netwire | f1079cf4bfcc93d98a75ee56bac5fc02f9e8bbb2bf255f7c3d0b25504c539e40

General

Target

Order.exe
Size

853KB
MD5

103362e59d9fd456e9ce47da23e14e4f
SHA1

5f557d79f1085f1e05da881204d341f2c82b20b9
SHA256

f1079cf4bfcc93d98a75ee56bac5fc02f9e8bbb2bf255f7c3d0b25504c539e40
SHA512

b20e271dfebd76f3353374026eb5b9633f75c3fe359d7c2e17af40b8470b91ff059b757148c11f0287e3d833db3523695035c3313230d8e6662456f928eead6e

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

C2

37.120.234.120:19792

Attributes

activex_autorun
false
activex_key
copy_executable
true
delete_original
false
host_id
HostId-%Rand%
install_path
%AppData%\Install\Host.exe
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
FvEKqKqS
offline_keylogger
true
password
Password
registry_autorun
false
startup_name
use_mutex
true

Signatures

NetWire RAT payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1540-126-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral2/memory/1540-127-0x000000000040242D-mapping.dmp	netwire
behavioral2/memory/1540-128-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral2/memory/2276-139-0x00000000056F0000-0x0000000005BEE000-memory.dmp	netwire
behavioral2/memory/3880-145-0x000000000040242D-mapping.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 2 IoCs

Processes:

Host.exeHost.exe

pid process

2276 Host.exe
3880 Host.exe
Suspicious use of SetThreadContext 2 IoCs

Processes:

Order.exeHost.exe

description pid process target process

PID 992 set thread context of 1540 992 Order.exe Order.exe
PID 2276 set thread context of 3880 2276 Host.exe Host.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1380 schtasks.exe
2304 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Order.exeHost.exe

pid process

992 Order.exe
2276 Host.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Order.exeHost.exe

description pid process

Token: SeDebugPrivilege 992 Order.exe
Token: SeDebugPrivilege 2276 Host.exe

pid	process
2276	Host.exe
3880	Host.exe

description	pid	process	target process
PID 992 set thread context of 1540	992	Order.exe	Order.exe
PID 2276 set thread context of 3880	2276	Host.exe	Host.exe

pid	process
1380	schtasks.exe
2304	schtasks.exe

pid	process
992	Order.exe
2276	Host.exe

description	pid	process
Token: SeDebugPrivilege	992	Order.exe
Token: SeDebugPrivilege	2276	Host.exe

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

Order.exeOrder.exeHost.exe

description	pid	process	target process
PID 992 wrote to memory of 1380	992	Order.exe	schtasks.exe
PID 992 wrote to memory of 1380	992	Order.exe	schtasks.exe
PID 992 wrote to memory of 1380	992	Order.exe	schtasks.exe
PID 992 wrote to memory of 1540	992	Order.exe	Order.exe
PID 992 wrote to memory of 1540	992	Order.exe	Order.exe
PID 992 wrote to memory of 1540	992	Order.exe	Order.exe
PID 992 wrote to memory of 1540	992	Order.exe	Order.exe
PID 992 wrote to memory of 1540	992	Order.exe	Order.exe
PID 992 wrote to memory of 1540	992	Order.exe	Order.exe
PID 992 wrote to memory of 1540	992	Order.exe	Order.exe
PID 992 wrote to memory of 1540	992	Order.exe	Order.exe
PID 992 wrote to memory of 1540	992	Order.exe	Order.exe
PID 992 wrote to memory of 1540	992	Order.exe	Order.exe
PID 992 wrote to memory of 1540	992	Order.exe	Order.exe
PID 1540 wrote to memory of 2276	1540	Order.exe	Host.exe
PID 1540 wrote to memory of 2276	1540	Order.exe	Host.exe
PID 1540 wrote to memory of 2276	1540	Order.exe	Host.exe
PID 2276 wrote to memory of 2304	2276	Host.exe	schtasks.exe
PID 2276 wrote to memory of 2304	2276	Host.exe	schtasks.exe
PID 2276 wrote to memory of 2304	2276	Host.exe	schtasks.exe
PID 2276 wrote to memory of 3880	2276	Host.exe	Host.exe
PID 2276 wrote to memory of 3880	2276	Host.exe	Host.exe
PID 2276 wrote to memory of 3880	2276	Host.exe	Host.exe
PID 2276 wrote to memory of 3880	2276	Host.exe	Host.exe
PID 2276 wrote to memory of 3880	2276	Host.exe	Host.exe
PID 2276 wrote to memory of 3880	2276	Host.exe	Host.exe
PID 2276 wrote to memory of 3880	2276	Host.exe	Host.exe
PID 2276 wrote to memory of 3880	2276	Host.exe	Host.exe
PID 2276 wrote to memory of 3880	2276	Host.exe	Host.exe
PID 2276 wrote to memory of 3880	2276	Host.exe	Host.exe
PID 2276 wrote to memory of 3880	2276	Host.exe	Host.exe

C:\Users\Admin\AppData\Local\Temp\Order.exe
"C:\Users\Admin\AppData\Local\Temp\Order.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:992

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vabtzuyh" /XML "C:\Users\Admin\AppData\Local\Temp\tmp58CF.tmp"
2⤵
- Creates scheduled task(s)
PID:1380

C:\Users\Admin\AppData\Local\Temp\Order.exe
"{path}"
2⤵
- Suspicious use of WriteProcessMemory
PID:1540

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2276

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vabtzuyh" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1A4A.tmp"
4⤵
- Creates scheduled task(s)
PID:2304

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"{path}"
4⤵
- Executes dropped EXE
PID:3880

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp1A4A.tmp
MD5
d56ec2d86d030b1848c5dc2c46582fe1

SHA1
4085bbe2596a8f6d93f5f0f724b06661c198d8a6

SHA256
216b2bf04f71da8d00ebb1e091be5bdcf35f1548f5f58eab432c677654499e0b

SHA512
5965e994fbe0622e5d7771e9b4b1aa1e19b4184b5047deed1d22b4f415c5f6052fd057012ffa111875f6a1707fbb391db9c98348652c9dac0c9d8916c4f79aba

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp58CF.tmp
MD5
d56ec2d86d030b1848c5dc2c46582fe1

SHA1
4085bbe2596a8f6d93f5f0f724b06661c198d8a6

SHA256
216b2bf04f71da8d00ebb1e091be5bdcf35f1548f5f58eab432c677654499e0b

SHA512
5965e994fbe0622e5d7771e9b4b1aa1e19b4184b5047deed1d22b4f415c5f6052fd057012ffa111875f6a1707fbb391db9c98348652c9dac0c9d8916c4f79aba

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
MD5
103362e59d9fd456e9ce47da23e14e4f

SHA1
5f557d79f1085f1e05da881204d341f2c82b20b9

SHA256
f1079cf4bfcc93d98a75ee56bac5fc02f9e8bbb2bf255f7c3d0b25504c539e40

SHA512
b20e271dfebd76f3353374026eb5b9633f75c3fe359d7c2e17af40b8470b91ff059b757148c11f0287e3d833db3523695035c3313230d8e6662456f928eead6e

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
MD5
103362e59d9fd456e9ce47da23e14e4f

SHA1
5f557d79f1085f1e05da881204d341f2c82b20b9

SHA256
f1079cf4bfcc93d98a75ee56bac5fc02f9e8bbb2bf255f7c3d0b25504c539e40

SHA512
b20e271dfebd76f3353374026eb5b9633f75c3fe359d7c2e17af40b8470b91ff059b757148c11f0287e3d833db3523695035c3313230d8e6662456f928eead6e

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
MD5
103362e59d9fd456e9ce47da23e14e4f

SHA1
5f557d79f1085f1e05da881204d341f2c82b20b9

SHA256
f1079cf4bfcc93d98a75ee56bac5fc02f9e8bbb2bf255f7c3d0b25504c539e40

SHA512
b20e271dfebd76f3353374026eb5b9633f75c3fe359d7c2e17af40b8470b91ff059b757148c11f0287e3d833db3523695035c3313230d8e6662456f928eead6e

Download Submit
memory/992-114-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/992-116-0x0000000004E70000-0x0000000004E71000-memory.dmp

Filesize
4KB

Download
memory/992-122-0x0000000006580000-0x0000000006637000-memory.dmp

Filesize
732KB

Download
memory/992-123-0x000000000A970000-0x000000000A9DB000-memory.dmp

Filesize
428KB

Download
memory/992-117-0x0000000004A10000-0x0000000004A11000-memory.dmp

Filesize
4KB

Download
memory/992-121-0x0000000007EE0000-0x0000000007EE1000-memory.dmp

Filesize
4KB

Download
memory/992-118-0x0000000004970000-0x0000000004E6E000-memory.dmp

Filesize
5.0MB

Download
memory/992-120-0x0000000004DD0000-0x0000000004DD2000-memory.dmp

Filesize
8KB

Download
memory/992-119-0x00000000049A0000-0x00000000049A1000-memory.dmp

Filesize
4KB

Download
memory/1380-124-0x0000000000000000-mapping.dmp

Download
memory/1540-126-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1540-127-0x000000000040242D-mapping.dmp

Download
memory/1540-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2276-129-0x0000000000000000-mapping.dmp

Download
memory/2276-139-0x00000000056F0000-0x0000000005BEE000-memory.dmp

Filesize
5.0MB

Download
memory/2304-142-0x0000000000000000-mapping.dmp

Download
memory/3880-145-0x000000000040242D-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads