netwire | 3fa2905c28d4a7835efb745dc22ba8a033e46be44085d8db48be2a525cf3f651

General

Target

3fa2905c28d4a7835efb745dc22ba8a033e46be44085d8db48be2a525cf3f651.exe
Size

813KB
MD5

c78cc437caa7edfc9c3494c58b017e8a
SHA1

61cbbf0bef3c282c12a88fa927ce1447caffb3f7
SHA256

3fa2905c28d4a7835efb745dc22ba8a033e46be44085d8db48be2a525cf3f651
SHA512

bf049956c7cbf887820027f658a89f3833dccef089b50beaf3d60b8a8e539947728710d218a03d5948e9ae9b15e6640557425822daa57ef4b248bba7e81431f5

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

C2

blackhills.ddns.net:1030

213.183.58.34:1031

Attributes

activex_autorun
false
copy_executable
true
delete_original
true
host_id
Lord Of Sabbath
install_path
%AppData%\Roaming\svchost.exe
lock_executable
true
mutex
conhost
offline_keylogger
false
password
Password
registry_autorun
false
use_mutex
true

Signatures

NetWire RAT payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4460-134-0x0000000000000000-mapping.dmp	netwire
behavioral2/memory/4460-136-0x0000000000400000-0x0000000000420000-memory.dmp	netwire
behavioral2/memory/4460-138-0x0000000000400000-0x0000000000420000-memory.dmp	netwire
behavioral2/memory/4460-141-0x0000000000400000-0x0000000000420000-memory.dmp	netwire
behavioral2/memory/4460-145-0x0000000000400000-0x0000000000420000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 1 IoCs

Processes:

svchost.exe

pid process

4812 svchost.exe

pid	process
4812	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3fa2905c28d4a7835efb745dc22ba8a033e46be44085d8db48be2a525cf3f651.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	3fa2905c28d4a7835efb745dc22ba8a033e46be44085d8db48be2a525cf3f651.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

3fa2905c28d4a7835efb745dc22ba8a033e46be44085d8db48be2a525cf3f651.exe

description	pid	process	target process
PID 916 set thread context of 4460	916	3fa2905c28d4a7835efb745dc22ba8a033e46be44085d8db48be2a525cf3f651.exe	svchost.exe

Drops file in Program Files directory 24 IoCs

Processes:

java.exejavaw.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\dll\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\dll\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\ntdll.pdb	java.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1740 schtasks.exe

pid	process
1740	schtasks.exe

Modifies registry class 1 IoCs

Processes:

3fa2905c28d4a7835efb745dc22ba8a033e46be44085d8db48be2a525cf3f651.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings	3fa2905c28d4a7835efb745dc22ba8a033e46be44085d8db48be2a525cf3f651.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

3fa2905c28d4a7835efb745dc22ba8a033e46be44085d8db48be2a525cf3f651.exesvchost.exejavaw.exe

description	pid	process	target process
PID 916 wrote to memory of 1740	916	3fa2905c28d4a7835efb745dc22ba8a033e46be44085d8db48be2a525cf3f651.exe	schtasks.exe
PID 916 wrote to memory of 1740	916	3fa2905c28d4a7835efb745dc22ba8a033e46be44085d8db48be2a525cf3f651.exe	schtasks.exe
PID 916 wrote to memory of 1740	916	3fa2905c28d4a7835efb745dc22ba8a033e46be44085d8db48be2a525cf3f651.exe	schtasks.exe
PID 916 wrote to memory of 4460	916	3fa2905c28d4a7835efb745dc22ba8a033e46be44085d8db48be2a525cf3f651.exe	svchost.exe
PID 916 wrote to memory of 4460	916	3fa2905c28d4a7835efb745dc22ba8a033e46be44085d8db48be2a525cf3f651.exe	svchost.exe
PID 916 wrote to memory of 4460	916	3fa2905c28d4a7835efb745dc22ba8a033e46be44085d8db48be2a525cf3f651.exe	svchost.exe
PID 916 wrote to memory of 4460	916	3fa2905c28d4a7835efb745dc22ba8a033e46be44085d8db48be2a525cf3f651.exe	svchost.exe
PID 916 wrote to memory of 4460	916	3fa2905c28d4a7835efb745dc22ba8a033e46be44085d8db48be2a525cf3f651.exe	svchost.exe
PID 916 wrote to memory of 4460	916	3fa2905c28d4a7835efb745dc22ba8a033e46be44085d8db48be2a525cf3f651.exe	svchost.exe
PID 916 wrote to memory of 4460	916	3fa2905c28d4a7835efb745dc22ba8a033e46be44085d8db48be2a525cf3f651.exe	svchost.exe
PID 916 wrote to memory of 4460	916	3fa2905c28d4a7835efb745dc22ba8a033e46be44085d8db48be2a525cf3f651.exe	svchost.exe
PID 916 wrote to memory of 4460	916	3fa2905c28d4a7835efb745dc22ba8a033e46be44085d8db48be2a525cf3f651.exe	svchost.exe
PID 4460 wrote to memory of 4812	4460	svchost.exe	svchost.exe
PID 4460 wrote to memory of 4812	4460	svchost.exe	svchost.exe
PID 4460 wrote to memory of 4812	4460	svchost.exe	svchost.exe
PID 916 wrote to memory of 4452	916	3fa2905c28d4a7835efb745dc22ba8a033e46be44085d8db48be2a525cf3f651.exe	javaw.exe
PID 916 wrote to memory of 4452	916	3fa2905c28d4a7835efb745dc22ba8a033e46be44085d8db48be2a525cf3f651.exe	javaw.exe
PID 4452 wrote to memory of 2152	4452	javaw.exe	java.exe
PID 4452 wrote to memory of 2152	4452	javaw.exe	java.exe

C:\Users\Admin\AppData\Local\Temp\3fa2905c28d4a7835efb745dc22ba8a033e46be44085d8db48be2a525cf3f651.exe
"C:\Users\Admin\AppData\Local\Temp\3fa2905c28d4a7835efb745dc22ba8a033e46be44085d8db48be2a525cf3f651.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:916

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "ALGKF\ALGKF" /XML "C:\Users\Admin\AppData\Roaming\ALGKF\aOOOOO.xml"
2⤵
- Creates scheduled task(s)
PID:1740

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\System32\svchost.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4460

C:\Users\Admin\AppData\Roaming\Roaming\svchost.exe
-m "C:\Windows\SysWOW64\svchost.exe"
3⤵
- Executes dropped EXE
PID:4812

C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\EAWET.jar"
2⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4452

C:\Program Files\Java\jre1.8.0_66\bin\java.exe
"C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.3906858704923446546710497355773653.class
3⤵
- Drops file in Program Files directory
PID:2152

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp
Filesize
50B

MD5
8f5d0c9e226a450b9170d10bcadd68e2

SHA1
174ad28520d9aedd6d6f7e0e05c878581ac37556

SHA256
ef7f258cb736b42b6b7648401d6a62b0de1a6778d070fbeff1a6fb4e8001f20d

SHA512
3438a1331638bdb686ad110cf21457c68aeefc541b6d0ae135ba334adda83415094c8e2ee65f8d2f4cc03bf4f9edb048a69e0b8fc2dadf76d9fbef00fb40ef24

Download Submit
C:\Users\Admin\AppData\Local\Temp\EAWET.jar
Filesize
473KB

MD5
d6d2b3e890041545cc409ab31157aa1a

SHA1
5b569bce8f9f00b2ce684738496cbffc908131f7

SHA256
fea9e7094bc95dc152f595f7b45c78ec15a76fc6ceec9812d38de6c601c4170e

SHA512
16419ec9491e8fc85a5ea7b71234e656cc33dd95703bbb6c2b05d2edf50f8f58f9bab624d395cd64e28d4ac56eb7af24f97264b79fe12d9bce4d2df1257c6ff1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_0.3906858704923446546710497355773653.class
Filesize
241KB

MD5
781fb531354d6f291f1ccab48da6d39f

SHA1
9ce4518ebcb5be6d1f0b5477fa00c26860fe9a68

SHA256
97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9

SHA512
3e6630f5feb4a3eb1dac7e9125ce14b1a2a45d7415cf44cea42bc51b2a9aa37169ee4a4c36c888c8f2696e7d6e298e2ad7b2f4c22868aaa5948210eb7db220d8

Download Submit
C:\Users\Admin\AppData\Roaming\ALGKF\aOOOOO.xml
Filesize
1KB

MD5
244445d8e0121079b25f44d0b527e333

SHA1
10853217b97d2b256083e9756444552c05d7b8da

SHA256
2833be5ffc4003f66bb2d3ea80556d89cd393f4453ad269efedb4707416b9e6c

SHA512
c2a87f1f7a50eef4384e3e5d29add3e5fe841f4026d75847b83ab5a117d09694e6a29412ef82a143bad139b5ac62c7e716f38a5d74baee58d2515fcc3f2d570b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3751123196-3323558407-1869646069-1000\83aa4cc77f591dfc2374580bbd95f6ba_6bb404a8-25bc-4cef-a831-797f8d1e89c0
Filesize
45B

MD5
c8366ae350e7019aefc9d1e6e6a498c6

SHA1
5731d8a3e6568a5f2dfbbc87e3db9637df280b61

SHA256
11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238

SHA512
33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

Download Submit
C:\Users\Admin\AppData\Roaming\Roaming\svchost.exe
Filesize
45KB

MD5
b7c999040d80e5bf87886d70d992c51e

SHA1
a8ed9a51cc14ccf99b670e60ebbc110756504929

SHA256
5c3257b277f160109071e7e716040e67657341d8c42aa68d9afafe1630fcc53e

SHA512
71ba2fbd705e51b488afe3bb33a67212cf297e97e8b1b20ada33e16956f7ec8f89a79e04a4b256fd61a442fada690aff0c807c2bdcc9165a9c7be3de725de309

Download Submit
memory/916-131-0x0000000074BC0000-0x0000000075171000-memory.dmp

Filesize
5.7MB

Download
memory/916-130-0x0000000074BC0000-0x0000000075171000-memory.dmp

Filesize
5.7MB

Download
memory/916-147-0x0000000074BC0000-0x0000000075171000-memory.dmp

Filesize
5.7MB

Download
memory/1740-132-0x0000000000000000-mapping.dmp

Download
memory/2152-170-0x0000000002AA0000-0x0000000003AA0000-memory.dmp

Filesize
16.0MB

Download
memory/2152-158-0x0000000000000000-mapping.dmp

Download
memory/4452-157-0x00000000029A0000-0x00000000039A0000-memory.dmp

Filesize
16.0MB

Download
memory/4452-143-0x0000000000000000-mapping.dmp

Download
memory/4452-179-0x00000000029A0000-0x00000000039A0000-memory.dmp

Filesize
16.0MB

Download
memory/4452-180-0x00000000029A0000-0x00000000039A0000-memory.dmp

Filesize
16.0MB

Download
memory/4460-145-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4460-141-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4460-138-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4460-135-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4460-136-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4460-134-0x0000000000000000-mapping.dmp

Download
memory/4812-142-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads