netwire | 3e0f6cacce5c9bb96d68914bbe5af3a4850988c562d236392fb99814456db40b

General

Target

3e0f6cacce5c9bb96d68914bbe5af3a4850988c562d236392fb99814456db40b.exe
Size

504KB
MD5

ca2b658c2635de5b50eaf2a9db941da5
SHA1

6b69f3a7437cc4aff6fbed6c7290c5d67811964d
SHA256

3e0f6cacce5c9bb96d68914bbe5af3a4850988c562d236392fb99814456db40b
SHA512

79ae2c412892baa2dea2168d662ec373bbd6ea07efd46289c4ccf920715459aa5452209baf4ad9cfab44f57014d66f07295680b81cfc9a1971d26514f4092db3

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Extracted

Family

netwire

C2

ddns.catamosky.biz:4668

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
JULY
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
Trinidado1@
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4488-141-0x0000000000000000-mapping.dmp	netwire
behavioral2/memory/4488-144-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/4488-145-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/4488-146-0x0000000000400000-0x000000000042C000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 2 IoCs

Processes:

vbc.exevbc.exe

pid process

4740 vbc.exe
4488 vbc.exe

pid	process
4740	vbc.exe
4488	vbc.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3e0f6cacce5c9bb96d68914bbe5af3a4850988c562d236392fb99814456db40b.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	3e0f6cacce5c9bb96d68914bbe5af3a4850988c562d236392fb99814456db40b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	WScript.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vbc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\skype\\vbc.vbs"	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

3e0f6cacce5c9bb96d68914bbe5af3a4850988c562d236392fb99814456db40b.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	3e0f6cacce5c9bb96d68914bbe5af3a4850988c562d236392fb99814456db40b.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

3e0f6cacce5c9bb96d68914bbe5af3a4850988c562d236392fb99814456db40b.exevbc.exe

pid process

2424 3e0f6cacce5c9bb96d68914bbe5af3a4850988c562d236392fb99814456db40b.exe
4740 vbc.exe

pid	process
2424	3e0f6cacce5c9bb96d68914bbe5af3a4850988c562d236392fb99814456db40b.exe
4740	vbc.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

3e0f6cacce5c9bb96d68914bbe5af3a4850988c562d236392fb99814456db40b.exeWScript.exevbc.exe

description	pid	process	target process
PID 2424 wrote to memory of 4388	2424	3e0f6cacce5c9bb96d68914bbe5af3a4850988c562d236392fb99814456db40b.exe	WScript.exe
PID 2424 wrote to memory of 4388	2424	3e0f6cacce5c9bb96d68914bbe5af3a4850988c562d236392fb99814456db40b.exe	WScript.exe
PID 2424 wrote to memory of 4388	2424	3e0f6cacce5c9bb96d68914bbe5af3a4850988c562d236392fb99814456db40b.exe	WScript.exe
PID 4388 wrote to memory of 4740	4388	WScript.exe	vbc.exe
PID 4388 wrote to memory of 4740	4388	WScript.exe	vbc.exe
PID 4388 wrote to memory of 4740	4388	WScript.exe	vbc.exe
PID 4740 wrote to memory of 4488	4740	vbc.exe	vbc.exe
PID 4740 wrote to memory of 4488	4740	vbc.exe	vbc.exe
PID 4740 wrote to memory of 4488	4740	vbc.exe	vbc.exe
PID 4740 wrote to memory of 4488	4740	vbc.exe	vbc.exe
PID 4740 wrote to memory of 4488	4740	vbc.exe	vbc.exe
PID 4740 wrote to memory of 4488	4740	vbc.exe	vbc.exe
PID 4740 wrote to memory of 4488	4740	vbc.exe	vbc.exe
PID 4740 wrote to memory of 4488	4740	vbc.exe	vbc.exe
PID 4740 wrote to memory of 4488	4740	vbc.exe	vbc.exe
PID 4740 wrote to memory of 4488	4740	vbc.exe	vbc.exe
PID 4740 wrote to memory of 4488	4740	vbc.exe	vbc.exe
PID 4740 wrote to memory of 4488	4740	vbc.exe	vbc.exe
PID 4740 wrote to memory of 4488	4740	vbc.exe	vbc.exe
PID 4740 wrote to memory of 4488	4740	vbc.exe	vbc.exe
PID 4740 wrote to memory of 4488	4740	vbc.exe	vbc.exe
PID 4740 wrote to memory of 4488	4740	vbc.exe	vbc.exe
PID 4740 wrote to memory of 4488	4740	vbc.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\3e0f6cacce5c9bb96d68914bbe5af3a4850988c562d236392fb99814456db40b.exe
"C:\Users\Admin\AppData\Local\Temp\3e0f6cacce5c9bb96d68914bbe5af3a4850988c562d236392fb99814456db40b.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2424

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\skype\vbc.vbs"
2⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4388

C:\Users\Admin\AppData\Local\Temp\skype\vbc.exe
"C:\Users\Admin\AppData\Local\Temp\skype\vbc.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4740

C:\Users\Admin\AppData\Local\Temp\skype\vbc.exe
"C:\Users\Admin\AppData\Local\Temp\skype\vbc.exe"
4⤵
- Executes dropped EXE
PID:4488

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\skype\vbc.exe

Filesize
504KB

MD5
8c7109c8ad93bf6b87f46a5457059dd4

SHA1
467e4b4bfcf01500296e13a325ac2820e9e43123

SHA256
c8472b111712a4d8d9533347d463cd07d293d924928d80c3ebb65d6d3984fe3b

SHA512
39616a63bb55a9a313fc80e50866796264c575f37a97a41c7d7ed0e420025a0caa8c5b1b81dbce86bb5924894aabb0aae92eb5f99c119178429a084b37c7dd21

Download Submit
C:\Users\Admin\AppData\Local\Temp\skype\vbc.exe

Filesize
504KB

MD5
8c7109c8ad93bf6b87f46a5457059dd4

SHA1
467e4b4bfcf01500296e13a325ac2820e9e43123

SHA256
c8472b111712a4d8d9533347d463cd07d293d924928d80c3ebb65d6d3984fe3b

SHA512
39616a63bb55a9a313fc80e50866796264c575f37a97a41c7d7ed0e420025a0caa8c5b1b81dbce86bb5924894aabb0aae92eb5f99c119178429a084b37c7dd21

Download Submit
C:\Users\Admin\AppData\Local\Temp\skype\vbc.exe

Filesize
504KB

MD5
8c7109c8ad93bf6b87f46a5457059dd4

SHA1
467e4b4bfcf01500296e13a325ac2820e9e43123

SHA256
c8472b111712a4d8d9533347d463cd07d293d924928d80c3ebb65d6d3984fe3b

SHA512
39616a63bb55a9a313fc80e50866796264c575f37a97a41c7d7ed0e420025a0caa8c5b1b81dbce86bb5924894aabb0aae92eb5f99c119178429a084b37c7dd21

Download Submit
C:\Users\Admin\AppData\Local\Temp\skype\vbc.vbs

Filesize
1024B

MD5
d58ccde93895be5c0959350635722206

SHA1
a503b4724a27885da1d873d765eafa6881e1a000

SHA256
8dbb89ec1dccff9010457f47b53a62d7d2164948cf2b45c60ac00b39666ab970

SHA512
bb06d33b038e9b8cbf2cdc231c9e4f82281e33b3da45d3f15d39d4d48ce38c20fe41386d3239bd1ab34301047734adb9a3c26f1101dd73c9ba855264345dc098

Download Submit
memory/2424-133-0x0000000000790000-0x0000000000796000-memory.dmp

Filesize
24KB

Download
memory/4388-134-0x0000000000000000-mapping.dmp

Download
memory/4488-141-0x0000000000000000-mapping.dmp

Download
memory/4488-144-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4488-145-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4488-146-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4740-137-0x0000000000000000-mapping.dmp

Download
memory/4740-143-0x00000000020F0000-0x00000000020F6000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads