netwire | 41e24008114e3824dedccf90a28e47a85602b14f6890dd5d61a947073b7d4577

General

Target

41e24008114e3824dedccf90a28e47a85602b14f6890dd5d61a947073b7d4577.exe
Size

656KB
MD5

714bcb747c559e227f47ea71a05fb52e
SHA1

f8b07712e284cd4c00c555ee07482be321749a0a
SHA256

41e24008114e3824dedccf90a28e47a85602b14f6890dd5d61a947073b7d4577
SHA512

ae5eb450917afc8b2cf71c5db8d59e8b0e557cd1b7b80c19384f74678f61b03bed61ef6d6ccf60f36b89091cee5425dd4d43b16650a51788ac5a2b1852bd7569

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Signatures

NetWire RAT payload 6 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1532-66-0x0000000000400000-0x00000000004A4000-memory.dmp	netwire
behavioral1/memory/1532-67-0x0000000000400000-0x000000000042B000-memory.dmp	netwire
behavioral1/memory/1532-74-0x0000000000400000-0x00000000004A4000-memory.dmp	netwire
behavioral1/memory/1920-93-0x0000000000400000-0x00000000004A4000-memory.dmp	netwire
behavioral1/memory/1920-94-0x0000000000400000-0x000000000042B000-memory.dmp	netwire
behavioral1/memory/1920-101-0x0000000000400000-0x00000000004A4000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 2 IoCs

Processes:

Host.exeHost.exe

pid process

1940 Host.exe
1920 Host.exe

pid	process
1940	Host.exe
1920	Host.exe

Loads dropped DLL 2 IoCs

Processes:

41e24008114e3824dedccf90a28e47a85602b14f6890dd5d61a947073b7d4577.exe

pid	process
1532	41e24008114e3824dedccf90a28e47a85602b14f6890dd5d61a947073b7d4577.exe
1532	41e24008114e3824dedccf90a28e47a85602b14f6890dd5d61a947073b7d4577.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Host.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	Host.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\NetWire = "C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe"	Host.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

Processes:

41e24008114e3824dedccf90a28e47a85602b14f6890dd5d61a947073b7d4577.exe41e24008114e3824dedccf90a28e47a85602b14f6890dd5d61a947073b7d4577.exeHost.exeHost.exe

pid	process
916	41e24008114e3824dedccf90a28e47a85602b14f6890dd5d61a947073b7d4577.exe
1532	41e24008114e3824dedccf90a28e47a85602b14f6890dd5d61a947073b7d4577.exe
1532	41e24008114e3824dedccf90a28e47a85602b14f6890dd5d61a947073b7d4577.exe
1940	Host.exe
1920	Host.exe
1920	Host.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

41e24008114e3824dedccf90a28e47a85602b14f6890dd5d61a947073b7d4577.exeHost.exe

description	pid	process	target process
PID 916 set thread context of 1532	916	41e24008114e3824dedccf90a28e47a85602b14f6890dd5d61a947073b7d4577.exe	41e24008114e3824dedccf90a28e47a85602b14f6890dd5d61a947073b7d4577.exe
PID 1940 set thread context of 1920	1940	Host.exe	Host.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

41e24008114e3824dedccf90a28e47a85602b14f6890dd5d61a947073b7d4577.exeHost.exe

pid process

916 41e24008114e3824dedccf90a28e47a85602b14f6890dd5d61a947073b7d4577.exe
1940 Host.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

41e24008114e3824dedccf90a28e47a85602b14f6890dd5d61a947073b7d4577.exe41e24008114e3824dedccf90a28e47a85602b14f6890dd5d61a947073b7d4577.exeHost.exe

description	pid	process	target process
PID 916 wrote to memory of 1532	916	41e24008114e3824dedccf90a28e47a85602b14f6890dd5d61a947073b7d4577.exe	41e24008114e3824dedccf90a28e47a85602b14f6890dd5d61a947073b7d4577.exe
PID 916 wrote to memory of 1532	916	41e24008114e3824dedccf90a28e47a85602b14f6890dd5d61a947073b7d4577.exe	41e24008114e3824dedccf90a28e47a85602b14f6890dd5d61a947073b7d4577.exe
PID 916 wrote to memory of 1532	916	41e24008114e3824dedccf90a28e47a85602b14f6890dd5d61a947073b7d4577.exe	41e24008114e3824dedccf90a28e47a85602b14f6890dd5d61a947073b7d4577.exe
PID 916 wrote to memory of 1532	916	41e24008114e3824dedccf90a28e47a85602b14f6890dd5d61a947073b7d4577.exe	41e24008114e3824dedccf90a28e47a85602b14f6890dd5d61a947073b7d4577.exe
PID 1532 wrote to memory of 1940	1532	41e24008114e3824dedccf90a28e47a85602b14f6890dd5d61a947073b7d4577.exe	Host.exe
PID 1532 wrote to memory of 1940	1532	41e24008114e3824dedccf90a28e47a85602b14f6890dd5d61a947073b7d4577.exe	Host.exe
PID 1532 wrote to memory of 1940	1532	41e24008114e3824dedccf90a28e47a85602b14f6890dd5d61a947073b7d4577.exe	Host.exe
PID 1532 wrote to memory of 1940	1532	41e24008114e3824dedccf90a28e47a85602b14f6890dd5d61a947073b7d4577.exe	Host.exe
PID 1940 wrote to memory of 1920	1940	Host.exe	Host.exe
PID 1940 wrote to memory of 1920	1940	Host.exe	Host.exe
PID 1940 wrote to memory of 1920	1940	Host.exe	Host.exe
PID 1940 wrote to memory of 1920	1940	Host.exe	Host.exe

C:\Users\Admin\AppData\Local\Temp\41e24008114e3824dedccf90a28e47a85602b14f6890dd5d61a947073b7d4577.exe
"C:\Users\Admin\AppData\Local\Temp\41e24008114e3824dedccf90a28e47a85602b14f6890dd5d61a947073b7d4577.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:916

C:\Users\Admin\AppData\Local\Temp\41e24008114e3824dedccf90a28e47a85602b14f6890dd5d61a947073b7d4577.exe
"C:\Users\Admin\AppData\Local\Temp\41e24008114e3824dedccf90a28e47a85602b14f6890dd5d61a947073b7d4577.exe"
2⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:1532

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1940

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1920

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
656KB

MD5
714bcb747c559e227f47ea71a05fb52e

SHA1
f8b07712e284cd4c00c555ee07482be321749a0a

SHA256
41e24008114e3824dedccf90a28e47a85602b14f6890dd5d61a947073b7d4577

SHA512
ae5eb450917afc8b2cf71c5db8d59e8b0e557cd1b7b80c19384f74678f61b03bed61ef6d6ccf60f36b89091cee5425dd4d43b16650a51788ac5a2b1852bd7569

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
656KB

MD5
714bcb747c559e227f47ea71a05fb52e

SHA1
f8b07712e284cd4c00c555ee07482be321749a0a

SHA256
41e24008114e3824dedccf90a28e47a85602b14f6890dd5d61a947073b7d4577

SHA512
ae5eb450917afc8b2cf71c5db8d59e8b0e557cd1b7b80c19384f74678f61b03bed61ef6d6ccf60f36b89091cee5425dd4d43b16650a51788ac5a2b1852bd7569

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
656KB

MD5
714bcb747c559e227f47ea71a05fb52e

SHA1
f8b07712e284cd4c00c555ee07482be321749a0a

SHA256
41e24008114e3824dedccf90a28e47a85602b14f6890dd5d61a947073b7d4577

SHA512
ae5eb450917afc8b2cf71c5db8d59e8b0e557cd1b7b80c19384f74678f61b03bed61ef6d6ccf60f36b89091cee5425dd4d43b16650a51788ac5a2b1852bd7569

Download Submit
\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
656KB

MD5
714bcb747c559e227f47ea71a05fb52e

SHA1
f8b07712e284cd4c00c555ee07482be321749a0a

SHA256
41e24008114e3824dedccf90a28e47a85602b14f6890dd5d61a947073b7d4577

SHA512
ae5eb450917afc8b2cf71c5db8d59e8b0e557cd1b7b80c19384f74678f61b03bed61ef6d6ccf60f36b89091cee5425dd4d43b16650a51788ac5a2b1852bd7569

Download Submit
\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
656KB

MD5
714bcb747c559e227f47ea71a05fb52e

SHA1
f8b07712e284cd4c00c555ee07482be321749a0a

SHA256
41e24008114e3824dedccf90a28e47a85602b14f6890dd5d61a947073b7d4577

SHA512
ae5eb450917afc8b2cf71c5db8d59e8b0e557cd1b7b80c19384f74678f61b03bed61ef6d6ccf60f36b89091cee5425dd4d43b16650a51788ac5a2b1852bd7569

Download Submit
memory/916-57-0x0000000075711000-0x0000000075713000-memory.dmp

Filesize
8KB

Download
memory/916-58-0x0000000076E60000-0x0000000077009000-memory.dmp

Filesize
1.7MB

Download
memory/916-59-0x0000000077040000-0x00000000771C0000-memory.dmp

Filesize
1.5MB

Download
memory/916-62-0x0000000000280000-0x000000000028E000-memory.dmp

Filesize
56KB

Download
memory/916-63-0x0000000077040000-0x00000000771C0000-memory.dmp

Filesize
1.5MB

Download
memory/916-56-0x0000000000280000-0x000000000028E000-memory.dmp

Filesize
56KB

Download
memory/1532-66-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/1532-61-0x0000000000413105-mapping.dmp

Download
memory/1532-74-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/1532-73-0x0000000076E60000-0x0000000077009000-memory.dmp

Filesize
1.7MB

Download
memory/1532-79-0x00000000002A0000-0x00000000002AE000-memory.dmp

Filesize
56KB

Download
memory/1532-82-0x0000000077040000-0x00000000771C0000-memory.dmp

Filesize
1.5MB

Download
memory/1532-67-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1920-87-0x0000000000413105-mapping.dmp

Download
memory/1920-93-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/1920-94-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1920-100-0x0000000076E60000-0x0000000077009000-memory.dmp

Filesize
1.7MB

Download
memory/1920-101-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/1920-102-0x0000000000240000-0x000000000024E000-memory.dmp

Filesize
56KB

Download
memory/1940-85-0x0000000076E60000-0x0000000077009000-memory.dmp

Filesize
1.7MB

Download
memory/1940-89-0x00000000002C0000-0x00000000002CE000-memory.dmp

Filesize
56KB

Download
memory/1940-77-0x0000000000000000-mapping.dmp

Download
memory/1940-90-0x0000000077040000-0x00000000771C0000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads