netwire | 39f51c80d8d21e1ae2a007f80d67e24dbf3742a458dd53c7fc5e0ebf1ae92822

General

Target

39f51c80d8d21e1ae2a007f80d67e24dbf3742a458dd53c7fc5e0ebf1ae92822.exe
Size

604KB
MD5

709f957e6dbe9b0c1457e92aa4cc48d6
SHA1

204d345363fd5d0d78d436d3d67cab1c335273ce
SHA256

39f51c80d8d21e1ae2a007f80d67e24dbf3742a458dd53c7fc5e0ebf1ae92822
SHA512

be56e882e28835c8e6c043d39d59510f3b3a6ce03517095c9d24c8fbca02a6d91c98bf4bd83579b3078fde4147201b010611959d5bb5cc2adfda24a5c2a3ba4f

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Extracted

Family

netwire

C2

emthai.ddns.net:3365

emthai.ddns.net:1076

Attributes

activex_autorun
false
copy_executable
true
delete_original
true
host_id
HostId-%Emathai%
install_path
%AppData%\Install\Host.exe
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
nOQDdboC
offline_keylogger
true
password
emthai18
registry_autorun
true
startup_name
Java_Updates
use_mutex
true

Signatures

NetWire RAT payload 7 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/688-133-0x0000000000000000-mapping.dmp	netwire
behavioral2/memory/688-135-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/688-136-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/688-137-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/4988-143-0x0000000000000000-mapping.dmp	netwire
behavioral2/memory/4988-147-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/4988-148-0x0000000000400000-0x000000000042C000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 2 IoCs

Processes:

Host.exeHost.exe

pid process

2288 Host.exe
4988 Host.exe

pid	process
2288	Host.exe
4988	Host.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Host.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	Host.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java_Updates = "C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe"	Host.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

39f51c80d8d21e1ae2a007f80d67e24dbf3742a458dd53c7fc5e0ebf1ae92822.exeHost.exe

pid process

4416 39f51c80d8d21e1ae2a007f80d67e24dbf3742a458dd53c7fc5e0ebf1ae92822.exe
2288 Host.exe

pid	process
4416	39f51c80d8d21e1ae2a007f80d67e24dbf3742a458dd53c7fc5e0ebf1ae92822.exe
2288	Host.exe

Suspicious use of WriteProcessMemory 37 IoCs

Processes:

39f51c80d8d21e1ae2a007f80d67e24dbf3742a458dd53c7fc5e0ebf1ae92822.exe39f51c80d8d21e1ae2a007f80d67e24dbf3742a458dd53c7fc5e0ebf1ae92822.exeHost.exe

description	pid	process	target process
PID 4416 wrote to memory of 688	4416	39f51c80d8d21e1ae2a007f80d67e24dbf3742a458dd53c7fc5e0ebf1ae92822.exe	39f51c80d8d21e1ae2a007f80d67e24dbf3742a458dd53c7fc5e0ebf1ae92822.exe
PID 4416 wrote to memory of 688	4416	39f51c80d8d21e1ae2a007f80d67e24dbf3742a458dd53c7fc5e0ebf1ae92822.exe	39f51c80d8d21e1ae2a007f80d67e24dbf3742a458dd53c7fc5e0ebf1ae92822.exe
PID 4416 wrote to memory of 688	4416	39f51c80d8d21e1ae2a007f80d67e24dbf3742a458dd53c7fc5e0ebf1ae92822.exe	39f51c80d8d21e1ae2a007f80d67e24dbf3742a458dd53c7fc5e0ebf1ae92822.exe
PID 4416 wrote to memory of 688	4416	39f51c80d8d21e1ae2a007f80d67e24dbf3742a458dd53c7fc5e0ebf1ae92822.exe	39f51c80d8d21e1ae2a007f80d67e24dbf3742a458dd53c7fc5e0ebf1ae92822.exe
PID 4416 wrote to memory of 688	4416	39f51c80d8d21e1ae2a007f80d67e24dbf3742a458dd53c7fc5e0ebf1ae92822.exe	39f51c80d8d21e1ae2a007f80d67e24dbf3742a458dd53c7fc5e0ebf1ae92822.exe
PID 4416 wrote to memory of 688	4416	39f51c80d8d21e1ae2a007f80d67e24dbf3742a458dd53c7fc5e0ebf1ae92822.exe	39f51c80d8d21e1ae2a007f80d67e24dbf3742a458dd53c7fc5e0ebf1ae92822.exe
PID 4416 wrote to memory of 688	4416	39f51c80d8d21e1ae2a007f80d67e24dbf3742a458dd53c7fc5e0ebf1ae92822.exe	39f51c80d8d21e1ae2a007f80d67e24dbf3742a458dd53c7fc5e0ebf1ae92822.exe
PID 4416 wrote to memory of 688	4416	39f51c80d8d21e1ae2a007f80d67e24dbf3742a458dd53c7fc5e0ebf1ae92822.exe	39f51c80d8d21e1ae2a007f80d67e24dbf3742a458dd53c7fc5e0ebf1ae92822.exe
PID 4416 wrote to memory of 688	4416	39f51c80d8d21e1ae2a007f80d67e24dbf3742a458dd53c7fc5e0ebf1ae92822.exe	39f51c80d8d21e1ae2a007f80d67e24dbf3742a458dd53c7fc5e0ebf1ae92822.exe
PID 4416 wrote to memory of 688	4416	39f51c80d8d21e1ae2a007f80d67e24dbf3742a458dd53c7fc5e0ebf1ae92822.exe	39f51c80d8d21e1ae2a007f80d67e24dbf3742a458dd53c7fc5e0ebf1ae92822.exe
PID 4416 wrote to memory of 688	4416	39f51c80d8d21e1ae2a007f80d67e24dbf3742a458dd53c7fc5e0ebf1ae92822.exe	39f51c80d8d21e1ae2a007f80d67e24dbf3742a458dd53c7fc5e0ebf1ae92822.exe
PID 4416 wrote to memory of 688	4416	39f51c80d8d21e1ae2a007f80d67e24dbf3742a458dd53c7fc5e0ebf1ae92822.exe	39f51c80d8d21e1ae2a007f80d67e24dbf3742a458dd53c7fc5e0ebf1ae92822.exe
PID 4416 wrote to memory of 688	4416	39f51c80d8d21e1ae2a007f80d67e24dbf3742a458dd53c7fc5e0ebf1ae92822.exe	39f51c80d8d21e1ae2a007f80d67e24dbf3742a458dd53c7fc5e0ebf1ae92822.exe
PID 4416 wrote to memory of 688	4416	39f51c80d8d21e1ae2a007f80d67e24dbf3742a458dd53c7fc5e0ebf1ae92822.exe	39f51c80d8d21e1ae2a007f80d67e24dbf3742a458dd53c7fc5e0ebf1ae92822.exe
PID 4416 wrote to memory of 688	4416	39f51c80d8d21e1ae2a007f80d67e24dbf3742a458dd53c7fc5e0ebf1ae92822.exe	39f51c80d8d21e1ae2a007f80d67e24dbf3742a458dd53c7fc5e0ebf1ae92822.exe
PID 4416 wrote to memory of 688	4416	39f51c80d8d21e1ae2a007f80d67e24dbf3742a458dd53c7fc5e0ebf1ae92822.exe	39f51c80d8d21e1ae2a007f80d67e24dbf3742a458dd53c7fc5e0ebf1ae92822.exe
PID 4416 wrote to memory of 688	4416	39f51c80d8d21e1ae2a007f80d67e24dbf3742a458dd53c7fc5e0ebf1ae92822.exe	39f51c80d8d21e1ae2a007f80d67e24dbf3742a458dd53c7fc5e0ebf1ae92822.exe
PID 688 wrote to memory of 2288	688	39f51c80d8d21e1ae2a007f80d67e24dbf3742a458dd53c7fc5e0ebf1ae92822.exe	Host.exe
PID 688 wrote to memory of 2288	688	39f51c80d8d21e1ae2a007f80d67e24dbf3742a458dd53c7fc5e0ebf1ae92822.exe	Host.exe
PID 688 wrote to memory of 2288	688	39f51c80d8d21e1ae2a007f80d67e24dbf3742a458dd53c7fc5e0ebf1ae92822.exe	Host.exe
PID 2288 wrote to memory of 4988	2288	Host.exe	Host.exe
PID 2288 wrote to memory of 4988	2288	Host.exe	Host.exe
PID 2288 wrote to memory of 4988	2288	Host.exe	Host.exe
PID 2288 wrote to memory of 4988	2288	Host.exe	Host.exe
PID 2288 wrote to memory of 4988	2288	Host.exe	Host.exe
PID 2288 wrote to memory of 4988	2288	Host.exe	Host.exe
PID 2288 wrote to memory of 4988	2288	Host.exe	Host.exe
PID 2288 wrote to memory of 4988	2288	Host.exe	Host.exe
PID 2288 wrote to memory of 4988	2288	Host.exe	Host.exe
PID 2288 wrote to memory of 4988	2288	Host.exe	Host.exe
PID 2288 wrote to memory of 4988	2288	Host.exe	Host.exe
PID 2288 wrote to memory of 4988	2288	Host.exe	Host.exe
PID 2288 wrote to memory of 4988	2288	Host.exe	Host.exe
PID 2288 wrote to memory of 4988	2288	Host.exe	Host.exe
PID 2288 wrote to memory of 4988	2288	Host.exe	Host.exe
PID 2288 wrote to memory of 4988	2288	Host.exe	Host.exe
PID 2288 wrote to memory of 4988	2288	Host.exe	Host.exe

C:\Users\Admin\AppData\Local\Temp\39f51c80d8d21e1ae2a007f80d67e24dbf3742a458dd53c7fc5e0ebf1ae92822.exe
"C:\Users\Admin\AppData\Local\Temp\39f51c80d8d21e1ae2a007f80d67e24dbf3742a458dd53c7fc5e0ebf1ae92822.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4416

C:\Users\Admin\AppData\Local\Temp\39f51c80d8d21e1ae2a007f80d67e24dbf3742a458dd53c7fc5e0ebf1ae92822.exe
"C:\Users\Admin\AppData\Local\Temp\39f51c80d8d21e1ae2a007f80d67e24dbf3742a458dd53c7fc5e0ebf1ae92822.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:688

C:\Users\Admin\AppData\Roaming\Install\Host.exe
-m "C:\Users\Admin\AppData\Local\Temp\39f51c80d8d21e1ae2a007f80d67e24dbf3742a458dd53c7fc5e0ebf1ae92822.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2288

C:\Users\Admin\AppData\Roaming\Install\Host.exe
-m "C:\Users\Admin\AppData\Local\Temp\39f51c80d8d21e1ae2a007f80d67e24dbf3742a458dd53c7fc5e0ebf1ae92822.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4988

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
604KB

MD5
709f957e6dbe9b0c1457e92aa4cc48d6

SHA1
204d345363fd5d0d78d436d3d67cab1c335273ce

SHA256
39f51c80d8d21e1ae2a007f80d67e24dbf3742a458dd53c7fc5e0ebf1ae92822

SHA512
be56e882e28835c8e6c043d39d59510f3b3a6ce03517095c9d24c8fbca02a6d91c98bf4bd83579b3078fde4147201b010611959d5bb5cc2adfda24a5c2a3ba4f

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
604KB

MD5
709f957e6dbe9b0c1457e92aa4cc48d6

SHA1
204d345363fd5d0d78d436d3d67cab1c335273ce

SHA256
39f51c80d8d21e1ae2a007f80d67e24dbf3742a458dd53c7fc5e0ebf1ae92822

SHA512
be56e882e28835c8e6c043d39d59510f3b3a6ce03517095c9d24c8fbca02a6d91c98bf4bd83579b3078fde4147201b010611959d5bb5cc2adfda24a5c2a3ba4f

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
604KB

MD5
709f957e6dbe9b0c1457e92aa4cc48d6

SHA1
204d345363fd5d0d78d436d3d67cab1c335273ce

SHA256
39f51c80d8d21e1ae2a007f80d67e24dbf3742a458dd53c7fc5e0ebf1ae92822

SHA512
be56e882e28835c8e6c043d39d59510f3b3a6ce03517095c9d24c8fbca02a6d91c98bf4bd83579b3078fde4147201b010611959d5bb5cc2adfda24a5c2a3ba4f

Download Submit
memory/688-137-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/688-136-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/688-135-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/688-133-0x0000000000000000-mapping.dmp

Download
memory/2288-138-0x0000000000000000-mapping.dmp

Download
memory/4416-132-0x0000000002260000-0x0000000002266000-memory.dmp

Filesize
24KB

Download
memory/4416-134-0x0000000002260000-0x0000000002266000-memory.dmp

Filesize
24KB

Download
memory/4988-143-0x0000000000000000-mapping.dmp

Download
memory/4988-147-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4988-148-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads