netwire | b58c2b3f5f6fdae85220cd053a163ba7b6e2de2f85f3b6fde2ad52528f598082

General

Target

b58c2b3f5f6fdae85220cd053a163ba7b6e2de2f85f3b6fde2ad52528f598082.bin.exe
Size

256KB
MD5

3982c9643ff47aa981a446f679e332f8
SHA1

c9baff1bac6e99aa18a56532ed851c896cb5d5c9
SHA256

b58c2b3f5f6fdae85220cd053a163ba7b6e2de2f85f3b6fde2ad52528f598082
SHA512

c226600764a1f3e1fb57e96e1df966cb232f29b23aefabb7f189b6952f7e5a6c8b6a5442b29b4ff72d2b87c06a53c2ca7766e5f609d7450ac85e8211a7a6cf7f

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Extracted

Family

netwire

C2

chrisle79.ddns.net:4414

jacknop79.ddns.net:4414

smath79.ddns.net:4414

whatis79.ddns.net:4414

goodgt79.ddns.net:4414

bonding79.ddns.net:4414

Attributes

activex_autorun
false
activex_key
copy_executable
false
delete_original
false
host_id
June 2021
install_path
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
offline_keylogger
true
password
Password2$
registry_autorun
false
startup_name
use_mutex
false

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

b58c2b3f5f6fdae85220cd053a163ba7b6e2de2f85f3b6fde2ad52528f598082.bin.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\kAt04XL5n9TRa34v\\ED3F82GwGGS7.exe\",explorer.exe"	b58c2b3f5f6fdae85220cd053a163ba7b6e2de2f85f3b6fde2ad52528f598082.bin.exe

NetWire RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1040-115-0x0000000000400000-0x0000000000436000-memory.dmp	netwire
behavioral2/memory/1040-116-0x0000000000402453-mapping.dmp	netwire
behavioral2/memory/1040-120-0x0000000000400000-0x0000000000436000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Suspicious use of SetThreadContext 1 IoCs

Processes:

b58c2b3f5f6fdae85220cd053a163ba7b6e2de2f85f3b6fde2ad52528f598082.bin.exe

description	pid	process	target process
PID 3872 set thread context of 1040	3872	b58c2b3f5f6fdae85220cd053a163ba7b6e2de2f85f3b6fde2ad52528f598082.bin.exe	b58c2b3f5f6fdae85220cd053a163ba7b6e2de2f85f3b6fde2ad52528f598082.bin.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3704 1040 WerFault.exe b58c2b3f5f6fdae85220cd053a163ba7b6e2de2f85f3b6fde2ad52528f598082.bin.exe

pid	pid_target	process	target process
3704	1040	WerFault.exe	b58c2b3f5f6fdae85220cd053a163ba7b6e2de2f85f3b6fde2ad52528f598082.bin.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

Processes:

b58c2b3f5f6fdae85220cd053a163ba7b6e2de2f85f3b6fde2ad52528f598082.bin.exeWerFault.exe

pid	process
3872	b58c2b3f5f6fdae85220cd053a163ba7b6e2de2f85f3b6fde2ad52528f598082.bin.exe
3872	b58c2b3f5f6fdae85220cd053a163ba7b6e2de2f85f3b6fde2ad52528f598082.bin.exe
3704	WerFault.exe
3704	WerFault.exe
3704	WerFault.exe
3704	WerFault.exe
3704	WerFault.exe
3704	WerFault.exe
3704	WerFault.exe
3704	WerFault.exe
3704	WerFault.exe
3704	WerFault.exe
3704	WerFault.exe
3704	WerFault.exe
3704	WerFault.exe
3704	WerFault.exe
3704	WerFault.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

b58c2b3f5f6fdae85220cd053a163ba7b6e2de2f85f3b6fde2ad52528f598082.bin.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	3872	b58c2b3f5f6fdae85220cd053a163ba7b6e2de2f85f3b6fde2ad52528f598082.bin.exe
Token: SeDebugPrivilege	3872	b58c2b3f5f6fdae85220cd053a163ba7b6e2de2f85f3b6fde2ad52528f598082.bin.exe
Token: SeRestorePrivilege	3704	WerFault.exe
Token: SeBackupPrivilege	3704	WerFault.exe
Token: SeDebugPrivilege	3704	WerFault.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

b58c2b3f5f6fdae85220cd053a163ba7b6e2de2f85f3b6fde2ad52528f598082.bin.exe

description	pid	process	target process
PID 3872 wrote to memory of 1040	3872	b58c2b3f5f6fdae85220cd053a163ba7b6e2de2f85f3b6fde2ad52528f598082.bin.exe	b58c2b3f5f6fdae85220cd053a163ba7b6e2de2f85f3b6fde2ad52528f598082.bin.exe
PID 3872 wrote to memory of 1040	3872	b58c2b3f5f6fdae85220cd053a163ba7b6e2de2f85f3b6fde2ad52528f598082.bin.exe	b58c2b3f5f6fdae85220cd053a163ba7b6e2de2f85f3b6fde2ad52528f598082.bin.exe
PID 3872 wrote to memory of 1040	3872	b58c2b3f5f6fdae85220cd053a163ba7b6e2de2f85f3b6fde2ad52528f598082.bin.exe	b58c2b3f5f6fdae85220cd053a163ba7b6e2de2f85f3b6fde2ad52528f598082.bin.exe
PID 3872 wrote to memory of 1040	3872	b58c2b3f5f6fdae85220cd053a163ba7b6e2de2f85f3b6fde2ad52528f598082.bin.exe	b58c2b3f5f6fdae85220cd053a163ba7b6e2de2f85f3b6fde2ad52528f598082.bin.exe
PID 3872 wrote to memory of 1040	3872	b58c2b3f5f6fdae85220cd053a163ba7b6e2de2f85f3b6fde2ad52528f598082.bin.exe	b58c2b3f5f6fdae85220cd053a163ba7b6e2de2f85f3b6fde2ad52528f598082.bin.exe
PID 3872 wrote to memory of 1040	3872	b58c2b3f5f6fdae85220cd053a163ba7b6e2de2f85f3b6fde2ad52528f598082.bin.exe	b58c2b3f5f6fdae85220cd053a163ba7b6e2de2f85f3b6fde2ad52528f598082.bin.exe
PID 3872 wrote to memory of 1040	3872	b58c2b3f5f6fdae85220cd053a163ba7b6e2de2f85f3b6fde2ad52528f598082.bin.exe	b58c2b3f5f6fdae85220cd053a163ba7b6e2de2f85f3b6fde2ad52528f598082.bin.exe
PID 3872 wrote to memory of 1040	3872	b58c2b3f5f6fdae85220cd053a163ba7b6e2de2f85f3b6fde2ad52528f598082.bin.exe	b58c2b3f5f6fdae85220cd053a163ba7b6e2de2f85f3b6fde2ad52528f598082.bin.exe
PID 3872 wrote to memory of 1040	3872	b58c2b3f5f6fdae85220cd053a163ba7b6e2de2f85f3b6fde2ad52528f598082.bin.exe	b58c2b3f5f6fdae85220cd053a163ba7b6e2de2f85f3b6fde2ad52528f598082.bin.exe
PID 3872 wrote to memory of 1040	3872	b58c2b3f5f6fdae85220cd053a163ba7b6e2de2f85f3b6fde2ad52528f598082.bin.exe	b58c2b3f5f6fdae85220cd053a163ba7b6e2de2f85f3b6fde2ad52528f598082.bin.exe
PID 3872 wrote to memory of 1040	3872	b58c2b3f5f6fdae85220cd053a163ba7b6e2de2f85f3b6fde2ad52528f598082.bin.exe	b58c2b3f5f6fdae85220cd053a163ba7b6e2de2f85f3b6fde2ad52528f598082.bin.exe

C:\Users\Admin\AppData\Local\Temp\b58c2b3f5f6fdae85220cd053a163ba7b6e2de2f85f3b6fde2ad52528f598082.bin.exe
"C:\Users\Admin\AppData\Local\Temp\b58c2b3f5f6fdae85220cd053a163ba7b6e2de2f85f3b6fde2ad52528f598082.bin.exe"
1⤵
- Modifies WinLogon for persistence
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3872

C:\Users\Admin\AppData\Local\Temp\b58c2b3f5f6fdae85220cd053a163ba7b6e2de2f85f3b6fde2ad52528f598082.bin.exe
"C:\Users\Admin\AppData\Local\Temp\b58c2b3f5f6fdae85220cd053a163ba7b6e2de2f85f3b6fde2ad52528f598082.bin.exe"
2⤵
PID:1040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1040 -s 484
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3704

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1040-115-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1040-116-0x0000000000402453-mapping.dmp

Download
memory/1040-117-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/1040-120-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3872-114-0x0000000003160000-0x0000000003161000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads