netwire | 3f7e5239a328af7e3865e8340d40a892748da42c5f1343264d173f1b9f7d51d2

General

Target

3f7e5239a328af7e3865e8340d40a892748da42c5f1343264d173f1b9f7d51d2.exe
Size

245KB
MD5

0eee0f4cc5461af94ac39590ea0b8ac9
SHA1

9072cb614aef5c9c2d38d2846bb3c625a9f65ecb
SHA256

3f7e5239a328af7e3865e8340d40a892748da42c5f1343264d173f1b9f7d51d2
SHA512

2e926acde54ef8bf3f4ad0cb21ed6487c614fdee49be63190a9a8436db54d8d9df617ad2babf886df5af8ecb056e6b54d97e2d4ab43d11d5978748be8e8cb1ec

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Extracted

Family

netwire

C2

netzirecolq.gleeze.com:3372

Attributes

activex_autorun
true
activex_key
{ILC0D6DW-314A-58FX-3U05-C35QOA66D730}
copy_executable
false
delete_original
true
host_id
3372
keylogger_dir
%AppData%\Logs\
lock_executable
true
mutex
fCnYKSgn
offline_keylogger
true
password
10203010Aa
registry_autorun
true
startup_name
Defender
use_mutex
true

Signatures

NetWire RAT payload 7 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1612-62-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/1612-63-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/1612-65-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/1612-66-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/1612-67-0x0000000000402BCB-mapping.dmp	netwire
behavioral1/memory/1612-70-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/1612-71-0x0000000000400000-0x000000000042C000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

3f7e5239a328af7e3865e8340d40a892748da42c5f1343264d173f1b9f7d51d2.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ILC0D6DW-314A-58FX-3U05-C35QOA66D730}	3f7e5239a328af7e3865e8340d40a892748da42c5f1343264d173f1b9f7d51d2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ILC0D6DW-314A-58FX-3U05-C35QOA66D730}\StubPath = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\3f7e5239a328af7e3865e8340d40a892748da42c5f1343264d173f1b9f7d51d2.exe\""	3f7e5239a328af7e3865e8340d40a892748da42c5f1343264d173f1b9f7d51d2.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

3f7e5239a328af7e3865e8340d40a892748da42c5f1343264d173f1b9f7d51d2.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	3f7e5239a328af7e3865e8340d40a892748da42c5f1343264d173f1b9f7d51d2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\Defender = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3f7e5239a328af7e3865e8340d40a892748da42c5f1343264d173f1b9f7d51d2.exe"	3f7e5239a328af7e3865e8340d40a892748da42c5f1343264d173f1b9f7d51d2.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

3f7e5239a328af7e3865e8340d40a892748da42c5f1343264d173f1b9f7d51d2.exe

description	pid	process	target process
PID 2000 set thread context of 1612	2000	3f7e5239a328af7e3865e8340d40a892748da42c5f1343264d173f1b9f7d51d2.exe	3f7e5239a328af7e3865e8340d40a892748da42c5f1343264d173f1b9f7d51d2.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

3f7e5239a328af7e3865e8340d40a892748da42c5f1343264d173f1b9f7d51d2.exe

description pid process

Token: SeDebugPrivilege 2000 3f7e5239a328af7e3865e8340d40a892748da42c5f1343264d173f1b9f7d51d2.exe

description	pid	process
Token: SeDebugPrivilege	2000	3f7e5239a328af7e3865e8340d40a892748da42c5f1343264d173f1b9f7d51d2.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

3f7e5239a328af7e3865e8340d40a892748da42c5f1343264d173f1b9f7d51d2.exe

description	pid	process	target process
PID 2000 wrote to memory of 1612	2000	3f7e5239a328af7e3865e8340d40a892748da42c5f1343264d173f1b9f7d51d2.exe	3f7e5239a328af7e3865e8340d40a892748da42c5f1343264d173f1b9f7d51d2.exe
PID 2000 wrote to memory of 1612	2000	3f7e5239a328af7e3865e8340d40a892748da42c5f1343264d173f1b9f7d51d2.exe	3f7e5239a328af7e3865e8340d40a892748da42c5f1343264d173f1b9f7d51d2.exe
PID 2000 wrote to memory of 1612	2000	3f7e5239a328af7e3865e8340d40a892748da42c5f1343264d173f1b9f7d51d2.exe	3f7e5239a328af7e3865e8340d40a892748da42c5f1343264d173f1b9f7d51d2.exe
PID 2000 wrote to memory of 1612	2000	3f7e5239a328af7e3865e8340d40a892748da42c5f1343264d173f1b9f7d51d2.exe	3f7e5239a328af7e3865e8340d40a892748da42c5f1343264d173f1b9f7d51d2.exe
PID 2000 wrote to memory of 1612	2000	3f7e5239a328af7e3865e8340d40a892748da42c5f1343264d173f1b9f7d51d2.exe	3f7e5239a328af7e3865e8340d40a892748da42c5f1343264d173f1b9f7d51d2.exe
PID 2000 wrote to memory of 1612	2000	3f7e5239a328af7e3865e8340d40a892748da42c5f1343264d173f1b9f7d51d2.exe	3f7e5239a328af7e3865e8340d40a892748da42c5f1343264d173f1b9f7d51d2.exe
PID 2000 wrote to memory of 1612	2000	3f7e5239a328af7e3865e8340d40a892748da42c5f1343264d173f1b9f7d51d2.exe	3f7e5239a328af7e3865e8340d40a892748da42c5f1343264d173f1b9f7d51d2.exe
PID 2000 wrote to memory of 1612	2000	3f7e5239a328af7e3865e8340d40a892748da42c5f1343264d173f1b9f7d51d2.exe	3f7e5239a328af7e3865e8340d40a892748da42c5f1343264d173f1b9f7d51d2.exe
PID 2000 wrote to memory of 1612	2000	3f7e5239a328af7e3865e8340d40a892748da42c5f1343264d173f1b9f7d51d2.exe	3f7e5239a328af7e3865e8340d40a892748da42c5f1343264d173f1b9f7d51d2.exe
PID 2000 wrote to memory of 1612	2000	3f7e5239a328af7e3865e8340d40a892748da42c5f1343264d173f1b9f7d51d2.exe	3f7e5239a328af7e3865e8340d40a892748da42c5f1343264d173f1b9f7d51d2.exe
PID 2000 wrote to memory of 1612	2000	3f7e5239a328af7e3865e8340d40a892748da42c5f1343264d173f1b9f7d51d2.exe	3f7e5239a328af7e3865e8340d40a892748da42c5f1343264d173f1b9f7d51d2.exe

C:\Users\Admin\AppData\Local\Temp\3f7e5239a328af7e3865e8340d40a892748da42c5f1343264d173f1b9f7d51d2.exe
"C:\Users\Admin\AppData\Local\Temp\3f7e5239a328af7e3865e8340d40a892748da42c5f1343264d173f1b9f7d51d2.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2000

C:\Users\Admin\AppData\Local\Temp\3f7e5239a328af7e3865e8340d40a892748da42c5f1343264d173f1b9f7d51d2.exe
"C:\Users\Admin\AppData\Local\Temp\3f7e5239a328af7e3865e8340d40a892748da42c5f1343264d173f1b9f7d51d2.exe"
2⤵
- Modifies Installed Components in the registry
- Adds Run key to start application
PID:1612

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1612-62-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1612-65-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1612-71-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1612-57-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1612-58-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1612-60-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1612-70-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1612-69-0x0000000075221000-0x0000000075223000-memory.dmp

Filesize
8KB

Download
memory/1612-67-0x0000000000402BCB-mapping.dmp

Download
memory/1612-66-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1612-63-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2000-54-0x0000000000DF0000-0x0000000000E34000-memory.dmp

Filesize
272KB

Download
memory/2000-55-0x0000000000470000-0x00000000004D4000-memory.dmp

Filesize
400KB

Download
memory/2000-56-0x00000000001C0000-0x00000000001E2000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads