netwire | 6f1d138c47c7316460a6af976b2b6d9d6ee2387a6a256c0de6297a55336add5b

General

Target

DHL_RECE.exe
Size

381KB
MD5

a003c2bb955b2caab13a30f8e8827f09
SHA1

0a716bed3e668c0276910851465adb4fde6c0a49
SHA256

2936937ebeead6d1c9b62739331fd975248e2998fcf13c94ee817bbfe501a64b
SHA512

8e57ae74646718ca9ca60977daf132108f130dcc68771014e81cb38502f1f26335fcc251eaea5fafcdf3a55ba5f71758f86e24d44f349d31f7022acbcd7e232b

Score

10^/10

netwire botnet rat stealer

Malware Config

Signatures

NetWire RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral3/memory/1128-72-0x0000000000400000-0x0000000000433000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Blocklisted process makes network request 64 IoCs

Processes:

cmd.exe

flow	pid	process
4	1128	cmd.exe
5	1128	cmd.exe
6	1128	cmd.exe
7	1128	cmd.exe
8	1128	cmd.exe
9	1128	cmd.exe
10	1128	cmd.exe
11	1128	cmd.exe
12	1128	cmd.exe
13	1128	cmd.exe
14	1128	cmd.exe
15	1128	cmd.exe
16	1128	cmd.exe
17	1128	cmd.exe
18	1128	cmd.exe
19	1128	cmd.exe
20	1128	cmd.exe
21	1128	cmd.exe
22	1128	cmd.exe
23	1128	cmd.exe
24	1128	cmd.exe
25	1128	cmd.exe
26	1128	cmd.exe
27	1128	cmd.exe
28	1128	cmd.exe
29	1128	cmd.exe
30	1128	cmd.exe
31	1128	cmd.exe
32	1128	cmd.exe
33	1128	cmd.exe
34	1128	cmd.exe
35	1128	cmd.exe
36	1128	cmd.exe
37	1128	cmd.exe
38	1128	cmd.exe
39	1128	cmd.exe
40	1128	cmd.exe
41	1128	cmd.exe
42	1128	cmd.exe
43	1128	cmd.exe
44	1128	cmd.exe
45	1128	cmd.exe
46	1128	cmd.exe
47	1128	cmd.exe
48	1128	cmd.exe
49	1128	cmd.exe
50	1128	cmd.exe
51	1128	cmd.exe
52	1128	cmd.exe
53	1128	cmd.exe
54	1128	cmd.exe
55	1128	cmd.exe
56	1128	cmd.exe
57	1128	cmd.exe
58	1128	cmd.exe
59	1128	cmd.exe
60	1128	cmd.exe
61	1128	cmd.exe
62	1128	cmd.exe
63	1128	cmd.exe
64	1128	cmd.exe
65	1128	cmd.exe
66	1128	cmd.exe
67	1128	cmd.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

1300 rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

rundll32.exe

pid process

1300 rundll32.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

rundll32.exe

pid process

1300 rundll32.exe

pid	process
1300	rundll32.exe

pid	process
1300	rundll32.exe

pid	process
1300	rundll32.exe

Suspicious use of WriteProcessMemory 52 IoCs

Processes:

DHL_RECE.exerundll32.exe

description	pid	process	target process
PID 1984 wrote to memory of 1300	1984	DHL_RECE.exe	rundll32.exe
PID 1984 wrote to memory of 1300	1984	DHL_RECE.exe	rundll32.exe
PID 1984 wrote to memory of 1300	1984	DHL_RECE.exe	rundll32.exe
PID 1984 wrote to memory of 1300	1984	DHL_RECE.exe	rundll32.exe
PID 1984 wrote to memory of 1300	1984	DHL_RECE.exe	rundll32.exe
PID 1984 wrote to memory of 1300	1984	DHL_RECE.exe	rundll32.exe
PID 1984 wrote to memory of 1300	1984	DHL_RECE.exe	rundll32.exe
PID 1300 wrote to memory of 1128	1300	rundll32.exe	cmd.exe
PID 1300 wrote to memory of 1128	1300	rundll32.exe	cmd.exe
PID 1300 wrote to memory of 1128	1300	rundll32.exe	cmd.exe
PID 1300 wrote to memory of 1128	1300	rundll32.exe	cmd.exe
PID 1300 wrote to memory of 1128	1300	rundll32.exe	cmd.exe
PID 1300 wrote to memory of 1128	1300	rundll32.exe	cmd.exe
PID 1300 wrote to memory of 1128	1300	rundll32.exe	cmd.exe
PID 1300 wrote to memory of 1128	1300	rundll32.exe	cmd.exe
PID 1300 wrote to memory of 1128	1300	rundll32.exe	cmd.exe
PID 1300 wrote to memory of 1128	1300	rundll32.exe	cmd.exe
PID 1300 wrote to memory of 1128	1300	rundll32.exe	cmd.exe
PID 1300 wrote to memory of 1128	1300	rundll32.exe	cmd.exe
PID 1300 wrote to memory of 1128	1300	rundll32.exe	cmd.exe
PID 1300 wrote to memory of 1128	1300	rundll32.exe	cmd.exe
PID 1300 wrote to memory of 1128	1300	rundll32.exe	cmd.exe
PID 1300 wrote to memory of 1128	1300	rundll32.exe	cmd.exe
PID 1300 wrote to memory of 1128	1300	rundll32.exe	cmd.exe
PID 1300 wrote to memory of 1128	1300	rundll32.exe	cmd.exe
PID 1300 wrote to memory of 1128	1300	rundll32.exe	cmd.exe
PID 1300 wrote to memory of 1128	1300	rundll32.exe	cmd.exe
PID 1300 wrote to memory of 1128	1300	rundll32.exe	cmd.exe
PID 1300 wrote to memory of 1128	1300	rundll32.exe	cmd.exe
PID 1300 wrote to memory of 1128	1300	rundll32.exe	cmd.exe
PID 1300 wrote to memory of 1128	1300	rundll32.exe	cmd.exe
PID 1300 wrote to memory of 1128	1300	rundll32.exe	cmd.exe
PID 1300 wrote to memory of 1128	1300	rundll32.exe	cmd.exe
PID 1300 wrote to memory of 1128	1300	rundll32.exe	cmd.exe
PID 1300 wrote to memory of 1128	1300	rundll32.exe	cmd.exe
PID 1300 wrote to memory of 1128	1300	rundll32.exe	cmd.exe
PID 1300 wrote to memory of 1128	1300	rundll32.exe	cmd.exe
PID 1300 wrote to memory of 1128	1300	rundll32.exe	cmd.exe
PID 1300 wrote to memory of 1128	1300	rundll32.exe	cmd.exe
PID 1300 wrote to memory of 1128	1300	rundll32.exe	cmd.exe
PID 1300 wrote to memory of 1128	1300	rundll32.exe	cmd.exe
PID 1300 wrote to memory of 1128	1300	rundll32.exe	cmd.exe
PID 1300 wrote to memory of 1128	1300	rundll32.exe	cmd.exe
PID 1300 wrote to memory of 1128	1300	rundll32.exe	cmd.exe
PID 1300 wrote to memory of 1128	1300	rundll32.exe	cmd.exe
PID 1300 wrote to memory of 1128	1300	rundll32.exe	cmd.exe
PID 1300 wrote to memory of 1128	1300	rundll32.exe	cmd.exe
PID 1300 wrote to memory of 1128	1300	rundll32.exe	cmd.exe
PID 1300 wrote to memory of 1128	1300	rundll32.exe	cmd.exe
PID 1300 wrote to memory of 1128	1300	rundll32.exe	cmd.exe
PID 1300 wrote to memory of 1128	1300	rundll32.exe	cmd.exe
PID 1300 wrote to memory of 1128	1300	rundll32.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\DHL_RECE.exe
"C:\Users\Admin\AppData\Local\Temp\DHL_RECE.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1984

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe KnowhowMove,Xylol
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1300

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
- Blocklisted process makes network request
PID:1128

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Counterfoil
Filesize
202KB

MD5
7b15f5cea41c54e4b02255452673c114

SHA1
92a999c9dfe29ad8c19b705f5a30c25164784249

SHA256
b8ea5fcb8f5515a72d04775697eb8d838a5e6c2caa444ad679ae6154a0b7702c

SHA512
0614f136102d27e046ed95e52b91a7e379a641e2724292346b7640a045accb6afe423f13cd857dcfe231ed2a0945b89a4f6a8be9d7eb679a30591054c027f4cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\KnowhowMove.DLL
Filesize
72KB

MD5
11d85e62b99dbf03d47ac93ee60b6915

SHA1
97eb6906ee2026e923165e85f0ba64d100fe6532

SHA256
5c2048e13ad410ed7df298b7626ec1ddd9d0e428e3bb3f869e22713f821a10b8

SHA512
36940a2ac3a62c6247f3cd20a2db6400e0ee619e762135ac52cd9df6d2df81a5dac0311d078b2febdaad8dddb2efad03bd39d1e1aceb30750382c2d81e5925f1

Download Submit
\Users\Admin\AppData\Local\Temp\KnowhowMove.dll
Filesize
72KB

MD5
11d85e62b99dbf03d47ac93ee60b6915

SHA1
97eb6906ee2026e923165e85f0ba64d100fe6532

SHA256
5c2048e13ad410ed7df298b7626ec1ddd9d0e428e3bb3f869e22713f821a10b8

SHA512
36940a2ac3a62c6247f3cd20a2db6400e0ee619e762135ac52cd9df6d2df81a5dac0311d078b2febdaad8dddb2efad03bd39d1e1aceb30750382c2d81e5925f1

Download Submit
memory/1128-64-0x0000000000000000-mapping.dmp

Download
memory/1128-66-0x00000000774C0000-0x0000000077669000-memory.dmp

Filesize
1.7MB

Download
memory/1128-67-0x0000000000090000-0x0000000000096000-memory.dmp

Filesize
24KB

Download
memory/1128-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1300-55-0x0000000000000000-mapping.dmp

Download
memory/1300-60-0x0000000074860000-0x00000000748B8000-memory.dmp

Filesize
352KB

Download
memory/1300-62-0x0000000075E20000-0x0000000075E55000-memory.dmp

Filesize
212KB

Download
memory/1300-63-0x00000000774C0000-0x0000000077669000-memory.dmp

Filesize
1.7MB

Download
memory/1984-54-0x00000000764C1000-0x00000000764C3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads