netwire | 57d5c01633ef2f845946bf397ef571ba5c0e0afaafce8756d7811d7569f4b024

General

Target

P-Order.scr.exe
Size

876KB
MD5

6cf82e76161361d385c53652fdba1992
SHA1

642276d01e7d4c7fc2fa8202025173b8abb3c221
SHA256

57d5c01633ef2f845946bf397ef571ba5c0e0afaafce8756d7811d7569f4b024
SHA512

939b26dc20dde77729f9d1ecfb9495b6bcce5a7514a44e87b2bee3dd427b967e568162b2c18e6850bbb92616452739b247e102b74f8c40bda8cad1fcc8277331

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

C2

harold.ns01.info:3606

Attributes

activex_autorun
false
activex_key
copy_executable
true
delete_original
false
host_id
prim
install_path
%AppData%\Install\Host.exe
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
eApkLVIW
offline_keylogger
true
password
master12
registry_autorun
false
startup_name
use_mutex
true

Signatures

NetWire RAT payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2336-126-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral2/memory/2336-127-0x000000000040242D-mapping.dmp	netwire
behavioral2/memory/2336-133-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral2/memory/3872-139-0x0000000007D30000-0x000000000822E000-memory.dmp	netwire
behavioral2/memory/3692-146-0x000000000040242D-mapping.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 3 IoCs

Processes:

Host.exeHost.exeHost.exe

pid process

3872 Host.exe
2128 Host.exe
3692 Host.exe

pid	process
3872	Host.exe
2128	Host.exe
3692	Host.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

P-Order.scr.exeHost.exe

description	pid	process	target process
PID 3912 set thread context of 2336	3912	P-Order.scr.exe	P-Order.scr.exe
PID 3872 set thread context of 3692	3872	Host.exe	Host.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

700 schtasks.exe
2088 schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

P-Order.scr.exeHost.exe

pid process

3912 P-Order.scr.exe
3912 P-Order.scr.exe
3872 Host.exe
3872 Host.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

P-Order.scr.exeHost.exe

description pid process

Token: SeDebugPrivilege 3912 P-Order.scr.exe
Token: SeDebugPrivilege 3872 Host.exe

pid	process
700	schtasks.exe
2088	schtasks.exe

pid	process
3912	P-Order.scr.exe
3912	P-Order.scr.exe
3872	Host.exe
3872	Host.exe

description	pid	process
Token: SeDebugPrivilege	3912	P-Order.scr.exe
Token: SeDebugPrivilege	3872	Host.exe

Suspicious use of WriteProcessMemory 37 IoCs

Processes:

P-Order.scr.exeP-Order.scr.exeHost.exe

description	pid	process	target process
PID 3912 wrote to memory of 700	3912	P-Order.scr.exe	schtasks.exe
PID 3912 wrote to memory of 700	3912	P-Order.scr.exe	schtasks.exe
PID 3912 wrote to memory of 700	3912	P-Order.scr.exe	schtasks.exe
PID 3912 wrote to memory of 2084	3912	P-Order.scr.exe	P-Order.scr.exe
PID 3912 wrote to memory of 2084	3912	P-Order.scr.exe	P-Order.scr.exe
PID 3912 wrote to memory of 2084	3912	P-Order.scr.exe	P-Order.scr.exe
PID 3912 wrote to memory of 2336	3912	P-Order.scr.exe	P-Order.scr.exe
PID 3912 wrote to memory of 2336	3912	P-Order.scr.exe	P-Order.scr.exe
PID 3912 wrote to memory of 2336	3912	P-Order.scr.exe	P-Order.scr.exe
PID 3912 wrote to memory of 2336	3912	P-Order.scr.exe	P-Order.scr.exe
PID 3912 wrote to memory of 2336	3912	P-Order.scr.exe	P-Order.scr.exe
PID 3912 wrote to memory of 2336	3912	P-Order.scr.exe	P-Order.scr.exe
PID 3912 wrote to memory of 2336	3912	P-Order.scr.exe	P-Order.scr.exe
PID 3912 wrote to memory of 2336	3912	P-Order.scr.exe	P-Order.scr.exe
PID 3912 wrote to memory of 2336	3912	P-Order.scr.exe	P-Order.scr.exe
PID 3912 wrote to memory of 2336	3912	P-Order.scr.exe	P-Order.scr.exe
PID 3912 wrote to memory of 2336	3912	P-Order.scr.exe	P-Order.scr.exe
PID 2336 wrote to memory of 3872	2336	P-Order.scr.exe	Host.exe
PID 2336 wrote to memory of 3872	2336	P-Order.scr.exe	Host.exe
PID 2336 wrote to memory of 3872	2336	P-Order.scr.exe	Host.exe
PID 3872 wrote to memory of 2088	3872	Host.exe	schtasks.exe
PID 3872 wrote to memory of 2088	3872	Host.exe	schtasks.exe
PID 3872 wrote to memory of 2088	3872	Host.exe	schtasks.exe
PID 3872 wrote to memory of 2128	3872	Host.exe	Host.exe
PID 3872 wrote to memory of 2128	3872	Host.exe	Host.exe
PID 3872 wrote to memory of 2128	3872	Host.exe	Host.exe
PID 3872 wrote to memory of 3692	3872	Host.exe	Host.exe
PID 3872 wrote to memory of 3692	3872	Host.exe	Host.exe
PID 3872 wrote to memory of 3692	3872	Host.exe	Host.exe
PID 3872 wrote to memory of 3692	3872	Host.exe	Host.exe
PID 3872 wrote to memory of 3692	3872	Host.exe	Host.exe
PID 3872 wrote to memory of 3692	3872	Host.exe	Host.exe
PID 3872 wrote to memory of 3692	3872	Host.exe	Host.exe
PID 3872 wrote to memory of 3692	3872	Host.exe	Host.exe
PID 3872 wrote to memory of 3692	3872	Host.exe	Host.exe
PID 3872 wrote to memory of 3692	3872	Host.exe	Host.exe
PID 3872 wrote to memory of 3692	3872	Host.exe	Host.exe

C:\Users\Admin\AppData\Local\Temp\P-Order.scr.exe
"C:\Users\Admin\AppData\Local\Temp\P-Order.scr.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3912

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xEjeDK" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8E2C.tmp"
2⤵
- Creates scheduled task(s)
PID:700

C:\Users\Admin\AppData\Local\Temp\P-Order.scr.exe
"{path}"
2⤵
PID:2084

C:\Users\Admin\AppData\Local\Temp\P-Order.scr.exe
"{path}"
2⤵
- Suspicious use of WriteProcessMemory
PID:2336

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3872

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xEjeDK" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFFE.tmp"
4⤵
- Creates scheduled task(s)
PID:2088

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"{path}"
4⤵
- Executes dropped EXE
PID:2128

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"{path}"
4⤵
- Executes dropped EXE
PID:3692

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp8E2C.tmp
MD5
1ee92d3bced26244413f20b82dcabff5

SHA1
0cadeda6a8d186b60066e0d25052a64d16bd33f6

SHA256
ad45ea8d5690c92ff6146fca95a01cf85b4df87338925d97753433249cb8a0bb

SHA512
eb802cf263ee3bfb0e9ed84981ca62ed4a32141d7cf5f67cdbe60a74472d955c524b6b8c383593ff2baf255a553c9cd9546a2d4ffa889d85239b33f794cfd81e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFFE.tmp
MD5
1ee92d3bced26244413f20b82dcabff5

SHA1
0cadeda6a8d186b60066e0d25052a64d16bd33f6

SHA256
ad45ea8d5690c92ff6146fca95a01cf85b4df87338925d97753433249cb8a0bb

SHA512
eb802cf263ee3bfb0e9ed84981ca62ed4a32141d7cf5f67cdbe60a74472d955c524b6b8c383593ff2baf255a553c9cd9546a2d4ffa889d85239b33f794cfd81e

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
MD5
6cf82e76161361d385c53652fdba1992

SHA1
642276d01e7d4c7fc2fa8202025173b8abb3c221

SHA256
57d5c01633ef2f845946bf397ef571ba5c0e0afaafce8756d7811d7569f4b024

SHA512
939b26dc20dde77729f9d1ecfb9495b6bcce5a7514a44e87b2bee3dd427b967e568162b2c18e6850bbb92616452739b247e102b74f8c40bda8cad1fcc8277331

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
MD5
6cf82e76161361d385c53652fdba1992

SHA1
642276d01e7d4c7fc2fa8202025173b8abb3c221

SHA256
57d5c01633ef2f845946bf397ef571ba5c0e0afaafce8756d7811d7569f4b024

SHA512
939b26dc20dde77729f9d1ecfb9495b6bcce5a7514a44e87b2bee3dd427b967e568162b2c18e6850bbb92616452739b247e102b74f8c40bda8cad1fcc8277331

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
MD5
6cf82e76161361d385c53652fdba1992

SHA1
642276d01e7d4c7fc2fa8202025173b8abb3c221

SHA256
57d5c01633ef2f845946bf397ef571ba5c0e0afaafce8756d7811d7569f4b024

SHA512
939b26dc20dde77729f9d1ecfb9495b6bcce5a7514a44e87b2bee3dd427b967e568162b2c18e6850bbb92616452739b247e102b74f8c40bda8cad1fcc8277331

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
MD5
6cf82e76161361d385c53652fdba1992

SHA1
642276d01e7d4c7fc2fa8202025173b8abb3c221

SHA256
57d5c01633ef2f845946bf397ef571ba5c0e0afaafce8756d7811d7569f4b024

SHA512
939b26dc20dde77729f9d1ecfb9495b6bcce5a7514a44e87b2bee3dd427b967e568162b2c18e6850bbb92616452739b247e102b74f8c40bda8cad1fcc8277331

Download Submit
memory/700-124-0x0000000000000000-mapping.dmp

Download
memory/2088-142-0x0000000000000000-mapping.dmp

Download
memory/2336-133-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2336-126-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2336-127-0x000000000040242D-mapping.dmp

Download
memory/3692-146-0x000000000040242D-mapping.dmp

Download
memory/3872-139-0x0000000007D30000-0x000000000822E000-memory.dmp

Filesize
5.0MB

Download
memory/3872-128-0x0000000000000000-mapping.dmp

Download
memory/3912-114-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/3912-123-0x0000000005FF0000-0x0000000006033000-memory.dmp

Filesize
268KB

Download
memory/3912-119-0x0000000007270000-0x000000000776E000-memory.dmp

Filesize
5.0MB

Download
memory/3912-117-0x0000000007310000-0x0000000007311000-memory.dmp

Filesize
4KB

Download
memory/3912-122-0x000000000AB60000-0x000000000ABF0000-memory.dmp

Filesize
576KB

Download
memory/3912-116-0x0000000007770000-0x0000000007771000-memory.dmp

Filesize
4KB

Download
memory/3912-121-0x0000000008D90000-0x0000000008D92000-memory.dmp

Filesize
8KB

Download
memory/3912-118-0x0000000007300000-0x0000000007301000-memory.dmp

Filesize
4KB

Download
memory/3912-120-0x0000000008E50000-0x0000000008E51000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads