netwire | 9530267408a020ad51d1152af9d09129f78ac294080ba334cc6843a9a44d07e6

General

Target

Proof of Payment.exe
Size

1.1MB
MD5

f818cb764aab5e0d02545172edf9d6a3
SHA1

019ed52ad6f7026e83ce7ed2c63d3ca62f3d9276
SHA256

5f2b6faf1de19342f874c50bad45b66727e24218cd8d2610f7d3fbb5d47cccab
SHA512

f4d635f57e2ed13b2f3a3ed057ed9da08bcda819c8925049d0b0fb60f3c9c461646c353d39f85766e6309b324a27f091aef3591fcdc49a1765648635a0acf1ab

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Extracted

Family

netwire

C2

154.16.93.182:3361

154.16.93.182:3368

Attributes

activex_autorun
false
activex_key
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
install_path
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
offline_keylogger
true
password
south123456
registry_autorun
false
startup_name
use_mutex
false

Signatures

NetWire RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4448-138-0x0000000000500000-0x0000000000AC1000-memory.dmp	netwire
behavioral2/memory/4448-139-0x000000000050242D-mapping.dmp	netwire
behavioral2/memory/4448-142-0x0000000000500000-0x0000000000AC1000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 2 IoCs

Processes:

lblhvtsgb.pifRegSvcs.exe

pid process

1696 lblhvtsgb.pif
4448 RegSvcs.exe

pid	process
1696	lblhvtsgb.pif
4448	RegSvcs.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Proof of Payment.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	Proof of Payment.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

lblhvtsgb.pif

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	lblhvtsgb.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\89835103\\LBLHVT~1.PIF C:\\Users\\Admin\\AppData\\Local\\Temp\\89835103\\dfvgx.mvn"	lblhvtsgb.pif

Suspicious use of SetThreadContext 1 IoCs

Processes:

lblhvtsgb.pif

description pid process target process

PID 1696 set thread context of 4448 1696 lblhvtsgb.pif RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 1696 set thread context of 4448	1696	lblhvtsgb.pif	RegSvcs.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

Proof of Payment.exelblhvtsgb.pif

description	pid	process	target process
PID 3148 wrote to memory of 1696	3148	Proof of Payment.exe	lblhvtsgb.pif
PID 3148 wrote to memory of 1696	3148	Proof of Payment.exe	lblhvtsgb.pif
PID 3148 wrote to memory of 1696	3148	Proof of Payment.exe	lblhvtsgb.pif
PID 1696 wrote to memory of 4448	1696	lblhvtsgb.pif	RegSvcs.exe
PID 1696 wrote to memory of 4448	1696	lblhvtsgb.pif	RegSvcs.exe
PID 1696 wrote to memory of 4448	1696	lblhvtsgb.pif	RegSvcs.exe
PID 1696 wrote to memory of 4448	1696	lblhvtsgb.pif	RegSvcs.exe
PID 1696 wrote to memory of 4448	1696	lblhvtsgb.pif	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\Proof of Payment.exe
"C:\Users\Admin\AppData\Local\Temp\Proof of Payment.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3148

C:\Users\Admin\AppData\Local\Temp\89835103\lblhvtsgb.pif
"C:\Users\Admin\AppData\Local\Temp\89835103\lblhvtsgb.pif" dfvgx.mvn
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1696

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
3⤵
- Executes dropped EXE
PID:4448

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\89835103\dfvgx.mvn
Filesize
200.5MB

MD5
f71424726a0bbed041b9a75800af0741

SHA1
466d0636296ca0aaf6164ed2e0d92354ec79e18d

SHA256
7b34608b3c4c2fbc141e6deebb87df9c92d26533713e4ce00aae9f7a756f1fc9

SHA512
7b6b96c2a0f7ec0374cbf7fed42af7851c84a198f92e9b513ca9c8d7e3cd8cfc0f0409ed91981a6c2761d490067b5af23b0815a1282ee09a0ff95cdffeea4a5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\89835103\lblhvtsgb.pif
Filesize
655KB

MD5
a75bc752c50fb74f7597c2bb59b93d43

SHA1
d2dcd3d104b6b04f0828844aeda188798669b41f

SHA256
877365dfcbe9d4896e9ca544c7d19e106ab78339edbc1bd410f2e11bd32cd2ee

SHA512
e856238e3cb519786365faf17d0d590692fa991d9ca81e2fb8ce094cd090583f4ed1823b7ca9c0f702320398054ba682644a02f8d99d4e0f53733564611d3f97

Download Submit
C:\Users\Admin\AppData\Local\Temp\89835103\lblhvtsgb.pif
Filesize
655KB

MD5
a75bc752c50fb74f7597c2bb59b93d43

SHA1
d2dcd3d104b6b04f0828844aeda188798669b41f

SHA256
877365dfcbe9d4896e9ca544c7d19e106ab78339edbc1bd410f2e11bd32cd2ee

SHA512
e856238e3cb519786365faf17d0d590692fa991d9ca81e2fb8ce094cd090583f4ed1823b7ca9c0f702320398054ba682644a02f8d99d4e0f53733564611d3f97

Download Submit
C:\Users\Admin\AppData\Local\Temp\89835103\sjsxnhqkmb.bmp
Filesize
375KB

MD5
500f2c5f0d04596b91e6a3ea5f1d5cfd

SHA1
07f36f97f40d4ffd1c4f18f47af950a95ffd1ad7

SHA256
f86645f528a3073e5f490d627dc35130f815ec0cf72fd1a3ddadd2830dbbd6e1

SHA512
3e18f06f47c2ae0e65f5af88c7c51c1b46ba57c5fd374da9dc2f99069a11a80c9b6bb44f084e02b239c542cf12fb656109eece97243dc4f0ff1bfc36043404cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
Filesize
44KB

MD5
9d352bc46709f0cb5ec974633a0c3c94

SHA1
1969771b2f022f9a86d77ac4d4d239becdf08d07

SHA256
2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

SHA512
13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

Download Submit
memory/1696-133-0x0000000000000000-mapping.dmp

Download
memory/4448-138-0x0000000000500000-0x0000000000AC1000-memory.dmp

Filesize
5.8MB

Download
memory/4448-139-0x000000000050242D-mapping.dmp

Download
memory/4448-142-0x0000000000500000-0x0000000000AC1000-memory.dmp

Filesize
5.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads