netwire | 3e44e780a76526026a6ddbcea40043e5fd098bf107b0b68f7d9d232eb72ae574

General

Target

3e44e780a76526026a6ddbcea40043e5fd098bf107b0b68f7d9d232eb72ae574.exe
Size

626KB
MD5

d2b8bfc68681f6e58838eff7a2cb33c0
SHA1

1c365788f6d248efea2a1a7f574efd610866deff
SHA256

3e44e780a76526026a6ddbcea40043e5fd098bf107b0b68f7d9d232eb72ae574
SHA512

6eeb7aa28dd1a038d8cf87b50c7bc46496cbb6e0b2181ea01bf9b0c0b3601229f84845a6025a21357b2fede93ac34ead37fd96809b0f914f89cae7ca4f43a6dc

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Extracted

Family

netwire

C2

185.101.93.198:8681

185.101.93.198:9691

89.46.223.154:8585

89.46.223.154:1194

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
Password
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1344-76-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/1344-82-0x0000000077570000-0x00000000776F0000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 2 IoCs

Processes:

plesk.exeplesk.exe

pid process

1548 plesk.exe
1344 plesk.exe

pid	process
1548	plesk.exe
1344	plesk.exe

Loads dropped DLL 3 IoCs

Processes:

3e44e780a76526026a6ddbcea40043e5fd098bf107b0b68f7d9d232eb72ae574.exeplesk.exe

pid	process
1080	3e44e780a76526026a6ddbcea40043e5fd098bf107b0b68f7d9d232eb72ae574.exe
1080	3e44e780a76526026a6ddbcea40043e5fd098bf107b0b68f7d9d232eb72ae574.exe
1548	plesk.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\AHDSKD87372930473JNDKSKSNSBG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\plesk\\plesk.vbs -FF"	WScript.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

plesk.exe

description pid process target process

PID 1548 set thread context of 1344 1548 plesk.exe plesk.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

3e44e780a76526026a6ddbcea40043e5fd098bf107b0b68f7d9d232eb72ae574.exeplesk.exe

pid process

1080 3e44e780a76526026a6ddbcea40043e5fd098bf107b0b68f7d9d232eb72ae574.exe
1548 plesk.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

plesk.exe

pid process

1344 plesk.exe

description	pid	process	target process
PID 1548 set thread context of 1344	1548	plesk.exe	plesk.exe

pid	process
1344	plesk.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

3e44e780a76526026a6ddbcea40043e5fd098bf107b0b68f7d9d232eb72ae574.exeplesk.exe

description	pid	process	target process
PID 1080 wrote to memory of 964	1080	3e44e780a76526026a6ddbcea40043e5fd098bf107b0b68f7d9d232eb72ae574.exe	WScript.exe
PID 1080 wrote to memory of 964	1080	3e44e780a76526026a6ddbcea40043e5fd098bf107b0b68f7d9d232eb72ae574.exe	WScript.exe
PID 1080 wrote to memory of 964	1080	3e44e780a76526026a6ddbcea40043e5fd098bf107b0b68f7d9d232eb72ae574.exe	WScript.exe
PID 1080 wrote to memory of 964	1080	3e44e780a76526026a6ddbcea40043e5fd098bf107b0b68f7d9d232eb72ae574.exe	WScript.exe
PID 1080 wrote to memory of 1548	1080	3e44e780a76526026a6ddbcea40043e5fd098bf107b0b68f7d9d232eb72ae574.exe	plesk.exe
PID 1080 wrote to memory of 1548	1080	3e44e780a76526026a6ddbcea40043e5fd098bf107b0b68f7d9d232eb72ae574.exe	plesk.exe
PID 1080 wrote to memory of 1548	1080	3e44e780a76526026a6ddbcea40043e5fd098bf107b0b68f7d9d232eb72ae574.exe	plesk.exe
PID 1080 wrote to memory of 1548	1080	3e44e780a76526026a6ddbcea40043e5fd098bf107b0b68f7d9d232eb72ae574.exe	plesk.exe
PID 1548 wrote to memory of 1344	1548	plesk.exe	plesk.exe
PID 1548 wrote to memory of 1344	1548	plesk.exe	plesk.exe
PID 1548 wrote to memory of 1344	1548	plesk.exe	plesk.exe
PID 1548 wrote to memory of 1344	1548	plesk.exe	plesk.exe

C:\Users\Admin\AppData\Local\Temp\3e44e780a76526026a6ddbcea40043e5fd098bf107b0b68f7d9d232eb72ae574.exe
"C:\Users\Admin\AppData\Local\Temp\3e44e780a76526026a6ddbcea40043e5fd098bf107b0b68f7d9d232eb72ae574.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1080

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\plesk\plesk.vbs"
2⤵
- Adds Run key to start application
PID:964

C:\Users\Admin\AppData\Local\Temp\plesk\plesk.exe
"C:\Users\Admin\AppData\Local\Temp\plesk\plesk.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1548

C:\Users\Admin\AppData\Local\Temp\plesk\plesk.exe
C:\Users\Admin\AppData\Local\Temp\plesk\plesk.exe"
3⤵
- Executes dropped EXE
- Suspicious use of UnmapMainImage
PID:1344

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\plesk\plesk.exe
Filesize
626KB

MD5
d2b8bfc68681f6e58838eff7a2cb33c0

SHA1
1c365788f6d248efea2a1a7f574efd610866deff

SHA256
3e44e780a76526026a6ddbcea40043e5fd098bf107b0b68f7d9d232eb72ae574

SHA512
6eeb7aa28dd1a038d8cf87b50c7bc46496cbb6e0b2181ea01bf9b0c0b3601229f84845a6025a21357b2fede93ac34ead37fd96809b0f914f89cae7ca4f43a6dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\plesk\plesk.exe
Filesize
626KB

MD5
d2b8bfc68681f6e58838eff7a2cb33c0

SHA1
1c365788f6d248efea2a1a7f574efd610866deff

SHA256
3e44e780a76526026a6ddbcea40043e5fd098bf107b0b68f7d9d232eb72ae574

SHA512
6eeb7aa28dd1a038d8cf87b50c7bc46496cbb6e0b2181ea01bf9b0c0b3601229f84845a6025a21357b2fede93ac34ead37fd96809b0f914f89cae7ca4f43a6dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\plesk\plesk.exe
Filesize
626KB

MD5
d2b8bfc68681f6e58838eff7a2cb33c0

SHA1
1c365788f6d248efea2a1a7f574efd610866deff

SHA256
3e44e780a76526026a6ddbcea40043e5fd098bf107b0b68f7d9d232eb72ae574

SHA512
6eeb7aa28dd1a038d8cf87b50c7bc46496cbb6e0b2181ea01bf9b0c0b3601229f84845a6025a21357b2fede93ac34ead37fd96809b0f914f89cae7ca4f43a6dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\plesk\plesk.vbs
Filesize
1024B

MD5
f964ef1908684af0edaffac5e9be4e20

SHA1
65b65b4a3398ab4cdd0c4ab1db6eb25f6172cb2c

SHA256
bba4125f2fabc793609bec64ec8e26c920a2e4213b4eeab3fac338bb716e9143

SHA512
26cfd088e96766041ace82a7483cc620eb8ccf7765b6b9f7e987c2eb18561ee895c7f6e66d90712e8d50a88c87a35a3266a1db5829bb1ff0b749af9791a5eda1

Download Submit
\Users\Admin\AppData\Local\Temp\plesk\plesk.exe
Filesize
626KB

MD5
d2b8bfc68681f6e58838eff7a2cb33c0

SHA1
1c365788f6d248efea2a1a7f574efd610866deff

SHA256
3e44e780a76526026a6ddbcea40043e5fd098bf107b0b68f7d9d232eb72ae574

SHA512
6eeb7aa28dd1a038d8cf87b50c7bc46496cbb6e0b2181ea01bf9b0c0b3601229f84845a6025a21357b2fede93ac34ead37fd96809b0f914f89cae7ca4f43a6dc

Download Submit
\Users\Admin\AppData\Local\Temp\plesk\plesk.exe
Filesize
626KB

MD5
d2b8bfc68681f6e58838eff7a2cb33c0

SHA1
1c365788f6d248efea2a1a7f574efd610866deff

SHA256
3e44e780a76526026a6ddbcea40043e5fd098bf107b0b68f7d9d232eb72ae574

SHA512
6eeb7aa28dd1a038d8cf87b50c7bc46496cbb6e0b2181ea01bf9b0c0b3601229f84845a6025a21357b2fede93ac34ead37fd96809b0f914f89cae7ca4f43a6dc

Download Submit
\Users\Admin\AppData\Local\Temp\plesk\plesk.exe
Filesize
626KB

MD5
d2b8bfc68681f6e58838eff7a2cb33c0

SHA1
1c365788f6d248efea2a1a7f574efd610866deff

SHA256
3e44e780a76526026a6ddbcea40043e5fd098bf107b0b68f7d9d232eb72ae574

SHA512
6eeb7aa28dd1a038d8cf87b50c7bc46496cbb6e0b2181ea01bf9b0c0b3601229f84845a6025a21357b2fede93ac34ead37fd96809b0f914f89cae7ca4f43a6dc

Download Submit
memory/964-58-0x0000000000000000-mapping.dmp

Download
memory/1080-65-0x0000000077570000-0x00000000776F0000-memory.dmp

Filesize
1.5MB

Download
memory/1080-56-0x00000000752D1000-0x00000000752D3000-memory.dmp

Filesize
8KB

Download
memory/1080-57-0x0000000000290000-0x0000000000296000-memory.dmp

Filesize
24KB

Download
memory/1344-71-0x000000000047F08E-mapping.dmp

Download
memory/1344-76-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1344-82-0x0000000077570000-0x00000000776F0000-memory.dmp

Filesize
1.5MB

Download
memory/1344-83-0x0000000077570000-0x00000000776F0000-memory.dmp

Filesize
1.5MB

Download
memory/1548-62-0x0000000000000000-mapping.dmp

Download
memory/1548-73-0x0000000077570000-0x00000000776F0000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads