netwire | 010299823d93a9793d8719f39876a45af3a9ad4fafbcda6c3ed31a94c9d4149a

General

Target

010299823D93A9793D8719F39876A45AF3A9AD4FAFBCD.exe
Size

4.1MB
MD5

982e96ee0c8fac7fec39c44a55530f4b
SHA1

1e1a1a19b74555371f8194d6eb2a6cc24b907c81
SHA256

010299823d93a9793d8719f39876a45af3a9ad4fafbcda6c3ed31a94c9d4149a
SHA512

df2c99f48bc1c4a8815f0de6fa343248679524c3c1569e1521e8ffe4c4ede6db126b117dc44b3bcb2f888259d723c55ccd6e1970ea4c85a5be70361d2fd29a1b

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Extracted

Family

netwire

C2

clients.enigmasolutions.xyz:54573

Attributes

activex_autorun
false
copy_executable
true
delete_original
false
host_id
Cleint-%Rand%
install_path
%AppData%\Microsoft\MMC\ruj.exe
keylogger_dir
%AppData%\msr\
lock_executable
false
offline_keylogger
true
password
\tx>N(6H`Om2k/cWJBp,""bUbAd1-0Mg
registry_autorun
true
startup_name
ruj
use_mutex
false

Signatures

NetWire RAT payload 7 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1944-57-0x0000000000080000-0x00000000000B0000-memory.dmp	netwire
behavioral1/memory/1944-58-0x000000000008242D-mapping.dmp	netwire
behavioral1/memory/1944-61-0x0000000000080000-0x00000000000B0000-memory.dmp	netwire
behavioral1/memory/1944-63-0x0000000000080000-0x00000000000B0000-memory.dmp	netwire
behavioral1/memory/836-73-0x000000000008242D-mapping.dmp	netwire
behavioral1/memory/836-77-0x0000000000080000-0x00000000000B0000-memory.dmp	netwire
behavioral1/memory/836-79-0x0000000000080000-0x00000000000B0000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 2 IoCs

Processes:

ruj.exeruj.exe

pid process

1432 ruj.exe
836 ruj.exe
Loads dropped DLL 1 IoCs

Processes:

010299823D93A9793D8719F39876A45AF3A9AD4FAFBCD.exe

pid process

1944 010299823D93A9793D8719F39876A45AF3A9AD4FAFBCD.exe

pid	process
1432	ruj.exe
836	ruj.exe

pid	process
1944	010299823D93A9793D8719F39876A45AF3A9AD4FAFBCD.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ruj.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Run\ruj = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\MMC\\ruj.exe"	ruj.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	ruj.exe

AutoIT Executable 4 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\Microsoft\MMC\ruj.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\Microsoft\MMC\ruj.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\Microsoft\MMC\ruj.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\Microsoft\MMC\ruj.exe	autoit_exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

010299823D93A9793D8719F39876A45AF3A9AD4FAFBCD.exeruj.exe

description	pid	process	target process
PID 1088 set thread context of 1944	1088	010299823D93A9793D8719F39876A45AF3A9AD4FAFBCD.exe	010299823D93A9793D8719F39876A45AF3A9AD4FAFBCD.exe
PID 1432 set thread context of 836	1432	ruj.exe	ruj.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

010299823D93A9793D8719F39876A45AF3A9AD4FAFBCD.exe010299823D93A9793D8719F39876A45AF3A9AD4FAFBCD.exeruj.exe

description	pid	process	target process
PID 1088 wrote to memory of 1944	1088	010299823D93A9793D8719F39876A45AF3A9AD4FAFBCD.exe	010299823D93A9793D8719F39876A45AF3A9AD4FAFBCD.exe
PID 1088 wrote to memory of 1944	1088	010299823D93A9793D8719F39876A45AF3A9AD4FAFBCD.exe	010299823D93A9793D8719F39876A45AF3A9AD4FAFBCD.exe
PID 1088 wrote to memory of 1944	1088	010299823D93A9793D8719F39876A45AF3A9AD4FAFBCD.exe	010299823D93A9793D8719F39876A45AF3A9AD4FAFBCD.exe
PID 1088 wrote to memory of 1944	1088	010299823D93A9793D8719F39876A45AF3A9AD4FAFBCD.exe	010299823D93A9793D8719F39876A45AF3A9AD4FAFBCD.exe
PID 1088 wrote to memory of 1944	1088	010299823D93A9793D8719F39876A45AF3A9AD4FAFBCD.exe	010299823D93A9793D8719F39876A45AF3A9AD4FAFBCD.exe
PID 1088 wrote to memory of 1944	1088	010299823D93A9793D8719F39876A45AF3A9AD4FAFBCD.exe	010299823D93A9793D8719F39876A45AF3A9AD4FAFBCD.exe
PID 1944 wrote to memory of 1432	1944	010299823D93A9793D8719F39876A45AF3A9AD4FAFBCD.exe	ruj.exe
PID 1944 wrote to memory of 1432	1944	010299823D93A9793D8719F39876A45AF3A9AD4FAFBCD.exe	ruj.exe
PID 1944 wrote to memory of 1432	1944	010299823D93A9793D8719F39876A45AF3A9AD4FAFBCD.exe	ruj.exe
PID 1944 wrote to memory of 1432	1944	010299823D93A9793D8719F39876A45AF3A9AD4FAFBCD.exe	ruj.exe
PID 1432 wrote to memory of 836	1432	ruj.exe	ruj.exe
PID 1432 wrote to memory of 836	1432	ruj.exe	ruj.exe
PID 1432 wrote to memory of 836	1432	ruj.exe	ruj.exe
PID 1432 wrote to memory of 836	1432	ruj.exe	ruj.exe
PID 1432 wrote to memory of 836	1432	ruj.exe	ruj.exe
PID 1432 wrote to memory of 836	1432	ruj.exe	ruj.exe

C:\Users\Admin\AppData\Local\Temp\010299823D93A9793D8719F39876A45AF3A9AD4FAFBCD.exe
"C:\Users\Admin\AppData\Local\Temp\010299823D93A9793D8719F39876A45AF3A9AD4FAFBCD.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1088

C:\Users\Admin\AppData\Local\Temp\010299823D93A9793D8719F39876A45AF3A9AD4FAFBCD.exe
C:\Users\Admin\AppData\Local\Temp\010299823D93A9793D8719F39876A45AF3A9AD4FAFBCD.exe
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1944

C:\Users\Admin\AppData\Roaming\Microsoft\MMC\ruj.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\MMC\ruj.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1432

C:\Users\Admin\AppData\Roaming\Microsoft\MMC\ruj.exe
C:\Users\Admin\AppData\Roaming\Microsoft\MMC\ruj.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
PID:836

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\MMC\ruj.exe

Filesize
4.1MB

MD5
982e96ee0c8fac7fec39c44a55530f4b

SHA1
1e1a1a19b74555371f8194d6eb2a6cc24b907c81

SHA256
010299823d93a9793d8719f39876a45af3a9ad4fafbcda6c3ed31a94c9d4149a

SHA512
df2c99f48bc1c4a8815f0de6fa343248679524c3c1569e1521e8ffe4c4ede6db126b117dc44b3bcb2f888259d723c55ccd6e1970ea4c85a5be70361d2fd29a1b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\MMC\ruj.exe

Filesize
4.1MB

MD5
982e96ee0c8fac7fec39c44a55530f4b

SHA1
1e1a1a19b74555371f8194d6eb2a6cc24b907c81

SHA256
010299823d93a9793d8719f39876a45af3a9ad4fafbcda6c3ed31a94c9d4149a

SHA512
df2c99f48bc1c4a8815f0de6fa343248679524c3c1569e1521e8ffe4c4ede6db126b117dc44b3bcb2f888259d723c55ccd6e1970ea4c85a5be70361d2fd29a1b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\MMC\ruj.exe

Filesize
4.1MB

MD5
982e96ee0c8fac7fec39c44a55530f4b

SHA1
1e1a1a19b74555371f8194d6eb2a6cc24b907c81

SHA256
010299823d93a9793d8719f39876a45af3a9ad4fafbcda6c3ed31a94c9d4149a

SHA512
df2c99f48bc1c4a8815f0de6fa343248679524c3c1569e1521e8ffe4c4ede6db126b117dc44b3bcb2f888259d723c55ccd6e1970ea4c85a5be70361d2fd29a1b

Download Submit
C:\Users\Admin\AppData\Roaming\jxjsrxjrbvmpaigfoenobhofd17368.png

Filesize
395KB

MD5
dfdb01f362196682f96fc3c78fb1a4f9

SHA1
3caa29a05fb1580d917f3669d9f66dd21cce06e3

SHA256
156b1a588b4bb6f29ff072de3f0f658f0a1774341f13c26c2ac1e2ff65dbaf1a

SHA512
400e32f4213dc054d64c0af811a77ffa59f0852cbaa25a9db7db2753b428540b4819ff5d6886f2828f1d25547198a70fd1eee0389cf011061c60f9f73833ff33

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\MMC\ruj.exe

Filesize
4.1MB

MD5
982e96ee0c8fac7fec39c44a55530f4b

SHA1
1e1a1a19b74555371f8194d6eb2a6cc24b907c81

SHA256
010299823d93a9793d8719f39876a45af3a9ad4fafbcda6c3ed31a94c9d4149a

SHA512
df2c99f48bc1c4a8815f0de6fa343248679524c3c1569e1521e8ffe4c4ede6db126b117dc44b3bcb2f888259d723c55ccd6e1970ea4c85a5be70361d2fd29a1b

Download Submit
memory/836-79-0x0000000000080000-0x00000000000B0000-memory.dmp

Filesize
192KB

Download
memory/836-77-0x0000000000080000-0x00000000000B0000-memory.dmp

Filesize
192KB

Download
memory/836-73-0x000000000008242D-mapping.dmp

Download
memory/1088-62-0x0000000000AA1000-0x0000000000AB2000-memory.dmp

Filesize
68KB

Download
memory/1088-54-0x0000000076231000-0x0000000076233000-memory.dmp

Filesize
8KB

Download
memory/1432-65-0x0000000000000000-mapping.dmp

Download
memory/1432-78-0x00000000006F1000-0x0000000000702000-memory.dmp

Filesize
68KB

Download
memory/1944-63-0x0000000000080000-0x00000000000B0000-memory.dmp

Filesize
192KB

Download
memory/1944-61-0x0000000000080000-0x00000000000B0000-memory.dmp

Filesize
192KB

Download
memory/1944-58-0x000000000008242D-mapping.dmp

Download
memory/1944-57-0x0000000000080000-0x00000000000B0000-memory.dmp

Filesize
192KB

Download
memory/1944-55-0x0000000000080000-0x00000000000B0000-memory.dmp

Filesize
192KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads