netwire | 82e96593173c1407d138cca5418a00b0f5cd9960b32d8f03052eca9b33e68b44

General

Target

AttachedWaybill.exe
Size

574KB
MD5

33f9d631a4adcd4c64fe639352c5f76b
SHA1

8828f41d318315eb05818fce4499bffa31657160
SHA256

82e96593173c1407d138cca5418a00b0f5cd9960b32d8f03052eca9b33e68b44
SHA512

58818cd5e1d55a4a610bb9836501a6d89fb04209b4275420bc96433af1484c0573bf1851b561779144642dd178152ca871841988864de099334ebe0372d83339

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Extracted

Family

netwire

C2

nbg.myvnc.com:6655

nbg1.myvnc.com:6655

myb25.camdvr.org:6655

nbg2.myvnc.com:6655

myb27.camdvr.org:6655

nerdmusic.freeddns.org:6655

SUNWAP1.ooguy.com:6655

mynw1.hopto.org:6655

myb24.camdvr.org:6655

Attributes

activex_autorun
false
activex_key
copy_executable
false
delete_original
false
host_id
COVID-19
install_path
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
offline_keylogger
true
password
1234
registry_autorun
false
startup_name
use_mutex
false

Signatures

NetWire RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1232-72-0x00000000001F0000-0x0000000000223000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

AttachedWaybill.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rjwkhtt = "C:\\Users\\Public\\Libraries\\tthkwjR.url"	AttachedWaybill.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

AttachedWaybill.exe

description	pid	process	target process
PID 1776 wrote to memory of 1232	1776	AttachedWaybill.exe	mshta.exe
PID 1776 wrote to memory of 1232	1776	AttachedWaybill.exe	mshta.exe
PID 1776 wrote to memory of 1232	1776	AttachedWaybill.exe	mshta.exe
PID 1776 wrote to memory of 1232	1776	AttachedWaybill.exe	mshta.exe
PID 1776 wrote to memory of 1232	1776	AttachedWaybill.exe	mshta.exe
PID 1776 wrote to memory of 1232	1776	AttachedWaybill.exe	mshta.exe
PID 1776 wrote to memory of 1232	1776	AttachedWaybill.exe	mshta.exe
PID 1776 wrote to memory of 1232	1776	AttachedWaybill.exe	mshta.exe
PID 1776 wrote to memory of 1232	1776	AttachedWaybill.exe	mshta.exe
PID 1776 wrote to memory of 1232	1776	AttachedWaybill.exe	mshta.exe
PID 1776 wrote to memory of 1232	1776	AttachedWaybill.exe	mshta.exe
PID 1776 wrote to memory of 1232	1776	AttachedWaybill.exe	mshta.exe
PID 1776 wrote to memory of 1232	1776	AttachedWaybill.exe	mshta.exe
PID 1776 wrote to memory of 1232	1776	AttachedWaybill.exe	mshta.exe
PID 1776 wrote to memory of 1232	1776	AttachedWaybill.exe	mshta.exe
PID 1776 wrote to memory of 1232	1776	AttachedWaybill.exe	mshta.exe

C:\Users\Admin\AppData\Local\Temp\AttachedWaybill.exe
"C:\Users\Admin\AppData\Local\Temp\AttachedWaybill.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1776

C:\Windows\SysWOW64\mshta.exe
C:\Windows\System32\mshta.exe
2⤵
PID:1232

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1232-66-0x0000000000000000-mapping.dmp

Download
memory/1232-69-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/1232-68-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/1232-71-0x0000000010550000-0x0000000010585000-memory.dmp

Filesize
212KB

Download
memory/1232-70-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1232-72-0x00000000001F0000-0x0000000000223000-memory.dmp

Filesize
204KB

Download
memory/1776-61-0x00000000003D0000-0x00000000003EA000-memory.dmp

Filesize
104KB

Download
memory/1776-64-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/1776-65-0x0000000075C31000-0x0000000075C33000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads