netwire | b4342b4b5f8e08badc18fc540b8da2c526fb1b9b1988f87fd877648f53e952cd

General

Target

b4342b4b5f8e08badc18fc540b8da2c526fb1b9b1988f87fd877648f53e952cd.exe
Size

618KB
MD5

8c55cba01db3ea37db03917b97c49b2f
SHA1

e86a93f9b85527e330a2c03e01d243ce38231c09
SHA256

b4342b4b5f8e08badc18fc540b8da2c526fb1b9b1988f87fd877648f53e952cd
SHA512

801c578d0a5910210c16143aa1f7911a228d8f17c301773316c36b1ea42bbc9ef0c5b70cc363bcdf4df837f701f55fd23602c3fd025d70462912a6d871420efd

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Extracted

Family

netwire

C2

fdghfghdfghjhgjkgfgjh234569.ru:6974

Attributes

activex_autorun
false
activex_key
copy_executable
false
delete_original
false
host_id
a2nw
install_path
keylogger_dir
lock_executable
false
mutex
NrPiWfVe
offline_keylogger
false
password
rdfs34df32sdf
registry_autorun
false
startup_name
use_mutex
true

Signatures

NetWire RAT payload 7 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2040-78-0x0000000000400000-0x0000000000425000-memory.dmp	netwire
behavioral1/memory/2040-79-0x0000000000400000-0x0000000000425000-memory.dmp	netwire
behavioral1/memory/2040-81-0x0000000000400000-0x0000000000425000-memory.dmp	netwire
behavioral1/memory/2040-82-0x0000000000400000-0x0000000000425000-memory.dmp	netwire
behavioral1/memory/2040-83-0x0000000000402570-mapping.dmp	netwire
behavioral1/memory/2040-86-0x0000000000400000-0x0000000000425000-memory.dmp	netwire
behavioral1/memory/2040-87-0x0000000000400000-0x0000000000425000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 1 IoCs

Processes:

sdvbcxs.exe

pid process

268 sdvbcxs.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

1132 cmd.exe

pid	process
268	sdvbcxs.exe

pid	process
1132	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

sdvbcxs.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\sdvbcxs = "C:\\Users\\Admin\\AppData\\Local\\sdvbcxs.exe -boot"	sdvbcxs.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

sdvbcxs.exe

description pid process target process

PID 268 set thread context of 2040 268 sdvbcxs.exe svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 268 set thread context of 2040	268	sdvbcxs.exe	svchost.exe

NTFS ADS 5 IoCs

Processes:

cmd.execmd.execmd.execmd.execmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Temp\b4342b4b5f8e08badc18fc540b8da2c526fb1b9b1988f87fd877648f53e952cd.exe:Zone.Identifier	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\b4342b4b5f8e08badc18fc540b8da2c526fb1b9b1988f87fd877648f53e952cd.exe:Zone.Identifier	cmd.exe
File created	C:\Users\Admin\AppData\Local\sdvbcxs.exe\:Zone.Identifier:$DATA	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Local\sdvbcxs.exe:Zone.Identifier	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Local\sdvbcxs.exe:Zone.Identifier	cmd.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

b4342b4b5f8e08badc18fc540b8da2c526fb1b9b1988f87fd877648f53e952cd.exesdvbcxs.exe

description	pid	process
Token: SeDebugPrivilege	1172	b4342b4b5f8e08badc18fc540b8da2c526fb1b9b1988f87fd877648f53e952cd.exe
Token: SeDebugPrivilege	268	sdvbcxs.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

b4342b4b5f8e08badc18fc540b8da2c526fb1b9b1988f87fd877648f53e952cd.execmd.exesdvbcxs.exe

description	pid	process	target process
PID 1172 wrote to memory of 1392	1172	b4342b4b5f8e08badc18fc540b8da2c526fb1b9b1988f87fd877648f53e952cd.exe	cmd.exe
PID 1172 wrote to memory of 1392	1172	b4342b4b5f8e08badc18fc540b8da2c526fb1b9b1988f87fd877648f53e952cd.exe	cmd.exe
PID 1172 wrote to memory of 1392	1172	b4342b4b5f8e08badc18fc540b8da2c526fb1b9b1988f87fd877648f53e952cd.exe	cmd.exe
PID 1172 wrote to memory of 1392	1172	b4342b4b5f8e08badc18fc540b8da2c526fb1b9b1988f87fd877648f53e952cd.exe	cmd.exe
PID 1172 wrote to memory of 1704	1172	b4342b4b5f8e08badc18fc540b8da2c526fb1b9b1988f87fd877648f53e952cd.exe	cmd.exe
PID 1172 wrote to memory of 1704	1172	b4342b4b5f8e08badc18fc540b8da2c526fb1b9b1988f87fd877648f53e952cd.exe	cmd.exe
PID 1172 wrote to memory of 1704	1172	b4342b4b5f8e08badc18fc540b8da2c526fb1b9b1988f87fd877648f53e952cd.exe	cmd.exe
PID 1172 wrote to memory of 1704	1172	b4342b4b5f8e08badc18fc540b8da2c526fb1b9b1988f87fd877648f53e952cd.exe	cmd.exe
PID 1172 wrote to memory of 2028	1172	b4342b4b5f8e08badc18fc540b8da2c526fb1b9b1988f87fd877648f53e952cd.exe	cmd.exe
PID 1172 wrote to memory of 2028	1172	b4342b4b5f8e08badc18fc540b8da2c526fb1b9b1988f87fd877648f53e952cd.exe	cmd.exe
PID 1172 wrote to memory of 2028	1172	b4342b4b5f8e08badc18fc540b8da2c526fb1b9b1988f87fd877648f53e952cd.exe	cmd.exe
PID 1172 wrote to memory of 2028	1172	b4342b4b5f8e08badc18fc540b8da2c526fb1b9b1988f87fd877648f53e952cd.exe	cmd.exe
PID 1172 wrote to memory of 1132	1172	b4342b4b5f8e08badc18fc540b8da2c526fb1b9b1988f87fd877648f53e952cd.exe	cmd.exe
PID 1172 wrote to memory of 1132	1172	b4342b4b5f8e08badc18fc540b8da2c526fb1b9b1988f87fd877648f53e952cd.exe	cmd.exe
PID 1172 wrote to memory of 1132	1172	b4342b4b5f8e08badc18fc540b8da2c526fb1b9b1988f87fd877648f53e952cd.exe	cmd.exe
PID 1172 wrote to memory of 1132	1172	b4342b4b5f8e08badc18fc540b8da2c526fb1b9b1988f87fd877648f53e952cd.exe	cmd.exe
PID 1132 wrote to memory of 268	1132	cmd.exe	sdvbcxs.exe
PID 1132 wrote to memory of 268	1132	cmd.exe	sdvbcxs.exe
PID 1132 wrote to memory of 268	1132	cmd.exe	sdvbcxs.exe
PID 1132 wrote to memory of 268	1132	cmd.exe	sdvbcxs.exe
PID 1132 wrote to memory of 268	1132	cmd.exe	sdvbcxs.exe
PID 1132 wrote to memory of 268	1132	cmd.exe	sdvbcxs.exe
PID 1132 wrote to memory of 268	1132	cmd.exe	sdvbcxs.exe
PID 268 wrote to memory of 1056	268	sdvbcxs.exe	cmd.exe
PID 268 wrote to memory of 1056	268	sdvbcxs.exe	cmd.exe
PID 268 wrote to memory of 1056	268	sdvbcxs.exe	cmd.exe
PID 268 wrote to memory of 1056	268	sdvbcxs.exe	cmd.exe
PID 268 wrote to memory of 696	268	sdvbcxs.exe	cmd.exe
PID 268 wrote to memory of 696	268	sdvbcxs.exe	cmd.exe
PID 268 wrote to memory of 696	268	sdvbcxs.exe	cmd.exe
PID 268 wrote to memory of 696	268	sdvbcxs.exe	cmd.exe
PID 268 wrote to memory of 2040	268	sdvbcxs.exe	svchost.exe
PID 268 wrote to memory of 2040	268	sdvbcxs.exe	svchost.exe
PID 268 wrote to memory of 2040	268	sdvbcxs.exe	svchost.exe
PID 268 wrote to memory of 2040	268	sdvbcxs.exe	svchost.exe
PID 268 wrote to memory of 2040	268	sdvbcxs.exe	svchost.exe
PID 268 wrote to memory of 2040	268	sdvbcxs.exe	svchost.exe
PID 268 wrote to memory of 2040	268	sdvbcxs.exe	svchost.exe
PID 268 wrote to memory of 2040	268	sdvbcxs.exe	svchost.exe
PID 268 wrote to memory of 2040	268	sdvbcxs.exe	svchost.exe
PID 268 wrote to memory of 2040	268	sdvbcxs.exe	svchost.exe
PID 268 wrote to memory of 2040	268	sdvbcxs.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\b4342b4b5f8e08badc18fc540b8da2c526fb1b9b1988f87fd877648f53e952cd.exe
"C:\Users\Admin\AppData\Local\Temp\b4342b4b5f8e08badc18fc540b8da2c526fb1b9b1988f87fd877648f53e952cd.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1172

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Local\Temp\b4342b4b5f8e08badc18fc540b8da2c526fb1b9b1988f87fd877648f53e952cd.exe:Zone.Identifier"
2⤵
- NTFS ADS
PID:1392

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Local\Temp\b4342b4b5f8e08badc18fc540b8da2c526fb1b9b1988f87fd877648f53e952cd.exe:Zone.Identifier"
2⤵
- NTFS ADS
PID:1704

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\b4342b4b5f8e08badc18fc540b8da2c526fb1b9b1988f87fd877648f53e952cd.exe" "C:\Users\Admin\AppData\Local\sdvbcxs.exe"
2⤵
- NTFS ADS
PID:2028

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\AppData\Local\sdvbcxs.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1132

C:\Users\Admin\AppData\Local\sdvbcxs.exe
"C:\Users\Admin\AppData\Local\sdvbcxs.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:268

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Local\sdvbcxs.exe:Zone.Identifier"
4⤵
- NTFS ADS
PID:1056

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Local\sdvbcxs.exe:Zone.Identifier"
4⤵
- NTFS ADS
PID:696

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\system32\svchost.exe"
4⤵
PID:2040

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\sdvbcxs.exe
Filesize
618KB

MD5
8c55cba01db3ea37db03917b97c49b2f

SHA1
e86a93f9b85527e330a2c03e01d243ce38231c09

SHA256
b4342b4b5f8e08badc18fc540b8da2c526fb1b9b1988f87fd877648f53e952cd

SHA512
801c578d0a5910210c16143aa1f7911a228d8f17c301773316c36b1ea42bbc9ef0c5b70cc363bcdf4df837f701f55fd23602c3fd025d70462912a6d871420efd

Download Submit
C:\Users\Admin\AppData\Local\sdvbcxs.exe
Filesize
618KB

MD5
8c55cba01db3ea37db03917b97c49b2f

SHA1
e86a93f9b85527e330a2c03e01d243ce38231c09

SHA256
b4342b4b5f8e08badc18fc540b8da2c526fb1b9b1988f87fd877648f53e952cd

SHA512
801c578d0a5910210c16143aa1f7911a228d8f17c301773316c36b1ea42bbc9ef0c5b70cc363bcdf4df837f701f55fd23602c3fd025d70462912a6d871420efd

Download Submit
\Users\Admin\AppData\Local\sdvbcxs.exe
Filesize
618KB

MD5
8c55cba01db3ea37db03917b97c49b2f

SHA1
e86a93f9b85527e330a2c03e01d243ce38231c09

SHA256
b4342b4b5f8e08badc18fc540b8da2c526fb1b9b1988f87fd877648f53e952cd

SHA512
801c578d0a5910210c16143aa1f7911a228d8f17c301773316c36b1ea42bbc9ef0c5b70cc363bcdf4df837f701f55fd23602c3fd025d70462912a6d871420efd

Download Submit
memory/268-72-0x0000000004960000-0x000000000496C000-memory.dmp

Filesize
48KB

Download
memory/268-68-0x0000000000E50000-0x0000000000EEE000-memory.dmp

Filesize
632KB

Download
memory/268-66-0x0000000000000000-mapping.dmp

Download
memory/696-71-0x0000000000000000-mapping.dmp

Download
memory/1056-70-0x0000000000000000-mapping.dmp

Download
memory/1132-63-0x0000000000000000-mapping.dmp

Download
memory/1172-61-0x0000000002060000-0x0000000002066000-memory.dmp

Filesize
24KB

Download
memory/1172-54-0x0000000000210000-0x00000000002AE000-memory.dmp

Filesize
632KB

Download
memory/1172-60-0x00000000005B0000-0x00000000005BC000-memory.dmp

Filesize
48KB

Download
memory/1172-58-0x0000000001FA0000-0x0000000001FAA000-memory.dmp

Filesize
40KB

Download
memory/1172-56-0x00000000755A1000-0x00000000755A3000-memory.dmp

Filesize
8KB

Download
memory/1172-55-0x00000000003C0000-0x00000000003EC000-memory.dmp

Filesize
176KB

Download
memory/1392-57-0x0000000000000000-mapping.dmp

Download
memory/1704-59-0x0000000000000000-mapping.dmp

Download
memory/2028-62-0x0000000000000000-mapping.dmp

Download
memory/2040-73-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2040-74-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2040-76-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2040-78-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2040-79-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2040-81-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2040-82-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2040-83-0x0000000000402570-mapping.dmp

Download
memory/2040-86-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2040-87-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads