netwire | afb777c3c1bbd190af137c193d61137833365f73c9e8915e15fa0bc260aecdb5

General

Target

INQUIRY.exe
Size

259KB
MD5

f652086d83ccc25c14bbcebb9229cbd4
SHA1

cadd3972915bd7ffee7442c8b60ff6acc156705e
SHA256

9a6951c6f3c33c217edd9a4e32f5422c4e125b909d0c88e190b76eb695f05b72
SHA512

1fb741fe778c749d465cea204739519bf2a4bad4121d472f3ada7bbd8c7d3f09fb43eb7a3e81c0de88105bc89d1ba32254ef41bc96d13b12920e796a6cee8d0c

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

C2

194.5.97.109:3360

Attributes

activex_autorun
false
activex_key
copy_executable
true
delete_original
true
host_id
MAZI
install_path
%AppData%\Install\Host.exe
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
offline_keylogger
true
password
Password
registry_autorun
false
startup_name
use_mutex
false

Signatures

NetWire RAT payload 11 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1748-63-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/1748-64-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/1748-65-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/1748-67-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/1748-68-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/1748-69-0x000000000040242D-mapping.dmp	netwire
behavioral1/memory/1748-72-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/1748-77-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/1708-93-0x000000000040242D-mapping.dmp	netwire
behavioral1/memory/1708-98-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/1708-99-0x0000000000400000-0x0000000000433000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 2 IoCs

Processes:

Host.exeHost.exe

pid process

1788 Host.exe
1708 Host.exe
Loads dropped DLL 2 IoCs

Processes:

INQUIRY.exe

pid process

1748 INQUIRY.exe
1748 INQUIRY.exe

pid	process
1788	Host.exe
1708	Host.exe

pid	process
1748	INQUIRY.exe
1748	INQUIRY.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

INQUIRY.exeHost.exe

description	pid	process	target process
PID 1984 set thread context of 1748	1984	INQUIRY.exe	INQUIRY.exe
PID 1788 set thread context of 1708	1788	Host.exe	Host.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1744 schtasks.exe
396 schtasks.exe

pid	process
1744	schtasks.exe
396	schtasks.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

INQUIRY.exeINQUIRY.exeHost.exe

description	pid	process	target process
PID 1984 wrote to memory of 1744	1984	INQUIRY.exe	schtasks.exe
PID 1984 wrote to memory of 1744	1984	INQUIRY.exe	schtasks.exe
PID 1984 wrote to memory of 1744	1984	INQUIRY.exe	schtasks.exe
PID 1984 wrote to memory of 1744	1984	INQUIRY.exe	schtasks.exe
PID 1984 wrote to memory of 1748	1984	INQUIRY.exe	INQUIRY.exe
PID 1984 wrote to memory of 1748	1984	INQUIRY.exe	INQUIRY.exe
PID 1984 wrote to memory of 1748	1984	INQUIRY.exe	INQUIRY.exe
PID 1984 wrote to memory of 1748	1984	INQUIRY.exe	INQUIRY.exe
PID 1984 wrote to memory of 1748	1984	INQUIRY.exe	INQUIRY.exe
PID 1984 wrote to memory of 1748	1984	INQUIRY.exe	INQUIRY.exe
PID 1984 wrote to memory of 1748	1984	INQUIRY.exe	INQUIRY.exe
PID 1984 wrote to memory of 1748	1984	INQUIRY.exe	INQUIRY.exe
PID 1984 wrote to memory of 1748	1984	INQUIRY.exe	INQUIRY.exe
PID 1984 wrote to memory of 1748	1984	INQUIRY.exe	INQUIRY.exe
PID 1984 wrote to memory of 1748	1984	INQUIRY.exe	INQUIRY.exe
PID 1984 wrote to memory of 1748	1984	INQUIRY.exe	INQUIRY.exe
PID 1748 wrote to memory of 1788	1748	INQUIRY.exe	Host.exe
PID 1748 wrote to memory of 1788	1748	INQUIRY.exe	Host.exe
PID 1748 wrote to memory of 1788	1748	INQUIRY.exe	Host.exe
PID 1748 wrote to memory of 1788	1748	INQUIRY.exe	Host.exe
PID 1788 wrote to memory of 396	1788	Host.exe	schtasks.exe
PID 1788 wrote to memory of 396	1788	Host.exe	schtasks.exe
PID 1788 wrote to memory of 396	1788	Host.exe	schtasks.exe
PID 1788 wrote to memory of 396	1788	Host.exe	schtasks.exe
PID 1788 wrote to memory of 1708	1788	Host.exe	Host.exe
PID 1788 wrote to memory of 1708	1788	Host.exe	Host.exe
PID 1788 wrote to memory of 1708	1788	Host.exe	Host.exe
PID 1788 wrote to memory of 1708	1788	Host.exe	Host.exe
PID 1788 wrote to memory of 1708	1788	Host.exe	Host.exe
PID 1788 wrote to memory of 1708	1788	Host.exe	Host.exe
PID 1788 wrote to memory of 1708	1788	Host.exe	Host.exe
PID 1788 wrote to memory of 1708	1788	Host.exe	Host.exe
PID 1788 wrote to memory of 1708	1788	Host.exe	Host.exe
PID 1788 wrote to memory of 1708	1788	Host.exe	Host.exe
PID 1788 wrote to memory of 1708	1788	Host.exe	Host.exe
PID 1788 wrote to memory of 1708	1788	Host.exe	Host.exe

C:\Users\Admin\AppData\Local\Temp\INQUIRY.exe
"C:\Users\Admin\AppData\Local\Temp\INQUIRY.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1984

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VSkCPulZoc" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDE6.tmp"
2⤵
- Creates scheduled task(s)
PID:1744

C:\Users\Admin\AppData\Local\Temp\INQUIRY.exe
"C:\Users\Admin\AppData\Local\Temp\INQUIRY.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1748

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe" -m "C:\Users\Admin\AppData\Local\Temp\INQUIRY.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1788

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VSkCPulZoc" /XML "C:\Users\Admin\AppData\Local\Temp\tmp166E.tmp"
4⤵
- Creates scheduled task(s)
PID:396

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
4⤵
- Executes dropped EXE
PID:1708

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp166E.tmp
Filesize
1KB

MD5
8d240a19b883a8d6f163bbc38a081f06

SHA1
fbd46c3a1c5959643f942ab2e1284fd3b969325a

SHA256
a0b897d8d53929929a2f644bcb05b53b852240e95830547b91b576137cd5b346

SHA512
0f8367e23630661580c4388bb0d9abfcbfa68c79c3e07f5059cf88a08e438a7cc63caa792d0aad98cf22a24e9ed5b4ef36164c996593b0bcc26a12f335c97013

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDE6.tmp
Filesize
1KB

MD5
8d240a19b883a8d6f163bbc38a081f06

SHA1
fbd46c3a1c5959643f942ab2e1284fd3b969325a

SHA256
a0b897d8d53929929a2f644bcb05b53b852240e95830547b91b576137cd5b346

SHA512
0f8367e23630661580c4388bb0d9abfcbfa68c79c3e07f5059cf88a08e438a7cc63caa792d0aad98cf22a24e9ed5b4ef36164c996593b0bcc26a12f335c97013

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
259KB

MD5
f652086d83ccc25c14bbcebb9229cbd4

SHA1
cadd3972915bd7ffee7442c8b60ff6acc156705e

SHA256
9a6951c6f3c33c217edd9a4e32f5422c4e125b909d0c88e190b76eb695f05b72

SHA512
1fb741fe778c749d465cea204739519bf2a4bad4121d472f3ada7bbd8c7d3f09fb43eb7a3e81c0de88105bc89d1ba32254ef41bc96d13b12920e796a6cee8d0c

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
259KB

MD5
f652086d83ccc25c14bbcebb9229cbd4

SHA1
cadd3972915bd7ffee7442c8b60ff6acc156705e

SHA256
9a6951c6f3c33c217edd9a4e32f5422c4e125b909d0c88e190b76eb695f05b72

SHA512
1fb741fe778c749d465cea204739519bf2a4bad4121d472f3ada7bbd8c7d3f09fb43eb7a3e81c0de88105bc89d1ba32254ef41bc96d13b12920e796a6cee8d0c

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
259KB

MD5
f652086d83ccc25c14bbcebb9229cbd4

SHA1
cadd3972915bd7ffee7442c8b60ff6acc156705e

SHA256
9a6951c6f3c33c217edd9a4e32f5422c4e125b909d0c88e190b76eb695f05b72

SHA512
1fb741fe778c749d465cea204739519bf2a4bad4121d472f3ada7bbd8c7d3f09fb43eb7a3e81c0de88105bc89d1ba32254ef41bc96d13b12920e796a6cee8d0c

Download Submit
\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
259KB

MD5
f652086d83ccc25c14bbcebb9229cbd4

SHA1
cadd3972915bd7ffee7442c8b60ff6acc156705e

SHA256
9a6951c6f3c33c217edd9a4e32f5422c4e125b909d0c88e190b76eb695f05b72

SHA512
1fb741fe778c749d465cea204739519bf2a4bad4121d472f3ada7bbd8c7d3f09fb43eb7a3e81c0de88105bc89d1ba32254ef41bc96d13b12920e796a6cee8d0c

Download Submit
\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
259KB

MD5
f652086d83ccc25c14bbcebb9229cbd4

SHA1
cadd3972915bd7ffee7442c8b60ff6acc156705e

SHA256
9a6951c6f3c33c217edd9a4e32f5422c4e125b909d0c88e190b76eb695f05b72

SHA512
1fb741fe778c749d465cea204739519bf2a4bad4121d472f3ada7bbd8c7d3f09fb43eb7a3e81c0de88105bc89d1ba32254ef41bc96d13b12920e796a6cee8d0c

Download Submit
memory/396-80-0x0000000000000000-mapping.dmp

Download
memory/1708-99-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1708-98-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1708-93-0x000000000040242D-mapping.dmp

Download
memory/1744-55-0x0000000000000000-mapping.dmp

Download
memory/1748-61-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1748-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1748-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1748-77-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1748-69-0x000000000040242D-mapping.dmp

Download
memory/1748-68-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1748-67-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1748-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1748-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1748-63-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1748-59-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1788-97-0x00000000742D0000-0x000000007487B000-memory.dmp

Filesize
5.7MB

Download
memory/1788-75-0x0000000000000000-mapping.dmp

Download
memory/1984-54-0x00000000752D1000-0x00000000752D3000-memory.dmp

Filesize
8KB

Download
memory/1984-58-0x00000000744F0000-0x0000000074A9B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads