netwire | 47048f96c5d73e3b52b6cd80ed26e881ca615cc6d6d6ee1ab6994571e808b4cb

General

Target

47048f96c5d73e3b52b6cd80ed26e881ca615cc6d6d6ee1ab6994571e808b4cb.exe
Size

799KB
MD5

b365940d50152d199c01212ec79af7e2
SHA1

c4a69ce2c97e09501e89a41e539f075ab1795e6c
SHA256

47048f96c5d73e3b52b6cd80ed26e881ca615cc6d6d6ee1ab6994571e808b4cb
SHA512

1978b4758d4b0aca1429efb58ef411d5ee7bd95e9e14bcd6765398764d689e73587dc4d64374e46756a5ac6f3b962ef4be74db3be78e3edcf9e004dfb4f9e43a

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Signatures

NetWire RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/576-89-0x0000000000400000-0x000000000048D000-memory.dmp	netwire
behavioral1/memory/576-90-0x0000000000400000-0x0000000000425000-memory.dmp	netwire
behavioral1/memory/576-98-0x0000000000400000-0x000000000048D000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 3 IoCs

Processes:

PP_OUT~1.EXEhjfdsg.exehjfdsg.exe

pid process

1668 PP_OUT~1.EXE
1460 hjfdsg.exe
576 hjfdsg.exe
Loads dropped DLL 2 IoCs

Processes:

PP_OUT~1.EXE

pid process

1668 PP_OUT~1.EXE
1668 PP_OUT~1.EXE

pid	process
1668	PP_OUT~1.EXE
1460	hjfdsg.exe
576	hjfdsg.exe

pid	process
1668	PP_OUT~1.EXE
1668	PP_OUT~1.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

47048f96c5d73e3b52b6cd80ed26e881ca615cc6d6d6ee1ab6994571e808b4cb.exeWScript.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	47048f96c5d73e3b52b6cd80ed26e881ca615cc6d6d6ee1ab6994571e808b4cb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	47048f96c5d73e3b52b6cd80ed26e881ca615cc6d6d6ee1ab6994571e808b4cb.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\hjfdsg = "C:\\Users\\Admin\\hjfdsg\\hjfdsg.vbs -rb"	WScript.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

PP_OUT~1.EXEhjfdsg.exehjfdsg.exe

pid process

1668 PP_OUT~1.EXE
1460 hjfdsg.exe
576 hjfdsg.exe
576 hjfdsg.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

hjfdsg.exe

description pid process target process

PID 1460 set thread context of 576 1460 hjfdsg.exe hjfdsg.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

PP_OUT~1.EXEhjfdsg.exe

pid process

1668 PP_OUT~1.EXE
1460 hjfdsg.exe

pid	process
1668	PP_OUT~1.EXE
1460	hjfdsg.exe
576	hjfdsg.exe
576	hjfdsg.exe

description	pid	process	target process
PID 1460 set thread context of 576	1460	hjfdsg.exe	hjfdsg.exe

pid	process
1668	PP_OUT~1.EXE
1460	hjfdsg.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

47048f96c5d73e3b52b6cd80ed26e881ca615cc6d6d6ee1ab6994571e808b4cb.exePP_OUT~1.EXEhjfdsg.exe

description	pid	process	target process
PID 1992 wrote to memory of 1668	1992	47048f96c5d73e3b52b6cd80ed26e881ca615cc6d6d6ee1ab6994571e808b4cb.exe	PP_OUT~1.EXE
PID 1992 wrote to memory of 1668	1992	47048f96c5d73e3b52b6cd80ed26e881ca615cc6d6d6ee1ab6994571e808b4cb.exe	PP_OUT~1.EXE
PID 1992 wrote to memory of 1668	1992	47048f96c5d73e3b52b6cd80ed26e881ca615cc6d6d6ee1ab6994571e808b4cb.exe	PP_OUT~1.EXE
PID 1992 wrote to memory of 1668	1992	47048f96c5d73e3b52b6cd80ed26e881ca615cc6d6d6ee1ab6994571e808b4cb.exe	PP_OUT~1.EXE
PID 1668 wrote to memory of 1640	1668	PP_OUT~1.EXE	WScript.exe
PID 1668 wrote to memory of 1640	1668	PP_OUT~1.EXE	WScript.exe
PID 1668 wrote to memory of 1640	1668	PP_OUT~1.EXE	WScript.exe
PID 1668 wrote to memory of 1640	1668	PP_OUT~1.EXE	WScript.exe
PID 1668 wrote to memory of 1460	1668	PP_OUT~1.EXE	hjfdsg.exe
PID 1668 wrote to memory of 1460	1668	PP_OUT~1.EXE	hjfdsg.exe
PID 1668 wrote to memory of 1460	1668	PP_OUT~1.EXE	hjfdsg.exe
PID 1668 wrote to memory of 1460	1668	PP_OUT~1.EXE	hjfdsg.exe
PID 1460 wrote to memory of 576	1460	hjfdsg.exe	hjfdsg.exe
PID 1460 wrote to memory of 576	1460	hjfdsg.exe	hjfdsg.exe
PID 1460 wrote to memory of 576	1460	hjfdsg.exe	hjfdsg.exe
PID 1460 wrote to memory of 576	1460	hjfdsg.exe	hjfdsg.exe

C:\Users\Admin\AppData\Local\Temp\47048f96c5d73e3b52b6cd80ed26e881ca615cc6d6d6ee1ab6994571e808b4cb.exe
"C:\Users\Admin\AppData\Local\Temp\47048f96c5d73e3b52b6cd80ed26e881ca615cc6d6d6ee1ab6994571e808b4cb.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1992

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PP_OUT~1.EXE
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PP_OUT~1.EXE
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1668

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\hjfdsg\hjfdsg.vbs"
3⤵
- Adds Run key to start application
PID:1640

C:\Users\Admin\hjfdsg\hjfdsg.exe
"C:\Users\Admin\hjfdsg\hjfdsg.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1460

C:\Users\Admin\hjfdsg\hjfdsg.exe
"C:\Users\Admin\hjfdsg\hjfdsg.exe"
4⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:576

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PP_OUT~1.EXE
Filesize
200.5MB

MD5
4c1c41c44069ab51c0d47263e1ceb81f

SHA1
f17d2ae0288e499dfcb1cb8e870c922166b797f5

SHA256
00369ab13b6d29e074383964b700653a68f57512edd2c4d704149c7f16bdb7a2

SHA512
d74f3c61707d0be8ac36ca815d73809f796a4790c629538ebaebd2969025acb28487b5baed8fbcf93c3ffb2ef5dd546e0168b79f56c38036767e46badb0b9714

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PP_OUT~1.EXE
Filesize
96.8MB

MD5
c6dd8c07b8824c9d79b9e2a104b62dd4

SHA1
fa96958a7bd4af1c8a72dda84184c9706f7028ef

SHA256
72de7ffeee257c4fb9889cbcfb6adababebd2df2aa61005a77bc482711165a1f

SHA512
70f39b20c324b05265eb91ab34e1a41df67de1308f13341a75a11f230ac38c280be145045e313cc18d8951f6274da517f107c8f711f589a3bccc05af3299fa1b

Download Submit
C:\Users\Admin\hjfdsg\hjfdsg.exe
Filesize
90.0MB

MD5
9f11448806edc7f7353067c5871c346c

SHA1
05fa619ca02c1f839b0129c151211e2300826279

SHA256
f24d3a312409a251f6e29ba17375039cb18e6de614a58202ba9262665312a1e3

SHA512
fce1e82c6653f64e066017bb66546227781b204adc449b40798d9fa650c997592f8191e9487f7b8e0927a42159fdde3c39be090fc79608a3ddf8cd8264c04e24

Download Submit
C:\Users\Admin\hjfdsg\hjfdsg.exe
Filesize
74.5MB

MD5
8193e6ea3a93645c653480cedc599f65

SHA1
3243d52faead2d8d0cc17549121518d2e57f4287

SHA256
76eedaee06b5b6de4b1d95fb4ca71a295c656eb54af11291ea53d012f243bd95

SHA512
803846a5a9f0b2d7ad14444a1adaa8a4f21501bb349b08d79d7ee4ac4393c02477dbb8c34c05ea59de5da007a9efc105ebacc264b9f14ca982897d836e51ea64

Download Submit
C:\Users\Admin\hjfdsg\hjfdsg.exe
Filesize
76.9MB

MD5
6271efd5bf3420b1f068819bdc5832e2

SHA1
ce7e97ec216e942f83d5ec79c1614481460ac135

SHA256
27ece64df79998c11f15ec39824c938f98c947d82ca91ea48c4ea4bcdaf75c1f

SHA512
4c28d4c168af6332c68052446055da41511f8b760bfc6562a438b2bcf81ae42ec310e77f1b2db5e514fc59e036c597210d4f659b94873d4f828cac9ccfb93b2f

Download Submit
C:\Users\Admin\hjfdsg\hjfdsg.vbs
Filesize
1020B

MD5
1b9304654e1f20648823de5c18f70b32

SHA1
34c2b00b34b22def3a1abf191554a75323fd7956

SHA256
9ddb09d2e4e9a1a2f716e07893f80cc0c97db638ffb24b7cd7b964df09ed490f

SHA512
2565377cda9266e5d0cff682516cd8622c06e71ac311adc7b03a85a59fa3b88948de5e2b6d0626d6df41dcda99debc353ba3f7c625007ddf0cdef72e63d5aea3

Download Submit
\Users\Admin\hjfdsg\hjfdsg.exe
Filesize
85.2MB

MD5
7b265c35540e74a71ba2ca5a6e211bb5

SHA1
ed539066f57e460bd3445a3defc48fad696b93ab

SHA256
5fa69715d1849bade31df2c5335473f81805c5cdacc1f88acccdfa53f508b259

SHA512
c3da0985e3a102ad15411e6356d6f18aa00ab979332cccb2ca7d95dbd8999f5c5c8f84442a746ca75fee6c6d40993ce19ae604ced2fa2d93e4b1de4245f5d610

Download Submit
\Users\Admin\hjfdsg\hjfdsg.exe
Filesize
88.3MB

MD5
17b9cc4febb2cd520814e1979be8f4a1

SHA1
aa368a9fce117bf6c312ed02ee893dd4d5891a76

SHA256
3ee6e3e9929c0286d91312956342bcc3e5e130385805597a44f166ac8920f1dd

SHA512
fc162d97d4fb3857f882cd92cbfc693a041a57409adb4a3c25c1b45f6b34210c94b451a73e2ca91db0b385a8ac56ca1cce5a56fde0bef148b5a39d78dfcae506

Download Submit
memory/576-90-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/576-88-0x0000000077640000-0x00000000777C0000-memory.dmp

Filesize
1.5MB

Download
memory/576-89-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/576-96-0x0000000000230000-0x0000000000248000-memory.dmp

Filesize
96KB

Download
memory/576-87-0x0000000077460000-0x0000000077609000-memory.dmp

Filesize
1.7MB

Download
memory/576-97-0x0000000077640000-0x00000000777C0000-memory.dmp

Filesize
1.5MB

Download
memory/576-98-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/576-82-0x0000000000477008-mapping.dmp

Download
memory/1460-69-0x0000000000000000-mapping.dmp

Download
memory/1460-84-0x0000000077640000-0x00000000777C0000-memory.dmp

Filesize
1.5MB

Download
memory/1460-79-0x0000000077460000-0x0000000077609000-memory.dmp

Filesize
1.7MB

Download
memory/1460-80-0x0000000077640000-0x00000000777C0000-memory.dmp

Filesize
1.5MB

Download
memory/1640-66-0x0000000000000000-mapping.dmp

Download
memory/1668-63-0x0000000000240000-0x0000000000258000-memory.dmp

Filesize
96KB

Download
memory/1668-75-0x0000000077640000-0x00000000777C0000-memory.dmp

Filesize
1.5MB

Download
memory/1668-70-0x0000000000240000-0x0000000000258000-memory.dmp

Filesize
96KB

Download
memory/1668-62-0x0000000077640000-0x00000000777C0000-memory.dmp

Filesize
1.5MB

Download
memory/1668-61-0x0000000077460000-0x0000000077609000-memory.dmp

Filesize
1.7MB

Download
memory/1668-60-0x00000000755C1000-0x00000000755C3000-memory.dmp

Filesize
8KB

Download
memory/1668-59-0x0000000000240000-0x0000000000258000-memory.dmp

Filesize
96KB

Download
memory/1668-55-0x0000000000000000-mapping.dmp

Download
memory/1992-54-0x000007FEFBCB1000-0x000007FEFBCB3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads