netwire | 3ec9e490b353d5e97d6ccc87f213e3031e35657f421b5cb4a115b77586d0101d

General

Target

3ec9e490b353d5e97d6ccc87f213e3031e35657f421b5cb4a115b77586d0101d.exe
Size

632KB
MD5

ca54b45fd7a57962114be53148aa1c04
SHA1

d839665971f82acb1ac2772af36eea98685f36a8
SHA256

3ec9e490b353d5e97d6ccc87f213e3031e35657f421b5cb4a115b77586d0101d
SHA512

26645284fd9f5b902c4ecfa0322cfba44c56b259cf283d7abb7ae890a8601948852ed497025274e69b35319b8ef15543500cabd770da4930ceaa0d92c80ec1b4

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Extracted

Family

netwire

C2

ddns.catamosky.biz:4886

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
APRIL
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
Trinidado1@
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 8 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1952-70-0x0000000000000000-mapping.dmp	netwire
behavioral1/memory/1952-72-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/1952-76-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/1952-77-0x0000000000401000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/1952-78-0x0000000000401000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/1952-79-0x0000000000401000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/1952-80-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/1952-81-0x0000000000401000-0x000000000042C000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 2 IoCs

Processes:

oturaaa.exeoturaaa.exe

pid process

1176 oturaaa.exe
1952 oturaaa.exe
Loads dropped DLL 3 IoCs

Processes:

WScript.exeoturaaa.exe

pid process

2036 WScript.exe
2036 WScript.exe
1176 oturaaa.exe

pid	process
1176	oturaaa.exe
1952	oturaaa.exe

pid	process
2036	WScript.exe
2036	WScript.exe
1176	oturaaa.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\oturaaa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oturaaa\\oturaaa.vbs"	WScript.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

oturaaa.exe

description pid process target process

PID 1176 set thread context of 1952 1176 oturaaa.exe oturaaa.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

3ec9e490b353d5e97d6ccc87f213e3031e35657f421b5cb4a115b77586d0101d.exeoturaaa.exe

pid process

924 3ec9e490b353d5e97d6ccc87f213e3031e35657f421b5cb4a115b77586d0101d.exe
1176 oturaaa.exe

description	pid	process	target process
PID 1176 set thread context of 1952	1176	oturaaa.exe	oturaaa.exe

pid	process
924	3ec9e490b353d5e97d6ccc87f213e3031e35657f421b5cb4a115b77586d0101d.exe
1176	oturaaa.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

3ec9e490b353d5e97d6ccc87f213e3031e35657f421b5cb4a115b77586d0101d.exeWScript.exeoturaaa.exe

description	pid	process	target process
PID 924 wrote to memory of 2036	924	3ec9e490b353d5e97d6ccc87f213e3031e35657f421b5cb4a115b77586d0101d.exe	WScript.exe
PID 924 wrote to memory of 2036	924	3ec9e490b353d5e97d6ccc87f213e3031e35657f421b5cb4a115b77586d0101d.exe	WScript.exe
PID 924 wrote to memory of 2036	924	3ec9e490b353d5e97d6ccc87f213e3031e35657f421b5cb4a115b77586d0101d.exe	WScript.exe
PID 924 wrote to memory of 2036	924	3ec9e490b353d5e97d6ccc87f213e3031e35657f421b5cb4a115b77586d0101d.exe	WScript.exe
PID 2036 wrote to memory of 1176	2036	WScript.exe	oturaaa.exe
PID 2036 wrote to memory of 1176	2036	WScript.exe	oturaaa.exe
PID 2036 wrote to memory of 1176	2036	WScript.exe	oturaaa.exe
PID 2036 wrote to memory of 1176	2036	WScript.exe	oturaaa.exe
PID 1176 wrote to memory of 1952	1176	oturaaa.exe	oturaaa.exe
PID 1176 wrote to memory of 1952	1176	oturaaa.exe	oturaaa.exe
PID 1176 wrote to memory of 1952	1176	oturaaa.exe	oturaaa.exe
PID 1176 wrote to memory of 1952	1176	oturaaa.exe	oturaaa.exe
PID 1176 wrote to memory of 1952	1176	oturaaa.exe	oturaaa.exe
PID 1176 wrote to memory of 1952	1176	oturaaa.exe	oturaaa.exe
PID 1176 wrote to memory of 1952	1176	oturaaa.exe	oturaaa.exe
PID 1176 wrote to memory of 1952	1176	oturaaa.exe	oturaaa.exe
PID 1176 wrote to memory of 1952	1176	oturaaa.exe	oturaaa.exe
PID 1176 wrote to memory of 1952	1176	oturaaa.exe	oturaaa.exe
PID 1176 wrote to memory of 1952	1176	oturaaa.exe	oturaaa.exe
PID 1176 wrote to memory of 1952	1176	oturaaa.exe	oturaaa.exe
PID 1176 wrote to memory of 1952	1176	oturaaa.exe	oturaaa.exe
PID 1176 wrote to memory of 1952	1176	oturaaa.exe	oturaaa.exe
PID 1176 wrote to memory of 1952	1176	oturaaa.exe	oturaaa.exe
PID 1176 wrote to memory of 1952	1176	oturaaa.exe	oturaaa.exe
PID 1176 wrote to memory of 1952	1176	oturaaa.exe	oturaaa.exe
PID 1176 wrote to memory of 1952	1176	oturaaa.exe	oturaaa.exe

C:\Users\Admin\AppData\Local\Temp\3ec9e490b353d5e97d6ccc87f213e3031e35657f421b5cb4a115b77586d0101d.exe
"C:\Users\Admin\AppData\Local\Temp\3ec9e490b353d5e97d6ccc87f213e3031e35657f421b5cb4a115b77586d0101d.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:924

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\oturaaa\oturaaa.vbs"
2⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2036

C:\Users\Admin\AppData\Local\Temp\oturaaa\oturaaa.exe
"C:\Users\Admin\AppData\Local\Temp\oturaaa\oturaaa.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1176

C:\Users\Admin\AppData\Local\Temp\oturaaa\oturaaa.exe
"C:\Users\Admin\AppData\Local\Temp\oturaaa\oturaaa.exe"
4⤵
- Executes dropped EXE
PID:1952

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\oturaaa\oturaaa.exe

Filesize
632KB

MD5
2adb7449a29781086ca9fefb912f7597

SHA1
8bbb58bd5d195c5965d673820a418e20406fbbe7

SHA256
ea160fafb1bab5be66d189eefff3bb6b13f811b87fbdd5638e9575617751513b

SHA512
f6e98a1a121fbb34219d6fffe04e080f7f385c1c00a39e5ff3cff4013b8dfad68e2ecd6522f11ddba8d913b1eb286b2271843c58baa8ab48878f7d8353ce26d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\oturaaa\oturaaa.exe

Filesize
632KB

MD5
2adb7449a29781086ca9fefb912f7597

SHA1
8bbb58bd5d195c5965d673820a418e20406fbbe7

SHA256
ea160fafb1bab5be66d189eefff3bb6b13f811b87fbdd5638e9575617751513b

SHA512
f6e98a1a121fbb34219d6fffe04e080f7f385c1c00a39e5ff3cff4013b8dfad68e2ecd6522f11ddba8d913b1eb286b2271843c58baa8ab48878f7d8353ce26d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\oturaaa\oturaaa.exe

Filesize
632KB

MD5
2adb7449a29781086ca9fefb912f7597

SHA1
8bbb58bd5d195c5965d673820a418e20406fbbe7

SHA256
ea160fafb1bab5be66d189eefff3bb6b13f811b87fbdd5638e9575617751513b

SHA512
f6e98a1a121fbb34219d6fffe04e080f7f385c1c00a39e5ff3cff4013b8dfad68e2ecd6522f11ddba8d913b1eb286b2271843c58baa8ab48878f7d8353ce26d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\oturaaa\oturaaa.vbs

Filesize
1024B

MD5
8c254fbd6a9183e388cb510059a11dd4

SHA1
79e292a390cd81eb843e65466e78d5c3a92e7a75

SHA256
1e9c0e9d8a3ddd025ba121c42a71120a9dd1f43d17010b6fa477191bca5dcce7

SHA512
7ca03fb3a4c92c1680405cd43b4f21066b3eef5cc1edfdaa996dd977828447e08abf4ce31b91ef6acb9263a6a92a146056418400b2f00d80f1fac5d04ad03951

Download Submit
\Users\Admin\AppData\Local\Temp\oturaaa\oturaaa.exe

Filesize
632KB

MD5
2adb7449a29781086ca9fefb912f7597

SHA1
8bbb58bd5d195c5965d673820a418e20406fbbe7

SHA256
ea160fafb1bab5be66d189eefff3bb6b13f811b87fbdd5638e9575617751513b

SHA512
f6e98a1a121fbb34219d6fffe04e080f7f385c1c00a39e5ff3cff4013b8dfad68e2ecd6522f11ddba8d913b1eb286b2271843c58baa8ab48878f7d8353ce26d8

Download Submit
\Users\Admin\AppData\Local\Temp\oturaaa\oturaaa.exe

Filesize
632KB

MD5
2adb7449a29781086ca9fefb912f7597

SHA1
8bbb58bd5d195c5965d673820a418e20406fbbe7

SHA256
ea160fafb1bab5be66d189eefff3bb6b13f811b87fbdd5638e9575617751513b

SHA512
f6e98a1a121fbb34219d6fffe04e080f7f385c1c00a39e5ff3cff4013b8dfad68e2ecd6522f11ddba8d913b1eb286b2271843c58baa8ab48878f7d8353ce26d8

Download Submit
\Users\Admin\AppData\Local\Temp\oturaaa\oturaaa.exe

Filesize
632KB

MD5
2adb7449a29781086ca9fefb912f7597

SHA1
8bbb58bd5d195c5965d673820a418e20406fbbe7

SHA256
ea160fafb1bab5be66d189eefff3bb6b13f811b87fbdd5638e9575617751513b

SHA512
f6e98a1a121fbb34219d6fffe04e080f7f385c1c00a39e5ff3cff4013b8dfad68e2ecd6522f11ddba8d913b1eb286b2271843c58baa8ab48878f7d8353ce26d8

Download Submit
memory/924-57-0x00000000761F1000-0x00000000761F3000-memory.dmp

Filesize
8KB

Download
memory/924-56-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/1176-73-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/1176-64-0x0000000000000000-mapping.dmp

Download
memory/1952-70-0x0000000000000000-mapping.dmp

Download
memory/1952-72-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1952-74-0x0000000000400000-0x0000000000401000-memory.dmp

Filesize
4KB

Download
memory/1952-76-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1952-77-0x0000000000401000-0x000000000042C000-memory.dmp

Filesize
172KB

Download
memory/1952-78-0x0000000000401000-0x000000000042C000-memory.dmp

Filesize
172KB

Download
memory/1952-79-0x0000000000401000-0x000000000042C000-memory.dmp

Filesize
172KB

Download
memory/1952-80-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1952-81-0x0000000000401000-0x000000000042C000-memory.dmp

Filesize
172KB

Download
memory/2036-58-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads