netwire | f1079cf4bfcc93d98a75ee56bac5fc02f9e8bbb2bf255f7c3d0b25504c539e40

General

Target

Order.exe
Size

853KB
MD5

103362e59d9fd456e9ce47da23e14e4f
SHA1

5f557d79f1085f1e05da881204d341f2c82b20b9
SHA256

f1079cf4bfcc93d98a75ee56bac5fc02f9e8bbb2bf255f7c3d0b25504c539e40
SHA512

b20e271dfebd76f3353374026eb5b9633f75c3fe359d7c2e17af40b8470b91ff059b757148c11f0287e3d833db3523695035c3313230d8e6662456f928eead6e

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

C2

37.120.234.120:19792

Attributes

activex_autorun
false
activex_key
copy_executable
true
delete_original
false
host_id
HostId-%Rand%
install_path
%AppData%\Install\Host.exe
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
FvEKqKqS
offline_keylogger
true
password
Password
registry_autorun
false
startup_name
use_mutex
true

Signatures

NetWire RAT payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1656-68-0x000000000040242D-mapping.dmp	netwire
behavioral1/memory/1656-67-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/1656-77-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/2040-84-0x000000000040242D-mapping.dmp	netwire
behavioral1/memory/2040-87-0x0000000000400000-0x0000000000433000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 2 IoCs

Processes:

Host.exeHost.exe

pid process

1912 Host.exe
2040 Host.exe
Loads dropped DLL 1 IoCs

Processes:

Order.exe

pid process

1656 Order.exe
Suspicious use of SetThreadContext 2 IoCs

Processes:

Order.exeHost.exe

description pid process target process

PID 1728 set thread context of 1656 1728 Order.exe Order.exe
PID 1912 set thread context of 2040 1912 Host.exe Host.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1048 schtasks.exe
540 schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Order.exeHost.exe

pid process

1728 Order.exe
1728 Order.exe
1728 Order.exe
1912 Host.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Order.exeHost.exe

description pid process

Token: SeDebugPrivilege 1728 Order.exe
Token: SeDebugPrivilege 1912 Host.exe

pid	process
1912	Host.exe
2040	Host.exe

pid	process
1656	Order.exe

description	pid	process	target process
PID 1728 set thread context of 1656	1728	Order.exe	Order.exe
PID 1912 set thread context of 2040	1912	Host.exe	Host.exe

pid	process
1048	schtasks.exe
540	schtasks.exe

pid	process
1728	Order.exe
1728	Order.exe
1728	Order.exe
1912	Host.exe

description	pid	process
Token: SeDebugPrivilege	1728	Order.exe
Token: SeDebugPrivilege	1912	Host.exe

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

Order.exeOrder.exeHost.exe

description	pid	process	target process
PID 1728 wrote to memory of 1048	1728	Order.exe	schtasks.exe
PID 1728 wrote to memory of 1048	1728	Order.exe	schtasks.exe
PID 1728 wrote to memory of 1048	1728	Order.exe	schtasks.exe
PID 1728 wrote to memory of 1048	1728	Order.exe	schtasks.exe
PID 1728 wrote to memory of 512	1728	Order.exe	Order.exe
PID 1728 wrote to memory of 512	1728	Order.exe	Order.exe
PID 1728 wrote to memory of 512	1728	Order.exe	Order.exe
PID 1728 wrote to memory of 512	1728	Order.exe	Order.exe
PID 1728 wrote to memory of 1656	1728	Order.exe	Order.exe
PID 1728 wrote to memory of 1656	1728	Order.exe	Order.exe
PID 1728 wrote to memory of 1656	1728	Order.exe	Order.exe
PID 1728 wrote to memory of 1656	1728	Order.exe	Order.exe
PID 1728 wrote to memory of 1656	1728	Order.exe	Order.exe
PID 1728 wrote to memory of 1656	1728	Order.exe	Order.exe
PID 1728 wrote to memory of 1656	1728	Order.exe	Order.exe
PID 1728 wrote to memory of 1656	1728	Order.exe	Order.exe
PID 1728 wrote to memory of 1656	1728	Order.exe	Order.exe
PID 1728 wrote to memory of 1656	1728	Order.exe	Order.exe
PID 1728 wrote to memory of 1656	1728	Order.exe	Order.exe
PID 1728 wrote to memory of 1656	1728	Order.exe	Order.exe
PID 1656 wrote to memory of 1912	1656	Order.exe	Host.exe
PID 1656 wrote to memory of 1912	1656	Order.exe	Host.exe
PID 1656 wrote to memory of 1912	1656	Order.exe	Host.exe
PID 1656 wrote to memory of 1912	1656	Order.exe	Host.exe
PID 1912 wrote to memory of 540	1912	Host.exe	schtasks.exe
PID 1912 wrote to memory of 540	1912	Host.exe	schtasks.exe
PID 1912 wrote to memory of 540	1912	Host.exe	schtasks.exe
PID 1912 wrote to memory of 540	1912	Host.exe	schtasks.exe
PID 1912 wrote to memory of 2040	1912	Host.exe	Host.exe
PID 1912 wrote to memory of 2040	1912	Host.exe	Host.exe
PID 1912 wrote to memory of 2040	1912	Host.exe	Host.exe
PID 1912 wrote to memory of 2040	1912	Host.exe	Host.exe
PID 1912 wrote to memory of 2040	1912	Host.exe	Host.exe
PID 1912 wrote to memory of 2040	1912	Host.exe	Host.exe
PID 1912 wrote to memory of 2040	1912	Host.exe	Host.exe
PID 1912 wrote to memory of 2040	1912	Host.exe	Host.exe
PID 1912 wrote to memory of 2040	1912	Host.exe	Host.exe
PID 1912 wrote to memory of 2040	1912	Host.exe	Host.exe
PID 1912 wrote to memory of 2040	1912	Host.exe	Host.exe
PID 1912 wrote to memory of 2040	1912	Host.exe	Host.exe

C:\Users\Admin\AppData\Local\Temp\Order.exe
"C:\Users\Admin\AppData\Local\Temp\Order.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1728

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vabtzuyh" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7F2E.tmp"
2⤵
- Creates scheduled task(s)
PID:1048

C:\Users\Admin\AppData\Local\Temp\Order.exe
"{path}"
2⤵
PID:512

C:\Users\Admin\AppData\Local\Temp\Order.exe
"{path}"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1656

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1912

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vabtzuyh" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3C16.tmp"
4⤵
- Creates scheduled task(s)
PID:540

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"{path}"
4⤵
- Executes dropped EXE
PID:2040

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp3C16.tmp
MD5
756d231844c087f87e2146dfc6acea27

SHA1
8ab29ebcedfce697dbf6bd592df013e08fef7e06

SHA256
4114b906de8a9838975ede7031daff6c4a9d10e47ce8ef4ef55e2a457acb365c

SHA512
fa5318db1803d5c7cce2c1503f429a294cd3e289ade4f59cdbae9feae738ff630417ad59e07966d7c622dc7bcef71e6d357445f1e9a76640b8175cd3bd80e056

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7F2E.tmp
MD5
756d231844c087f87e2146dfc6acea27

SHA1
8ab29ebcedfce697dbf6bd592df013e08fef7e06

SHA256
4114b906de8a9838975ede7031daff6c4a9d10e47ce8ef4ef55e2a457acb365c

SHA512
fa5318db1803d5c7cce2c1503f429a294cd3e289ade4f59cdbae9feae738ff630417ad59e07966d7c622dc7bcef71e6d357445f1e9a76640b8175cd3bd80e056

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
MD5
103362e59d9fd456e9ce47da23e14e4f

SHA1
5f557d79f1085f1e05da881204d341f2c82b20b9

SHA256
f1079cf4bfcc93d98a75ee56bac5fc02f9e8bbb2bf255f7c3d0b25504c539e40

SHA512
b20e271dfebd76f3353374026eb5b9633f75c3fe359d7c2e17af40b8470b91ff059b757148c11f0287e3d833db3523695035c3313230d8e6662456f928eead6e

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
MD5
103362e59d9fd456e9ce47da23e14e4f

SHA1
5f557d79f1085f1e05da881204d341f2c82b20b9

SHA256
f1079cf4bfcc93d98a75ee56bac5fc02f9e8bbb2bf255f7c3d0b25504c539e40

SHA512
b20e271dfebd76f3353374026eb5b9633f75c3fe359d7c2e17af40b8470b91ff059b757148c11f0287e3d833db3523695035c3313230d8e6662456f928eead6e

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
MD5
103362e59d9fd456e9ce47da23e14e4f

SHA1
5f557d79f1085f1e05da881204d341f2c82b20b9

SHA256
f1079cf4bfcc93d98a75ee56bac5fc02f9e8bbb2bf255f7c3d0b25504c539e40

SHA512
b20e271dfebd76f3353374026eb5b9633f75c3fe359d7c2e17af40b8470b91ff059b757148c11f0287e3d833db3523695035c3313230d8e6662456f928eead6e

Download Submit
\Users\Admin\AppData\Roaming\Install\Host.exe
MD5
103362e59d9fd456e9ce47da23e14e4f

SHA1
5f557d79f1085f1e05da881204d341f2c82b20b9

SHA256
f1079cf4bfcc93d98a75ee56bac5fc02f9e8bbb2bf255f7c3d0b25504c539e40

SHA512
b20e271dfebd76f3353374026eb5b9633f75c3fe359d7c2e17af40b8470b91ff059b757148c11f0287e3d833db3523695035c3313230d8e6662456f928eead6e

Download Submit
memory/540-81-0x0000000000000000-mapping.dmp

Download
memory/1048-65-0x0000000000000000-mapping.dmp

Download
memory/1656-69-0x00000000753E1000-0x00000000753E3000-memory.dmp

Filesize
8KB

Download
memory/1656-68-0x000000000040242D-mapping.dmp

Download
memory/1656-67-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1656-77-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1728-63-0x0000000005210000-0x00000000052C7000-memory.dmp

Filesize
732KB

Download
memory/1728-59-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1728-64-0x0000000004E80000-0x0000000004EEB000-memory.dmp

Filesize
428KB

Download
memory/1728-61-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/1728-62-0x0000000000440000-0x0000000000442000-memory.dmp

Filesize
8KB

Download
memory/1912-71-0x0000000000000000-mapping.dmp

Download
memory/1912-78-0x0000000004DF0000-0x0000000004DF1000-memory.dmp

Filesize
4KB

Download
memory/1912-74-0x0000000000D60000-0x0000000000D61000-memory.dmp

Filesize
4KB

Download
memory/2040-84-0x000000000040242D-mapping.dmp

Download
memory/2040-87-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads