netwire | 2890e54b5f92a93286f1df01d7e2ea4e866637174e503914da848d69bc5cf1b9

General

Target

2890e54b5f92a93286f1df01d7e2ea4e866637174e503914da848d69bc5cf1b9.exe
Size

494KB
MD5

bba1a9dc9bb16a9166b4ad9af4f63b09
SHA1

515db743808b361180ff05ec79903c407f4c9081
SHA256

2890e54b5f92a93286f1df01d7e2ea4e866637174e503914da848d69bc5cf1b9
SHA512

d4487f60948630461def9fa07d1d2d2a2e88b4b4746c8523a943fb69366bc7778e10111d0bf501f29d921a3bea60bb6e0d61d44fa3a9836e85741275cfcff092

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Extracted

Family

netwire

C2

imglb.zapto.org:5934

bossback.camdvr.org:5934

Attributes

activex_autorun
true
activex_key
{8BD2JQU1-VOGH-J424-23XH-7A3M71HN7320}
copy_executable
true
delete_original
false
host_id
NEW
install_path
%AppData%\Install\chromes.exe
keylogger_dir
%AppData%\Logs\
lock_executable
true
mutex
BBtuYXdo
offline_keylogger
true
password
Hunter45
registry_autorun
true
startup_name
Opera
use_mutex
true

Signatures

NetWire RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\RarSFX1\chrome.exe	netwire
C:\Users\Admin\AppData\Local\Temp\RarSFX1\chrome.exe	netwire
C:\Users\Admin\AppData\Roaming\Install\chromes.exe	netwire
C:\Users\Admin\AppData\Roaming\Install\chromes.exe	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 3 IoCs

Processes:

chrome.sfx.exechrome.exechromes.exe

pid process

4128 chrome.sfx.exe
4224 chrome.exe
4940 chromes.exe

pid	process
4128	chrome.sfx.exe
4224	chrome.exe
4940	chromes.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

chromes.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8BD2JQU1-VOGH-J424-23XH-7A3M71HN7320}	chromes.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8BD2JQU1-VOGH-J424-23XH-7A3M71HN7320}\StubPath = "\"C:\\Users\\Admin\\AppData\\Roaming\\Install\\chromes.exe\""	chromes.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.sfx.exe2890e54b5f92a93286f1df01d7e2ea4e866637174e503914da848d69bc5cf1b9.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	chrome.sfx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	2890e54b5f92a93286f1df01d7e2ea4e866637174e503914da848d69bc5cf1b9.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

chromes.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	chromes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Opera = "C:\\Users\\Admin\\AppData\\Roaming\\Install\\chromes.exe"	chromes.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

2890e54b5f92a93286f1df01d7e2ea4e866637174e503914da848d69bc5cf1b9.execmd.exechrome.sfx.exechrome.exe

description	pid	process	target process
PID 5064 wrote to memory of 2344	5064	2890e54b5f92a93286f1df01d7e2ea4e866637174e503914da848d69bc5cf1b9.exe	cmd.exe
PID 5064 wrote to memory of 2344	5064	2890e54b5f92a93286f1df01d7e2ea4e866637174e503914da848d69bc5cf1b9.exe	cmd.exe
PID 5064 wrote to memory of 2344	5064	2890e54b5f92a93286f1df01d7e2ea4e866637174e503914da848d69bc5cf1b9.exe	cmd.exe
PID 2344 wrote to memory of 4128	2344	cmd.exe	chrome.sfx.exe
PID 2344 wrote to memory of 4128	2344	cmd.exe	chrome.sfx.exe
PID 2344 wrote to memory of 4128	2344	cmd.exe	chrome.sfx.exe
PID 4128 wrote to memory of 4224	4128	chrome.sfx.exe	chrome.exe
PID 4128 wrote to memory of 4224	4128	chrome.sfx.exe	chrome.exe
PID 4128 wrote to memory of 4224	4128	chrome.sfx.exe	chrome.exe
PID 4224 wrote to memory of 4940	4224	chrome.exe	chromes.exe
PID 4224 wrote to memory of 4940	4224	chrome.exe	chromes.exe
PID 4224 wrote to memory of 4940	4224	chrome.exe	chromes.exe

C:\Users\Admin\AppData\Local\Temp\2890e54b5f92a93286f1df01d7e2ea4e866637174e503914da848d69bc5cf1b9.exe
"C:\Users\Admin\AppData\Local\Temp\2890e54b5f92a93286f1df01d7e2ea4e866637174e503914da848d69bc5cf1b9.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5064

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\vos.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:2344

C:\Users\Admin\AppData\Local\Temp\RarSFX0\chrome.sfx.exe
chrome.sfx.exe -p126 -dC:\Users\Admin\AppData\Local\Temp
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4128

C:\Users\Admin\AppData\Local\Temp\RarSFX1\chrome.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\chrome.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4224

C:\Users\Admin\AppData\Roaming\Install\chromes.exe
"C:\Users\Admin\AppData\Roaming\Install\chromes.exe"
5⤵
- Executes dropped EXE
- Modifies Installed Components in the registry
- Adds Run key to start application
PID:4940

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\chrome.sfx.exe

Filesize
337KB

MD5
0e257769c93e5c3c50636503144d7ad9

SHA1
b4e043ac8dc49086d86ebee8bab740f1b2cd0031

SHA256
e70a691fde8a94eeff1e6e5967db71c4a319a2ccf2338f9f0fdacaed861cc3f2

SHA512
7b71792c4593bb3f0f70dc0be98889e421d97a928e681dba6681ea98688338d47cfd055426fd8f45f3d6b6259fffce7eeb7cd039c9d997995b066b858b1ecefc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\chrome.sfx.exe

Filesize
337KB

MD5
0e257769c93e5c3c50636503144d7ad9

SHA1
b4e043ac8dc49086d86ebee8bab740f1b2cd0031

SHA256
e70a691fde8a94eeff1e6e5967db71c4a319a2ccf2338f9f0fdacaed861cc3f2

SHA512
7b71792c4593bb3f0f70dc0be98889e421d97a928e681dba6681ea98688338d47cfd055426fd8f45f3d6b6259fffce7eeb7cd039c9d997995b066b858b1ecefc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\vos.bat

Filesize
29B

MD5
31d0a3247e5faa450b91e343001c5565

SHA1
54989c2d9cbaccd1ba7a36d10b4fe1f1f3af6b61

SHA256
04d48ec91886a6e0895578519bced0efe4fc7d8cccea0772c1f5dbaa688b3c65

SHA512
65da3994fab985629230b04622ce32f03bb2793061d5ac735ccec6445c55e63b25e8e53c7c9fe465a54164888e7faf2341b58a9813435de1d3fee131888eff7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\chrome.exe

Filesize
132KB

MD5
0d9fe3be07159e1ab3e38e113167084e

SHA1
2cb89079929d8410f59c61f4f490f6865067a450

SHA256
52017df49f2df45a38c8d03d27c4dcd2777ca5217cc950507c2a5daa71c67f19

SHA512
a6cf12afd16e20fc9b27bd2deab32a9830a2fdc204ef82ac52be7d2fcf89f2f14d60ca8fe494064c0d78769229f78511f3c943e107f0c4d264a57d4bf9f7e873

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\chrome.exe

Filesize
132KB

MD5
0d9fe3be07159e1ab3e38e113167084e

SHA1
2cb89079929d8410f59c61f4f490f6865067a450

SHA256
52017df49f2df45a38c8d03d27c4dcd2777ca5217cc950507c2a5daa71c67f19

SHA512
a6cf12afd16e20fc9b27bd2deab32a9830a2fdc204ef82ac52be7d2fcf89f2f14d60ca8fe494064c0d78769229f78511f3c943e107f0c4d264a57d4bf9f7e873

Download Submit
C:\Users\Admin\AppData\Roaming\Install\chromes.exe

Filesize
132KB

MD5
0d9fe3be07159e1ab3e38e113167084e

SHA1
2cb89079929d8410f59c61f4f490f6865067a450

SHA256
52017df49f2df45a38c8d03d27c4dcd2777ca5217cc950507c2a5daa71c67f19

SHA512
a6cf12afd16e20fc9b27bd2deab32a9830a2fdc204ef82ac52be7d2fcf89f2f14d60ca8fe494064c0d78769229f78511f3c943e107f0c4d264a57d4bf9f7e873

Download Submit
C:\Users\Admin\AppData\Roaming\Install\chromes.exe

Filesize
132KB

MD5
0d9fe3be07159e1ab3e38e113167084e

SHA1
2cb89079929d8410f59c61f4f490f6865067a450

SHA256
52017df49f2df45a38c8d03d27c4dcd2777ca5217cc950507c2a5daa71c67f19

SHA512
a6cf12afd16e20fc9b27bd2deab32a9830a2fdc204ef82ac52be7d2fcf89f2f14d60ca8fe494064c0d78769229f78511f3c943e107f0c4d264a57d4bf9f7e873

Download Submit
memory/2344-130-0x0000000000000000-mapping.dmp

Download
memory/4128-132-0x0000000000000000-mapping.dmp

Download
memory/4224-135-0x0000000000000000-mapping.dmp

Download
memory/4940-138-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads