netwire | 8564faf328ce5c253f4b6b3462402634e64ce8caefeb18428c2dcb4d454ee996

General

Target

3loyaSLADo1ZNLp.exe
Size

1.1MB
MD5

6446daba47a6a46d3f10a1c3504223d0
SHA1

e97d50eb97e3f4d70680d43c2d18c418e207e4fe
SHA256

8564faf328ce5c253f4b6b3462402634e64ce8caefeb18428c2dcb4d454ee996
SHA512

1a33ca90af589f6b8ec0d41836a96c5d1d712fd01818d44c096db9839e7f8e873fed5d191b36911de29f1243bc260c1301328f97d7f3a5f8312ad04853db792d

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

C2

dxyasser0.zapto.org:1212

Attributes

activex_autorun
false
activex_key
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
install_path
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
offline_keylogger
true
password
123
registry_autorun
false
startup_name
use_mutex
false

Signatures

NetWire RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2884-137-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral2/memory/2884-138-0x000000000040242D-mapping.dmp	netwire
behavioral2/memory/2884-147-0x0000000000400000-0x0000000000433000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Suspicious use of SetThreadContext 1 IoCs

Processes:

3loyaSLADo1ZNLp.exe

description pid process target process

PID 3716 set thread context of 2884 3716 3loyaSLADo1ZNLp.exe RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3840 schtasks.exe

description	pid	process	target process
PID 3716 set thread context of 2884	3716	3loyaSLADo1ZNLp.exe	RegSvcs.exe

pid	process
3840	schtasks.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid	process
2444	powershell.exe
1328	powershell.exe
3724	powershell.exe
1328	powershell.exe
3724	powershell.exe
2444	powershell.exe
3724	powershell.exe
1328	powershell.exe
2444	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1328 powershell.exe
Token: SeDebugPrivilege 3724 powershell.exe
Token: SeDebugPrivilege 2444 powershell.exe

description	pid	process
Token: SeDebugPrivilege	1328	powershell.exe
Token: SeDebugPrivilege	3724	powershell.exe
Token: SeDebugPrivilege	2444	powershell.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

3loyaSLADo1ZNLp.exe

description	pid	process	target process
PID 3716 wrote to memory of 1328	3716	3loyaSLADo1ZNLp.exe	powershell.exe
PID 3716 wrote to memory of 1328	3716	3loyaSLADo1ZNLp.exe	powershell.exe
PID 3716 wrote to memory of 1328	3716	3loyaSLADo1ZNLp.exe	powershell.exe
PID 3716 wrote to memory of 3724	3716	3loyaSLADo1ZNLp.exe	powershell.exe
PID 3716 wrote to memory of 3724	3716	3loyaSLADo1ZNLp.exe	powershell.exe
PID 3716 wrote to memory of 3724	3716	3loyaSLADo1ZNLp.exe	powershell.exe
PID 3716 wrote to memory of 3840	3716	3loyaSLADo1ZNLp.exe	schtasks.exe
PID 3716 wrote to memory of 3840	3716	3loyaSLADo1ZNLp.exe	schtasks.exe
PID 3716 wrote to memory of 3840	3716	3loyaSLADo1ZNLp.exe	schtasks.exe
PID 3716 wrote to memory of 2444	3716	3loyaSLADo1ZNLp.exe	powershell.exe
PID 3716 wrote to memory of 2444	3716	3loyaSLADo1ZNLp.exe	powershell.exe
PID 3716 wrote to memory of 2444	3716	3loyaSLADo1ZNLp.exe	powershell.exe
PID 3716 wrote to memory of 2884	3716	3loyaSLADo1ZNLp.exe	RegSvcs.exe
PID 3716 wrote to memory of 2884	3716	3loyaSLADo1ZNLp.exe	RegSvcs.exe
PID 3716 wrote to memory of 2884	3716	3loyaSLADo1ZNLp.exe	RegSvcs.exe
PID 3716 wrote to memory of 2884	3716	3loyaSLADo1ZNLp.exe	RegSvcs.exe
PID 3716 wrote to memory of 2884	3716	3loyaSLADo1ZNLp.exe	RegSvcs.exe
PID 3716 wrote to memory of 2884	3716	3loyaSLADo1ZNLp.exe	RegSvcs.exe
PID 3716 wrote to memory of 2884	3716	3loyaSLADo1ZNLp.exe	RegSvcs.exe
PID 3716 wrote to memory of 2884	3716	3loyaSLADo1ZNLp.exe	RegSvcs.exe
PID 3716 wrote to memory of 2884	3716	3loyaSLADo1ZNLp.exe	RegSvcs.exe
PID 3716 wrote to memory of 2884	3716	3loyaSLADo1ZNLp.exe	RegSvcs.exe
PID 3716 wrote to memory of 2884	3716	3loyaSLADo1ZNLp.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\3loyaSLADo1ZNLp.exe
"C:\Users\Admin\AppData\Local\Temp\3loyaSLADo1ZNLp.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3716

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3loyaSLADo1ZNLp.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1328

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\CShpLsZqsIKINW.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3724

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CShpLsZqsIKINW" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2674.tmp"
2⤵
- Creates scheduled task(s)
PID:3840

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\CShpLsZqsIKINW.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2444

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
PID:2884

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
34cbce7a86066983ddec1c5c7316fa24

SHA1
a1135a1ddbfd3ae8079f7e449d7978fdb92f3bd9

SHA256
23bf6d99f757f6728c8c896676b0707e190e1acb80ec8758696fa3efa8d6cb42

SHA512
f6537a61341ef316200de61d4185d7fdf8169fa5f01446241d34dc74ffdf9edfd520c5d06d54c9df8a8d1eb0eeab53141d75c88f157b72cbcb6b7f0bdb84e769

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
34cbce7a86066983ddec1c5c7316fa24

SHA1
a1135a1ddbfd3ae8079f7e449d7978fdb92f3bd9

SHA256
23bf6d99f757f6728c8c896676b0707e190e1acb80ec8758696fa3efa8d6cb42

SHA512
f6537a61341ef316200de61d4185d7fdf8169fa5f01446241d34dc74ffdf9edfd520c5d06d54c9df8a8d1eb0eeab53141d75c88f157b72cbcb6b7f0bdb84e769

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
0c2e4020054c5f589315446f4f05daa9

SHA1
556e3f29760280582cdd20bb6ee79aa2a7b23d4b

SHA256
ae34b0a9520429b5bb88dc2b2aae87147e8e40e9a1ed567887537cbacc83e2e8

SHA512
4a7dc444a37179eb042d5ab999e4e916b3b466a51f4e1f8ac93451a2784d9b8b8709e0c24f140b4e65ebf61c01e45f85ebde3f9ea6b4e743cd1a08016db956c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
0c2e4020054c5f589315446f4f05daa9

SHA1
556e3f29760280582cdd20bb6ee79aa2a7b23d4b

SHA256
ae34b0a9520429b5bb88dc2b2aae87147e8e40e9a1ed567887537cbacc83e2e8

SHA512
4a7dc444a37179eb042d5ab999e4e916b3b466a51f4e1f8ac93451a2784d9b8b8709e0c24f140b4e65ebf61c01e45f85ebde3f9ea6b4e743cd1a08016db956c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2674.tmp
MD5
560b26b575dfd1977420d4d906d7b9bf

SHA1
87ebb0ecaae449a4a61375b9b17bbd6a9817eb7e

SHA256
bdae4734b43349b52938dcad85f6d319e2ffc73bc29cc4348b161525174133c4

SHA512
95a92a6dff1cbbe4d19eaf441fe55d075972b70d1aa7fca9e341227b941d3c89d5b166db7eef4f443b3b6ce6b2d62c03b054bbdff12bac292eaae0569a5b1b7a

Download Submit
memory/1328-192-0x0000000008A40000-0x0000000008A73000-memory.dmp

Filesize
204KB

Download
memory/1328-143-0x0000000006900000-0x0000000006901000-memory.dmp

Filesize
4KB

Download
memory/1328-257-0x0000000006903000-0x0000000006904000-memory.dmp

Filesize
4KB

Download
memory/1328-225-0x000000007EFF0000-0x000000007EFF1000-memory.dmp

Filesize
4KB

Download
memory/1328-124-0x0000000000000000-mapping.dmp

Download
memory/1328-213-0x0000000006810000-0x0000000006811000-memory.dmp

Filesize
4KB

Download
memory/1328-128-0x0000000000D00000-0x0000000000D01000-memory.dmp

Filesize
4KB

Download
memory/1328-144-0x0000000006902000-0x0000000006903000-memory.dmp

Filesize
4KB

Download
memory/1328-133-0x0000000006F40000-0x0000000006F41000-memory.dmp

Filesize
4KB

Download
memory/2444-148-0x0000000007190000-0x0000000007191000-memory.dmp

Filesize
4KB

Download
memory/2444-156-0x0000000007FC0000-0x0000000007FC1000-memory.dmp

Filesize
4KB

Download
memory/2444-254-0x0000000007193000-0x0000000007194000-memory.dmp

Filesize
4KB

Download
memory/2444-136-0x0000000000000000-mapping.dmp

Download
memory/2444-228-0x000000007F1D0000-0x000000007F1D1000-memory.dmp

Filesize
4KB

Download
memory/2444-163-0x00000000080B0000-0x00000000080B1000-memory.dmp

Filesize
4KB

Download
memory/2444-149-0x0000000007192000-0x0000000007193000-memory.dmp

Filesize
4KB

Download
memory/2444-159-0x00000000080E0000-0x00000000080E1000-memory.dmp

Filesize
4KB

Download
memory/2444-150-0x0000000007F20000-0x0000000007F21000-memory.dmp

Filesize
4KB

Download
memory/2884-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2884-138-0x000000000040242D-mapping.dmp

Download
memory/2884-147-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3716-123-0x00000000057A0000-0x00000000057DD000-memory.dmp

Filesize
244KB

Download
memory/3716-120-0x0000000007520000-0x0000000007521000-memory.dmp

Filesize
4KB

Download
memory/3716-121-0x0000000004A90000-0x0000000004A9F000-memory.dmp

Filesize
60KB

Download
memory/3716-116-0x0000000007990000-0x0000000007991000-memory.dmp

Filesize
4KB

Download
memory/3716-117-0x0000000007570000-0x0000000007571000-memory.dmp

Filesize
4KB

Download
memory/3716-118-0x0000000007610000-0x0000000007611000-memory.dmp

Filesize
4KB

Download
memory/3716-119-0x0000000007490000-0x000000000798E000-memory.dmp

Filesize
5.0MB

Download
memory/3716-114-0x00000000005D0000-0x00000000005D1000-memory.dmp

Filesize
4KB

Download
memory/3716-122-0x0000000001060000-0x00000000010D2000-memory.dmp

Filesize
456KB

Download
memory/3724-165-0x0000000008060000-0x0000000008061000-memory.dmp

Filesize
4KB

Download
memory/3724-231-0x000000007EC30000-0x000000007EC31000-memory.dmp

Filesize
4KB

Download
memory/3724-250-0x0000000004AF3000-0x0000000004AF4000-memory.dmp

Filesize
4KB

Download
memory/3724-145-0x0000000004AF0000-0x0000000004AF1000-memory.dmp

Filesize
4KB

Download
memory/3724-127-0x0000000000000000-mapping.dmp

Download
memory/3724-168-0x0000000008370000-0x0000000008371000-memory.dmp

Filesize
4KB

Download
memory/3724-153-0x0000000007AB0000-0x0000000007AB1000-memory.dmp

Filesize
4KB

Download
memory/3724-162-0x0000000007BB0000-0x0000000007BB1000-memory.dmp

Filesize
4KB

Download
memory/3724-146-0x0000000004AF2000-0x0000000004AF3000-memory.dmp

Filesize
4KB

Download
memory/3840-129-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads