netwire | b40a3c0aa371e80fb0cc86dfcb249a788f50260d490d950718f49c64e188a3b8

General

Target

QUOTE_93.exe
Size

433KB
MD5

d519b9590876fd0bc7fe7e62c1f14f9c
SHA1

930bc4718ace81ed9d029d1b99c1cd7cf53e2b95
SHA256

8d91a07cffa859ef14c1deaf86f49c25003f050d4fed1d18eee1cde88f292697
SHA512

9d644709fdce6b603a683b0d481abf005743e1a05198522a843c5b463b1414dbfc8785da52ebbf87acddda51eaf5fa336745cefbbf264f37c21ee8121cfbad39

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

C2

185.103.96.151:6996

Attributes

activex_autorun
false
activex_key
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
install_path
keylogger_dir
lock_executable
false
mutex
offline_keylogger
false
password
Ehimembano1@
registry_autorun
false
startup_name
use_mutex
false

Signatures

NetWire RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4804-135-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral2/memory/4804-137-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral2/memory/4804-138-0x0000000000400000-0x0000000000433000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

QUOTE_93.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	QUOTE_93.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

QUOTE_93.exe

description pid process target process

PID 2816 set thread context of 4804 2816 QUOTE_93.exe QUOTE_93.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3428 schtasks.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

QUOTE_93.exe

pid process

2816 QUOTE_93.exe
2816 QUOTE_93.exe
2816 QUOTE_93.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

QUOTE_93.exe

description pid process

Token: SeDebugPrivilege 2816 QUOTE_93.exe

description	pid	process	target process
PID 2816 set thread context of 4804	2816	QUOTE_93.exe	QUOTE_93.exe

pid	process
3428	schtasks.exe

pid	process
2816	QUOTE_93.exe
2816	QUOTE_93.exe
2816	QUOTE_93.exe

description	pid	process
Token: SeDebugPrivilege	2816	QUOTE_93.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

QUOTE_93.exe

description	pid	process	target process
PID 2816 wrote to memory of 3428	2816	QUOTE_93.exe	schtasks.exe
PID 2816 wrote to memory of 3428	2816	QUOTE_93.exe	schtasks.exe
PID 2816 wrote to memory of 3428	2816	QUOTE_93.exe	schtasks.exe
PID 2816 wrote to memory of 4592	2816	QUOTE_93.exe	QUOTE_93.exe
PID 2816 wrote to memory of 4592	2816	QUOTE_93.exe	QUOTE_93.exe
PID 2816 wrote to memory of 4592	2816	QUOTE_93.exe	QUOTE_93.exe
PID 2816 wrote to memory of 4804	2816	QUOTE_93.exe	QUOTE_93.exe
PID 2816 wrote to memory of 4804	2816	QUOTE_93.exe	QUOTE_93.exe
PID 2816 wrote to memory of 4804	2816	QUOTE_93.exe	QUOTE_93.exe
PID 2816 wrote to memory of 4804	2816	QUOTE_93.exe	QUOTE_93.exe
PID 2816 wrote to memory of 4804	2816	QUOTE_93.exe	QUOTE_93.exe
PID 2816 wrote to memory of 4804	2816	QUOTE_93.exe	QUOTE_93.exe
PID 2816 wrote to memory of 4804	2816	QUOTE_93.exe	QUOTE_93.exe
PID 2816 wrote to memory of 4804	2816	QUOTE_93.exe	QUOTE_93.exe
PID 2816 wrote to memory of 4804	2816	QUOTE_93.exe	QUOTE_93.exe
PID 2816 wrote to memory of 4804	2816	QUOTE_93.exe	QUOTE_93.exe
PID 2816 wrote to memory of 4804	2816	QUOTE_93.exe	QUOTE_93.exe

C:\Users\Admin\AppData\Local\Temp\QUOTE_93.exe
"C:\Users\Admin\AppData\Local\Temp\QUOTE_93.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2816

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GtbksiCXNN" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA127.tmp"
2⤵
- Creates scheduled task(s)
PID:3428

C:\Users\Admin\AppData\Local\Temp\QUOTE_93.exe
"{path}"
2⤵
PID:4592

C:\Users\Admin\AppData\Local\Temp\QUOTE_93.exe
"{path}"
2⤵
PID:4804

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpA127.tmp
Filesize
1KB

MD5
2cde70f2d8631a5b884d154e02638156

SHA1
e97c1193a0f58022ba41578f07deef24b65c0b5d

SHA256
13c1714c51135514d7444c22a28ecac800c9a973c3fa88ff3378ff5b0acd4abd

SHA512
00492309bec1813884e3a3cb255e7e015727656247ba35d607dbcb6132b2375530391df79c78da3e0472905a57e19c44f332104ca16222e2861547f14650677d

Download Submit
memory/2816-130-0x0000000075520000-0x0000000075AD1000-memory.dmp

Filesize
5.7MB

Download
memory/3428-131-0x0000000000000000-mapping.dmp

Download
memory/4592-133-0x0000000000000000-mapping.dmp

Download
memory/4804-134-0x0000000000000000-mapping.dmp

Download
memory/4804-135-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4804-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4804-138-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads