netwire | ff32e93cbeacbeda2437159fc90e1c0a4b6b1d7fa160a931fe80801ba6e3311d

General

Target

PO-13918.jpeg.exe
Size

814KB
MD5

39354b7b1d0dda28b95785b967621c07
SHA1

e0e21df731ac7e2bcaa1fa1ca0a3f12936a111a4
SHA256

ff32e93cbeacbeda2437159fc90e1c0a4b6b1d7fa160a931fe80801ba6e3311d
SHA512

ba6eb8b059b0ac8b420facc74c41ac0cd46e790f943c83c37902399e500239937d4424ed4e49226c2dfcd47e37ecee07f24894c67e1b0b5e43848a75f6a59619

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

C2

netwire.linkpc.net:6000

Attributes

activex_autorun
false
activex_key
copy_executable
false
delete_original
false
host_id
NETWIRE 2021
install_path
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
RRMkVNlN
offline_keylogger
true
password
chizzy25@
registry_autorun
false
startup_name
use_mutex
true

Signatures

NetWire RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/740-127-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral2/memory/740-128-0x000000000040242D-mapping.dmp	netwire
behavioral2/memory/740-129-0x0000000000400000-0x0000000000433000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Suspicious use of SetThreadContext 1 IoCs

Processes:

PO-13918.jpeg.exe

description pid process target process

PID 652 set thread context of 740 652 PO-13918.jpeg.exe PO-13918.jpeg.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1420 schtasks.exe

description	pid	process	target process
PID 652 set thread context of 740	652	PO-13918.jpeg.exe	PO-13918.jpeg.exe

pid	process
1420	schtasks.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

PO-13918.jpeg.exe

description	pid	process	target process
PID 652 wrote to memory of 1420	652	PO-13918.jpeg.exe	schtasks.exe
PID 652 wrote to memory of 1420	652	PO-13918.jpeg.exe	schtasks.exe
PID 652 wrote to memory of 1420	652	PO-13918.jpeg.exe	schtasks.exe
PID 652 wrote to memory of 740	652	PO-13918.jpeg.exe	PO-13918.jpeg.exe
PID 652 wrote to memory of 740	652	PO-13918.jpeg.exe	PO-13918.jpeg.exe
PID 652 wrote to memory of 740	652	PO-13918.jpeg.exe	PO-13918.jpeg.exe
PID 652 wrote to memory of 740	652	PO-13918.jpeg.exe	PO-13918.jpeg.exe
PID 652 wrote to memory of 740	652	PO-13918.jpeg.exe	PO-13918.jpeg.exe
PID 652 wrote to memory of 740	652	PO-13918.jpeg.exe	PO-13918.jpeg.exe
PID 652 wrote to memory of 740	652	PO-13918.jpeg.exe	PO-13918.jpeg.exe
PID 652 wrote to memory of 740	652	PO-13918.jpeg.exe	PO-13918.jpeg.exe
PID 652 wrote to memory of 740	652	PO-13918.jpeg.exe	PO-13918.jpeg.exe
PID 652 wrote to memory of 740	652	PO-13918.jpeg.exe	PO-13918.jpeg.exe
PID 652 wrote to memory of 740	652	PO-13918.jpeg.exe	PO-13918.jpeg.exe

C:\Users\Admin\AppData\Local\Temp\PO-13918.jpeg.exe
"C:\Users\Admin\AppData\Local\Temp\PO-13918.jpeg.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:652

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nPcEeWJgmfPi" /XML "C:\Users\Admin\AppData\Local\Temp\tmp641A.tmp"
2⤵
- Creates scheduled task(s)
PID:1420

C:\Users\Admin\AppData\Local\Temp\PO-13918.jpeg.exe
"C:\Users\Admin\AppData\Local\Temp\PO-13918.jpeg.exe"
2⤵
PID:740

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp641A.tmp
MD5
2cf7410b0c140a62637df71a6616c604

SHA1
b32c2a4c6bc85a8e28bab57f9ea0027a5495fedf

SHA256
bfceee3a526220ece160303044d8713b28197dad97af00658e7021ddf1b69869

SHA512
e3b4b6fcdae2bd8334df4007b6aa7298319b7a726232d5b25069c76915c9c6728e95d92d21a6a449e894e14f97478f0dee21acd2de68593a7b2b72885c669520

Download Submit
memory/652-121-0x0000000004FF0000-0x0000000004FF1000-memory.dmp

Filesize
4KB

Download
memory/652-123-0x0000000005AD0000-0x0000000005B68000-memory.dmp

Filesize
608KB

Download
memory/652-118-0x0000000004E90000-0x0000000004E91000-memory.dmp

Filesize
4KB

Download
memory/652-119-0x0000000004DB0000-0x0000000004DB1000-memory.dmp

Filesize
4KB

Download
memory/652-120-0x0000000004D50000-0x0000000004D51000-memory.dmp

Filesize
4KB

Download
memory/652-114-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/652-122-0x0000000004D70000-0x0000000004D80000-memory.dmp

Filesize
64KB

Download
memory/652-117-0x00000000052F0000-0x00000000052F1000-memory.dmp

Filesize
4KB

Download
memory/652-124-0x00000000058F0000-0x0000000005944000-memory.dmp

Filesize
336KB

Download
memory/652-116-0x0000000004CB0000-0x0000000004CB1000-memory.dmp

Filesize
4KB

Download
memory/740-127-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/740-128-0x000000000040242D-mapping.dmp

Download
memory/740-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1420-125-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads