netwire | 4d57cb5106534f8239619dcf140f491c45759cd5b632ca36fe9941a9cb19176d

General

Target

4d57cb5106534f8239619dcf140f491c45759cd5b632ca36fe9941a9cb19176d.exe
Size

431KB
MD5

839a358056109761a9323444b0fd7984
SHA1

a82b91764532cbc42d96b98b096cefc0f4e21ede
SHA256

4d57cb5106534f8239619dcf140f491c45759cd5b632ca36fe9941a9cb19176d
SHA512

5f6dd1ab2f5925e4fb15b810ea541d54e7a0748c2995b8b832b6f43c1acf4eacb673af65a149ee13fb54a86971f0034e60706f8dd894bf037e9937fe761fe386

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Extracted

Family

netwire

C2

harromex.com:4020

Attributes

activex_autorun
false
activex_key
copy_executable
true
delete_original
true
host_id
Grace
install_path
%AppData%\Install\Host.exe
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
qofiTxIi
offline_keylogger
true
password
niconpay$
registry_autorun
true
startup_name
Netwire
use_mutex
true

Signatures

NetWire RAT payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4452-137-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral2/memory/4452-139-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral2/memory/4452-143-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral2/memory/1152-150-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral2/memory/1152-151-0x0000000000400000-0x0000000000433000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 3 IoCs

Processes:

Host.exeHost.exeHost.exe

pid process

3312 Host.exe
4268 Host.exe
1152 Host.exe

pid	process
3312	Host.exe
4268	Host.exe
1152	Host.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

4d57cb5106534f8239619dcf140f491c45759cd5b632ca36fe9941a9cb19176d.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	4d57cb5106534f8239619dcf140f491c45759cd5b632ca36fe9941a9cb19176d.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Host.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	Host.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Netwire = "C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe"	Host.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

4d57cb5106534f8239619dcf140f491c45759cd5b632ca36fe9941a9cb19176d.exeHost.exe

description	pid	process	target process
PID 3504 set thread context of 4452	3504	4d57cb5106534f8239619dcf140f491c45759cd5b632ca36fe9941a9cb19176d.exe	4d57cb5106534f8239619dcf140f491c45759cd5b632ca36fe9941a9cb19176d.exe
PID 3312 set thread context of 1152	3312	Host.exe	Host.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

4d57cb5106534f8239619dcf140f491c45759cd5b632ca36fe9941a9cb19176d.exeHost.exe

pid	process
3504	4d57cb5106534f8239619dcf140f491c45759cd5b632ca36fe9941a9cb19176d.exe
3504	4d57cb5106534f8239619dcf140f491c45759cd5b632ca36fe9941a9cb19176d.exe
3504	4d57cb5106534f8239619dcf140f491c45759cd5b632ca36fe9941a9cb19176d.exe
3504	4d57cb5106534f8239619dcf140f491c45759cd5b632ca36fe9941a9cb19176d.exe
3504	4d57cb5106534f8239619dcf140f491c45759cd5b632ca36fe9941a9cb19176d.exe
3312	Host.exe
3312	Host.exe
3312	Host.exe
3312	Host.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

4d57cb5106534f8239619dcf140f491c45759cd5b632ca36fe9941a9cb19176d.exeHost.exe

description	pid	process
Token: SeDebugPrivilege	3504	4d57cb5106534f8239619dcf140f491c45759cd5b632ca36fe9941a9cb19176d.exe
Token: SeDebugPrivilege	3312	Host.exe

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

4d57cb5106534f8239619dcf140f491c45759cd5b632ca36fe9941a9cb19176d.exe4d57cb5106534f8239619dcf140f491c45759cd5b632ca36fe9941a9cb19176d.exeHost.exe

description	pid	process	target process
PID 3504 wrote to memory of 4860	3504	4d57cb5106534f8239619dcf140f491c45759cd5b632ca36fe9941a9cb19176d.exe	4d57cb5106534f8239619dcf140f491c45759cd5b632ca36fe9941a9cb19176d.exe
PID 3504 wrote to memory of 4860	3504	4d57cb5106534f8239619dcf140f491c45759cd5b632ca36fe9941a9cb19176d.exe	4d57cb5106534f8239619dcf140f491c45759cd5b632ca36fe9941a9cb19176d.exe
PID 3504 wrote to memory of 4860	3504	4d57cb5106534f8239619dcf140f491c45759cd5b632ca36fe9941a9cb19176d.exe	4d57cb5106534f8239619dcf140f491c45759cd5b632ca36fe9941a9cb19176d.exe
PID 3504 wrote to memory of 4452	3504	4d57cb5106534f8239619dcf140f491c45759cd5b632ca36fe9941a9cb19176d.exe	4d57cb5106534f8239619dcf140f491c45759cd5b632ca36fe9941a9cb19176d.exe
PID 3504 wrote to memory of 4452	3504	4d57cb5106534f8239619dcf140f491c45759cd5b632ca36fe9941a9cb19176d.exe	4d57cb5106534f8239619dcf140f491c45759cd5b632ca36fe9941a9cb19176d.exe
PID 3504 wrote to memory of 4452	3504	4d57cb5106534f8239619dcf140f491c45759cd5b632ca36fe9941a9cb19176d.exe	4d57cb5106534f8239619dcf140f491c45759cd5b632ca36fe9941a9cb19176d.exe
PID 3504 wrote to memory of 4452	3504	4d57cb5106534f8239619dcf140f491c45759cd5b632ca36fe9941a9cb19176d.exe	4d57cb5106534f8239619dcf140f491c45759cd5b632ca36fe9941a9cb19176d.exe
PID 3504 wrote to memory of 4452	3504	4d57cb5106534f8239619dcf140f491c45759cd5b632ca36fe9941a9cb19176d.exe	4d57cb5106534f8239619dcf140f491c45759cd5b632ca36fe9941a9cb19176d.exe
PID 3504 wrote to memory of 4452	3504	4d57cb5106534f8239619dcf140f491c45759cd5b632ca36fe9941a9cb19176d.exe	4d57cb5106534f8239619dcf140f491c45759cd5b632ca36fe9941a9cb19176d.exe
PID 3504 wrote to memory of 4452	3504	4d57cb5106534f8239619dcf140f491c45759cd5b632ca36fe9941a9cb19176d.exe	4d57cb5106534f8239619dcf140f491c45759cd5b632ca36fe9941a9cb19176d.exe
PID 3504 wrote to memory of 4452	3504	4d57cb5106534f8239619dcf140f491c45759cd5b632ca36fe9941a9cb19176d.exe	4d57cb5106534f8239619dcf140f491c45759cd5b632ca36fe9941a9cb19176d.exe
PID 3504 wrote to memory of 4452	3504	4d57cb5106534f8239619dcf140f491c45759cd5b632ca36fe9941a9cb19176d.exe	4d57cb5106534f8239619dcf140f491c45759cd5b632ca36fe9941a9cb19176d.exe
PID 3504 wrote to memory of 4452	3504	4d57cb5106534f8239619dcf140f491c45759cd5b632ca36fe9941a9cb19176d.exe	4d57cb5106534f8239619dcf140f491c45759cd5b632ca36fe9941a9cb19176d.exe
PID 3504 wrote to memory of 4452	3504	4d57cb5106534f8239619dcf140f491c45759cd5b632ca36fe9941a9cb19176d.exe	4d57cb5106534f8239619dcf140f491c45759cd5b632ca36fe9941a9cb19176d.exe
PID 4452 wrote to memory of 3312	4452	4d57cb5106534f8239619dcf140f491c45759cd5b632ca36fe9941a9cb19176d.exe	Host.exe
PID 4452 wrote to memory of 3312	4452	4d57cb5106534f8239619dcf140f491c45759cd5b632ca36fe9941a9cb19176d.exe	Host.exe
PID 4452 wrote to memory of 3312	4452	4d57cb5106534f8239619dcf140f491c45759cd5b632ca36fe9941a9cb19176d.exe	Host.exe
PID 3312 wrote to memory of 4268	3312	Host.exe	Host.exe
PID 3312 wrote to memory of 4268	3312	Host.exe	Host.exe
PID 3312 wrote to memory of 4268	3312	Host.exe	Host.exe
PID 3312 wrote to memory of 1152	3312	Host.exe	Host.exe
PID 3312 wrote to memory of 1152	3312	Host.exe	Host.exe
PID 3312 wrote to memory of 1152	3312	Host.exe	Host.exe
PID 3312 wrote to memory of 1152	3312	Host.exe	Host.exe
PID 3312 wrote to memory of 1152	3312	Host.exe	Host.exe
PID 3312 wrote to memory of 1152	3312	Host.exe	Host.exe
PID 3312 wrote to memory of 1152	3312	Host.exe	Host.exe
PID 3312 wrote to memory of 1152	3312	Host.exe	Host.exe
PID 3312 wrote to memory of 1152	3312	Host.exe	Host.exe
PID 3312 wrote to memory of 1152	3312	Host.exe	Host.exe
PID 3312 wrote to memory of 1152	3312	Host.exe	Host.exe

C:\Users\Admin\AppData\Local\Temp\4d57cb5106534f8239619dcf140f491c45759cd5b632ca36fe9941a9cb19176d.exe
"C:\Users\Admin\AppData\Local\Temp\4d57cb5106534f8239619dcf140f491c45759cd5b632ca36fe9941a9cb19176d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3504

C:\Users\Admin\AppData\Local\Temp\4d57cb5106534f8239619dcf140f491c45759cd5b632ca36fe9941a9cb19176d.exe
"{path}"
2⤵
PID:4860

C:\Users\Admin\AppData\Local\Temp\4d57cb5106534f8239619dcf140f491c45759cd5b632ca36fe9941a9cb19176d.exe
"{path}"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4452

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe" -m "C:\Users\Admin\AppData\Local\Temp\4d57cb5106534f8239619dcf140f491c45759cd5b632ca36fe9941a9cb19176d.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3312

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"{path}"
4⤵
- Executes dropped EXE
PID:4268

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"{path}"
4⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1152

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
431KB

MD5
839a358056109761a9323444b0fd7984

SHA1
a82b91764532cbc42d96b98b096cefc0f4e21ede

SHA256
4d57cb5106534f8239619dcf140f491c45759cd5b632ca36fe9941a9cb19176d

SHA512
5f6dd1ab2f5925e4fb15b810ea541d54e7a0748c2995b8b832b6f43c1acf4eacb673af65a149ee13fb54a86971f0034e60706f8dd894bf037e9937fe761fe386

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
431KB

MD5
839a358056109761a9323444b0fd7984

SHA1
a82b91764532cbc42d96b98b096cefc0f4e21ede

SHA256
4d57cb5106534f8239619dcf140f491c45759cd5b632ca36fe9941a9cb19176d

SHA512
5f6dd1ab2f5925e4fb15b810ea541d54e7a0748c2995b8b832b6f43c1acf4eacb673af65a149ee13fb54a86971f0034e60706f8dd894bf037e9937fe761fe386

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
431KB

MD5
839a358056109761a9323444b0fd7984

SHA1
a82b91764532cbc42d96b98b096cefc0f4e21ede

SHA256
4d57cb5106534f8239619dcf140f491c45759cd5b632ca36fe9941a9cb19176d

SHA512
5f6dd1ab2f5925e4fb15b810ea541d54e7a0748c2995b8b832b6f43c1acf4eacb673af65a149ee13fb54a86971f0034e60706f8dd894bf037e9937fe761fe386

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
431KB

MD5
839a358056109761a9323444b0fd7984

SHA1
a82b91764532cbc42d96b98b096cefc0f4e21ede

SHA256
4d57cb5106534f8239619dcf140f491c45759cd5b632ca36fe9941a9cb19176d

SHA512
5f6dd1ab2f5925e4fb15b810ea541d54e7a0748c2995b8b832b6f43c1acf4eacb673af65a149ee13fb54a86971f0034e60706f8dd894bf037e9937fe761fe386

Download Submit
memory/1152-146-0x0000000000000000-mapping.dmp

Download
memory/1152-151-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1152-150-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3312-140-0x0000000000000000-mapping.dmp

Download
memory/3504-130-0x0000000000D10000-0x0000000000D82000-memory.dmp

Filesize
456KB

Download
memory/3504-134-0x0000000007D60000-0x0000000007DFC000-memory.dmp

Filesize
624KB

Download
memory/3504-133-0x0000000007AD0000-0x0000000007ADA000-memory.dmp

Filesize
40KB

Download
memory/3504-132-0x0000000007AF0000-0x0000000007B82000-memory.dmp

Filesize
584KB

Download
memory/3504-131-0x0000000007FC0000-0x0000000008564000-memory.dmp

Filesize
5.6MB

Download
memory/4268-144-0x0000000000000000-mapping.dmp

Download
memory/4452-139-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4452-143-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4452-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4452-136-0x0000000000000000-mapping.dmp

Download
memory/4860-135-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads