netwire | 531dbae46b06b9e43cc0e4064ea3135bb1a91d763af0ee237221d884d14944bd

General

Target

531dbae46b06b9e43cc0e4064ea3135bb1a91d763af0ee237221d884d14944bd.exe
Size

496KB
MD5

fdcba98bd00749989be31215bdabe387
SHA1

5745d0d17fff829c4b57fb568e9c9cc156207bac
SHA256

531dbae46b06b9e43cc0e4064ea3135bb1a91d763af0ee237221d884d14944bd
SHA512

5e93edb7bd175e63a16e431f7f50232fb79e2b7f403fee20cee6771e61301523456fd40a7ea8888f015c3a051ff70f7ed27baea10e702dab11044bd81b9459f1

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Extracted

Family

netwire

C2

duc1234.duckdns.org:32144

Attributes

activex_autorun
true
activex_key
{W3N34QB7-3Y7U-83S3-M151-LGEF68YQU5X6}
copy_executable
true
delete_original
false
host_id
nonsense
install_path
%AppData%\Install\Host.exe
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
gbam1234
registry_autorun
true
startup_name
NetWire
use_mutex
false

Signatures

NetWire RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3060-142-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/3060-141-0x0000000000400000-0x0000000000480000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 2 IoCs

Processes:

Host.exeHost.exe

pid process

2684 Host.exe
3136 Host.exe

pid	process
2684	Host.exe
3136	Host.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Host.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{W3N34QB7-3Y7U-83S3-M151-LGEF68YQU5X6}	Host.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{W3N34QB7-3Y7U-83S3-M151-LGEF68YQU5X6}\StubPath = "\"C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe\""	Host.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Host.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	Host.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NetWire = "C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe"	Host.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

531dbae46b06b9e43cc0e4064ea3135bb1a91d763af0ee237221d884d14944bd.exeHost.exe

description	pid	process	target process
PID 2996 set thread context of 3060	2996	531dbae46b06b9e43cc0e4064ea3135bb1a91d763af0ee237221d884d14944bd.exe	531dbae46b06b9e43cc0e4064ea3135bb1a91d763af0ee237221d884d14944bd.exe
PID 2684 set thread context of 3136	2684	Host.exe	Host.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

531dbae46b06b9e43cc0e4064ea3135bb1a91d763af0ee237221d884d14944bd.exeHost.exe

pid process

2996 531dbae46b06b9e43cc0e4064ea3135bb1a91d763af0ee237221d884d14944bd.exe
2684 Host.exe

pid	process
2996	531dbae46b06b9e43cc0e4064ea3135bb1a91d763af0ee237221d884d14944bd.exe
2684	Host.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

531dbae46b06b9e43cc0e4064ea3135bb1a91d763af0ee237221d884d14944bd.exe531dbae46b06b9e43cc0e4064ea3135bb1a91d763af0ee237221d884d14944bd.exeHost.exe

description	pid	process	target process
PID 2996 wrote to memory of 3060	2996	531dbae46b06b9e43cc0e4064ea3135bb1a91d763af0ee237221d884d14944bd.exe	531dbae46b06b9e43cc0e4064ea3135bb1a91d763af0ee237221d884d14944bd.exe
PID 2996 wrote to memory of 3060	2996	531dbae46b06b9e43cc0e4064ea3135bb1a91d763af0ee237221d884d14944bd.exe	531dbae46b06b9e43cc0e4064ea3135bb1a91d763af0ee237221d884d14944bd.exe
PID 2996 wrote to memory of 3060	2996	531dbae46b06b9e43cc0e4064ea3135bb1a91d763af0ee237221d884d14944bd.exe	531dbae46b06b9e43cc0e4064ea3135bb1a91d763af0ee237221d884d14944bd.exe
PID 3060 wrote to memory of 2684	3060	531dbae46b06b9e43cc0e4064ea3135bb1a91d763af0ee237221d884d14944bd.exe	Host.exe
PID 3060 wrote to memory of 2684	3060	531dbae46b06b9e43cc0e4064ea3135bb1a91d763af0ee237221d884d14944bd.exe	Host.exe
PID 3060 wrote to memory of 2684	3060	531dbae46b06b9e43cc0e4064ea3135bb1a91d763af0ee237221d884d14944bd.exe	Host.exe
PID 2684 wrote to memory of 3136	2684	Host.exe	Host.exe
PID 2684 wrote to memory of 3136	2684	Host.exe	Host.exe
PID 2684 wrote to memory of 3136	2684	Host.exe	Host.exe

C:\Users\Admin\AppData\Local\Temp\531dbae46b06b9e43cc0e4064ea3135bb1a91d763af0ee237221d884d14944bd.exe
"C:\Users\Admin\AppData\Local\Temp\531dbae46b06b9e43cc0e4064ea3135bb1a91d763af0ee237221d884d14944bd.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2996

C:\Users\Admin\AppData\Local\Temp\531dbae46b06b9e43cc0e4064ea3135bb1a91d763af0ee237221d884d14944bd.exe
C:\Users\Admin\AppData\Local\Temp\531dbae46b06b9e43cc0e4064ea3135bb1a91d763af0ee237221d884d14944bd.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3060

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2684

C:\Users\Admin\AppData\Roaming\Install\Host.exe
C:\Users\Admin\AppData\Roaming\Install\Host.exe"
4⤵
- Executes dropped EXE
- Modifies Installed Components in the registry
- Adds Run key to start application
PID:3136

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
496KB

MD5
fdcba98bd00749989be31215bdabe387

SHA1
5745d0d17fff829c4b57fb568e9c9cc156207bac

SHA256
531dbae46b06b9e43cc0e4064ea3135bb1a91d763af0ee237221d884d14944bd

SHA512
5e93edb7bd175e63a16e431f7f50232fb79e2b7f403fee20cee6771e61301523456fd40a7ea8888f015c3a051ff70f7ed27baea10e702dab11044bd81b9459f1

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
496KB

MD5
fdcba98bd00749989be31215bdabe387

SHA1
5745d0d17fff829c4b57fb568e9c9cc156207bac

SHA256
531dbae46b06b9e43cc0e4064ea3135bb1a91d763af0ee237221d884d14944bd

SHA512
5e93edb7bd175e63a16e431f7f50232fb79e2b7f403fee20cee6771e61301523456fd40a7ea8888f015c3a051ff70f7ed27baea10e702dab11044bd81b9459f1

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
496KB

MD5
fdcba98bd00749989be31215bdabe387

SHA1
5745d0d17fff829c4b57fb568e9c9cc156207bac

SHA256
531dbae46b06b9e43cc0e4064ea3135bb1a91d763af0ee237221d884d14944bd

SHA512
5e93edb7bd175e63a16e431f7f50232fb79e2b7f403fee20cee6771e61301523456fd40a7ea8888f015c3a051ff70f7ed27baea10e702dab11044bd81b9459f1

Download Submit
memory/2684-157-0x0000000000760000-0x0000000000767000-memory.dmp

Filesize
28KB

Download
memory/2684-148-0x0000000000000000-mapping.dmp

Download
memory/2684-159-0x0000000077CB0000-0x0000000077E53000-memory.dmp

Filesize
1.6MB

Download
memory/2684-158-0x00007FFC89C50000-0x00007FFC89E45000-memory.dmp

Filesize
2.0MB

Download
memory/2996-132-0x0000000002230000-0x0000000002237000-memory.dmp

Filesize
28KB

Download
memory/2996-134-0x0000000002230000-0x0000000002237000-memory.dmp

Filesize
28KB

Download
memory/2996-136-0x0000000077CB0000-0x0000000077E53000-memory.dmp

Filesize
1.6MB

Download
memory/2996-135-0x00007FFC89C50000-0x00007FFC89E45000-memory.dmp

Filesize
2.0MB

Download
memory/3060-142-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3060-139-0x0000000000590000-0x0000000000597000-memory.dmp

Filesize
28KB

Download
memory/3060-151-0x00007FFC89C50000-0x00007FFC89E45000-memory.dmp

Filesize
2.0MB

Download
memory/3060-153-0x0000000077CB0000-0x0000000077E53000-memory.dmp

Filesize
1.6MB

Download
memory/3060-140-0x0000000077CB0000-0x0000000077E53000-memory.dmp

Filesize
1.6MB

Download
memory/3060-133-0x0000000000000000-mapping.dmp

Download
memory/3060-137-0x00007FFC89C50000-0x00007FFC89E45000-memory.dmp

Filesize
2.0MB

Download
memory/3060-141-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3060-138-0x0000000077CB0000-0x0000000077E53000-memory.dmp

Filesize
1.6MB

Download
memory/3136-155-0x0000000000000000-mapping.dmp

Download
memory/3136-167-0x00007FFC89C50000-0x00007FFC89E45000-memory.dmp

Filesize
2.0MB

Download
memory/3136-168-0x0000000077CB0000-0x0000000077E53000-memory.dmp

Filesize
1.6MB

Download
memory/3136-169-0x0000000002080000-0x0000000002087000-memory.dmp

Filesize
28KB

Download
memory/3136-170-0x0000000077CB0000-0x0000000077E53000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads