
memory/1812-145-0x0000000007A00000-0x0000000007A01000-memory.dmp

Filesize
4KB

Download
memory/1812-143-0x0000000007040000-0x0000000007041000-memory.dmp

Filesize
4KB

Download
memory/1812-139-0x0000000006B42000-0x0000000006B43000-memory.dmp

Filesize
4KB

Download
memory/1812-124-0x0000000000000000-mapping.dmp

Download
memory/1812-137-0x0000000006B40000-0x0000000006B41000-memory.dmp

Filesize
4KB

Download
memory/1812-277-0x0000000006B43000-0x0000000006B44000-memory.dmp

Filesize
4KB

Download
memory/1812-131-0x0000000006A70000-0x0000000006A71000-memory.dmp

Filesize
4KB

Download
memory/1812-133-0x0000000007180000-0x0000000007181000-memory.dmp

Filesize
4KB

Download
memory/1812-233-0x000000007EE60000-0x000000007EE61000-memory.dmp

Filesize
4KB

Download
memory/1812-168-0x0000000008240000-0x0000000008241000-memory.dmp

Filesize
4KB

Download
memory/2576-123-0x0000000006430000-0x000000000646D000-memory.dmp

Filesize
244KB

Download
memory/2576-117-0x0000000007E50000-0x0000000007E51000-memory.dmp

Filesize
4KB

Download
memory/2576-116-0x00000000082B0000-0x00000000082B1000-memory.dmp

Filesize
4KB

Download
memory/2576-118-0x0000000007EF0000-0x0000000007EF1000-memory.dmp

Filesize
4KB

Download
memory/2576-114-0x0000000000FC0000-0x0000000000FC1000-memory.dmp

Filesize
4KB

Download
memory/2576-119-0x0000000007DD0000-0x0000000007DD1000-memory.dmp

Filesize
4KB

Download
memory/2576-122-0x0000000005F10000-0x0000000005F82000-memory.dmp

Filesize
456KB

Download
memory/2576-121-0x0000000001AA0000-0x0000000001AAF000-memory.dmp

Filesize
60KB

Download
memory/2576-120-0x0000000007DB0000-0x00000000082AE000-memory.dmp

Filesize
5.0MB

Download
memory/2580-211-0x0000000009140000-0x0000000009141000-memory.dmp

Filesize
4KB

Download
memory/2580-159-0x0000000007FB0000-0x0000000007FB1000-memory.dmp

Filesize
4KB

Download
memory/2580-273-0x0000000004903000-0x0000000004904000-memory.dmp

Filesize
4KB

Download
memory/2580-125-0x0000000000000000-mapping.dmp

Download
memory/2580-138-0x0000000004900000-0x0000000004901000-memory.dmp

Filesize
4KB

Download
memory/2580-231-0x000000007ED10000-0x000000007ED11000-memory.dmp

Filesize
4KB

Download
memory/2580-140-0x0000000004902000-0x0000000004903000-memory.dmp

Filesize
4KB

Download
memory/2580-191-0x0000000009160000-0x0000000009193000-memory.dmp

Filesize
204KB

Download
memory/2596-141-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2596-165-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2596-142-0x000000000040242D-mapping.dmp

Download
memory/2648-126-0x0000000000000000-mapping.dmp

Download
memory/2828-167-0x0000000006F12000-0x0000000006F13000-memory.dmp

Filesize
4KB

Download
memory/2828-232-0x000000007E230000-0x000000007E231000-memory.dmp

Filesize
4KB

Download
memory/2828-162-0x00000000085B0000-0x00000000085B1000-memory.dmp

Filesize
4KB

Download
memory/2828-269-0x0000000006F13000-0x0000000006F14000-memory.dmp

Filesize
4KB

Download
memory/2828-166-0x0000000006F10000-0x0000000006F11000-memory.dmp

Filesize
4KB

Download
memory/2828-136-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads