netwire | 50ac1329dbc10441a42cfb745392c68a022bda8ef5ffbe29a65cbb801672a058

General

Target

50ac1329dbc10441a42cfb745392c68a022bda8ef5ffbe29a65cbb801672a058.exe
Size

740KB
MD5

a1b23f02659dab7b195e78a08d5847ca
SHA1

8a51e9c00629ded57754e400d6344c018ab0183a
SHA256

50ac1329dbc10441a42cfb745392c68a022bda8ef5ffbe29a65cbb801672a058
SHA512

227b9753bda1d150b287fc4da824416e266aadc35212a037eb4665cb9895c267c07fc3be3505039136832a08c93ac03ea28b7a22e3ba7a0a1f94f052a4a99d05

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Extracted

Family

netwire

C2

amz1.hackermind.info:3360

Attributes

activex_autorun
true
activex_key
{O5IC1RX5-17QA-4B21-K563-M1NR4O07C3VQ}
copy_executable
true
delete_original
true
host_id
HostId-%Rand%
install_path
%AppData%\Install\Host.exe
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
Password
registry_autorun
true
startup_name
NetWire
use_mutex
false

Signatures

NetWire RAT payload 8 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1904-58-0x0000000000000000-mapping.dmp	netwire
behavioral1/memory/1904-60-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/1904-62-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/1904-67-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/844-72-0x0000000000000000-mapping.dmp	netwire
behavioral1/memory/844-76-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/844-77-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/844-78-0x0000000000400000-0x000000000042C000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 2 IoCs

Processes:

Host.exeHost.exe

pid process

1384 Host.exe
844 Host.exe

pid	process
1384	Host.exe
844	Host.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Host.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{O5IC1RX5-17QA-4B21-K563-M1NR4O07C3VQ}	Host.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{O5IC1RX5-17QA-4B21-K563-M1NR4O07C3VQ}\StubPath = "\"C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe\""	Host.exe

Deletes itself 1 IoCs

Processes:

Host.exe

pid process

844 Host.exe

pid	process
844	Host.exe

Loads dropped DLL 2 IoCs

Processes:

50ac1329dbc10441a42cfb745392c68a022bda8ef5ffbe29a65cbb801672a058.exe

pid	process
1904	50ac1329dbc10441a42cfb745392c68a022bda8ef5ffbe29a65cbb801672a058.exe
1904	50ac1329dbc10441a42cfb745392c68a022bda8ef5ffbe29a65cbb801672a058.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Host.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	Host.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Run\NetWire = "C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe"	Host.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

50ac1329dbc10441a42cfb745392c68a022bda8ef5ffbe29a65cbb801672a058.exeHost.exe

pid process

1972 50ac1329dbc10441a42cfb745392c68a022bda8ef5ffbe29a65cbb801672a058.exe
1384 Host.exe

pid	process
1972	50ac1329dbc10441a42cfb745392c68a022bda8ef5ffbe29a65cbb801672a058.exe
1384	Host.exe

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

50ac1329dbc10441a42cfb745392c68a022bda8ef5ffbe29a65cbb801672a058.exe50ac1329dbc10441a42cfb745392c68a022bda8ef5ffbe29a65cbb801672a058.exeHost.exe

description	pid	process	target process
PID 1972 wrote to memory of 1904	1972	50ac1329dbc10441a42cfb745392c68a022bda8ef5ffbe29a65cbb801672a058.exe	50ac1329dbc10441a42cfb745392c68a022bda8ef5ffbe29a65cbb801672a058.exe
PID 1972 wrote to memory of 1904	1972	50ac1329dbc10441a42cfb745392c68a022bda8ef5ffbe29a65cbb801672a058.exe	50ac1329dbc10441a42cfb745392c68a022bda8ef5ffbe29a65cbb801672a058.exe
PID 1972 wrote to memory of 1904	1972	50ac1329dbc10441a42cfb745392c68a022bda8ef5ffbe29a65cbb801672a058.exe	50ac1329dbc10441a42cfb745392c68a022bda8ef5ffbe29a65cbb801672a058.exe
PID 1972 wrote to memory of 1904	1972	50ac1329dbc10441a42cfb745392c68a022bda8ef5ffbe29a65cbb801672a058.exe	50ac1329dbc10441a42cfb745392c68a022bda8ef5ffbe29a65cbb801672a058.exe
PID 1972 wrote to memory of 1904	1972	50ac1329dbc10441a42cfb745392c68a022bda8ef5ffbe29a65cbb801672a058.exe	50ac1329dbc10441a42cfb745392c68a022bda8ef5ffbe29a65cbb801672a058.exe
PID 1972 wrote to memory of 1904	1972	50ac1329dbc10441a42cfb745392c68a022bda8ef5ffbe29a65cbb801672a058.exe	50ac1329dbc10441a42cfb745392c68a022bda8ef5ffbe29a65cbb801672a058.exe
PID 1972 wrote to memory of 1904	1972	50ac1329dbc10441a42cfb745392c68a022bda8ef5ffbe29a65cbb801672a058.exe	50ac1329dbc10441a42cfb745392c68a022bda8ef5ffbe29a65cbb801672a058.exe
PID 1972 wrote to memory of 1904	1972	50ac1329dbc10441a42cfb745392c68a022bda8ef5ffbe29a65cbb801672a058.exe	50ac1329dbc10441a42cfb745392c68a022bda8ef5ffbe29a65cbb801672a058.exe
PID 1972 wrote to memory of 1904	1972	50ac1329dbc10441a42cfb745392c68a022bda8ef5ffbe29a65cbb801672a058.exe	50ac1329dbc10441a42cfb745392c68a022bda8ef5ffbe29a65cbb801672a058.exe
PID 1972 wrote to memory of 1904	1972	50ac1329dbc10441a42cfb745392c68a022bda8ef5ffbe29a65cbb801672a058.exe	50ac1329dbc10441a42cfb745392c68a022bda8ef5ffbe29a65cbb801672a058.exe
PID 1972 wrote to memory of 1904	1972	50ac1329dbc10441a42cfb745392c68a022bda8ef5ffbe29a65cbb801672a058.exe	50ac1329dbc10441a42cfb745392c68a022bda8ef5ffbe29a65cbb801672a058.exe
PID 1972 wrote to memory of 1904	1972	50ac1329dbc10441a42cfb745392c68a022bda8ef5ffbe29a65cbb801672a058.exe	50ac1329dbc10441a42cfb745392c68a022bda8ef5ffbe29a65cbb801672a058.exe
PID 1972 wrote to memory of 1904	1972	50ac1329dbc10441a42cfb745392c68a022bda8ef5ffbe29a65cbb801672a058.exe	50ac1329dbc10441a42cfb745392c68a022bda8ef5ffbe29a65cbb801672a058.exe
PID 1972 wrote to memory of 1904	1972	50ac1329dbc10441a42cfb745392c68a022bda8ef5ffbe29a65cbb801672a058.exe	50ac1329dbc10441a42cfb745392c68a022bda8ef5ffbe29a65cbb801672a058.exe
PID 1972 wrote to memory of 1904	1972	50ac1329dbc10441a42cfb745392c68a022bda8ef5ffbe29a65cbb801672a058.exe	50ac1329dbc10441a42cfb745392c68a022bda8ef5ffbe29a65cbb801672a058.exe
PID 1972 wrote to memory of 1904	1972	50ac1329dbc10441a42cfb745392c68a022bda8ef5ffbe29a65cbb801672a058.exe	50ac1329dbc10441a42cfb745392c68a022bda8ef5ffbe29a65cbb801672a058.exe
PID 1972 wrote to memory of 1904	1972	50ac1329dbc10441a42cfb745392c68a022bda8ef5ffbe29a65cbb801672a058.exe	50ac1329dbc10441a42cfb745392c68a022bda8ef5ffbe29a65cbb801672a058.exe
PID 1972 wrote to memory of 1904	1972	50ac1329dbc10441a42cfb745392c68a022bda8ef5ffbe29a65cbb801672a058.exe	50ac1329dbc10441a42cfb745392c68a022bda8ef5ffbe29a65cbb801672a058.exe
PID 1904 wrote to memory of 1384	1904	50ac1329dbc10441a42cfb745392c68a022bda8ef5ffbe29a65cbb801672a058.exe	Host.exe
PID 1904 wrote to memory of 1384	1904	50ac1329dbc10441a42cfb745392c68a022bda8ef5ffbe29a65cbb801672a058.exe	Host.exe
PID 1904 wrote to memory of 1384	1904	50ac1329dbc10441a42cfb745392c68a022bda8ef5ffbe29a65cbb801672a058.exe	Host.exe
PID 1904 wrote to memory of 1384	1904	50ac1329dbc10441a42cfb745392c68a022bda8ef5ffbe29a65cbb801672a058.exe	Host.exe
PID 1384 wrote to memory of 844	1384	Host.exe	Host.exe
PID 1384 wrote to memory of 844	1384	Host.exe	Host.exe
PID 1384 wrote to memory of 844	1384	Host.exe	Host.exe
PID 1384 wrote to memory of 844	1384	Host.exe	Host.exe
PID 1384 wrote to memory of 844	1384	Host.exe	Host.exe
PID 1384 wrote to memory of 844	1384	Host.exe	Host.exe
PID 1384 wrote to memory of 844	1384	Host.exe	Host.exe
PID 1384 wrote to memory of 844	1384	Host.exe	Host.exe
PID 1384 wrote to memory of 844	1384	Host.exe	Host.exe
PID 1384 wrote to memory of 844	1384	Host.exe	Host.exe
PID 1384 wrote to memory of 844	1384	Host.exe	Host.exe
PID 1384 wrote to memory of 844	1384	Host.exe	Host.exe
PID 1384 wrote to memory of 844	1384	Host.exe	Host.exe
PID 1384 wrote to memory of 844	1384	Host.exe	Host.exe
PID 1384 wrote to memory of 844	1384	Host.exe	Host.exe
PID 1384 wrote to memory of 844	1384	Host.exe	Host.exe
PID 1384 wrote to memory of 844	1384	Host.exe	Host.exe
PID 1384 wrote to memory of 844	1384	Host.exe	Host.exe

C:\Users\Admin\AppData\Local\Temp\50ac1329dbc10441a42cfb745392c68a022bda8ef5ffbe29a65cbb801672a058.exe
"C:\Users\Admin\AppData\Local\Temp\50ac1329dbc10441a42cfb745392c68a022bda8ef5ffbe29a65cbb801672a058.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1972

C:\Users\Admin\AppData\Local\Temp\50ac1329dbc10441a42cfb745392c68a022bda8ef5ffbe29a65cbb801672a058.exe
"C:\Users\Admin\AppData\Local\Temp\50ac1329dbc10441a42cfb745392c68a022bda8ef5ffbe29a65cbb801672a058.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1904

C:\Users\Admin\AppData\Roaming\Install\Host.exe
-m "C:\Users\Admin\AppData\Local\Temp\50ac1329dbc10441a42cfb745392c68a022bda8ef5ffbe29a65cbb801672a058.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1384

C:\Users\Admin\AppData\Roaming\Install\Host.exe
-m "C:\Users\Admin\AppData\Local\Temp\50ac1329dbc10441a42cfb745392c68a022bda8ef5ffbe29a65cbb801672a058.exe"
4⤵
- Executes dropped EXE
- Modifies Installed Components in the registry
- Deletes itself
- Adds Run key to start application
PID:844

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
740KB

MD5
a1b23f02659dab7b195e78a08d5847ca

SHA1
8a51e9c00629ded57754e400d6344c018ab0183a

SHA256
50ac1329dbc10441a42cfb745392c68a022bda8ef5ffbe29a65cbb801672a058

SHA512
227b9753bda1d150b287fc4da824416e266aadc35212a037eb4665cb9895c267c07fc3be3505039136832a08c93ac03ea28b7a22e3ba7a0a1f94f052a4a99d05

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
740KB

MD5
a1b23f02659dab7b195e78a08d5847ca

SHA1
8a51e9c00629ded57754e400d6344c018ab0183a

SHA256
50ac1329dbc10441a42cfb745392c68a022bda8ef5ffbe29a65cbb801672a058

SHA512
227b9753bda1d150b287fc4da824416e266aadc35212a037eb4665cb9895c267c07fc3be3505039136832a08c93ac03ea28b7a22e3ba7a0a1f94f052a4a99d05

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
740KB

MD5
a1b23f02659dab7b195e78a08d5847ca

SHA1
8a51e9c00629ded57754e400d6344c018ab0183a

SHA256
50ac1329dbc10441a42cfb745392c68a022bda8ef5ffbe29a65cbb801672a058

SHA512
227b9753bda1d150b287fc4da824416e266aadc35212a037eb4665cb9895c267c07fc3be3505039136832a08c93ac03ea28b7a22e3ba7a0a1f94f052a4a99d05

Download Submit
\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
740KB

MD5
a1b23f02659dab7b195e78a08d5847ca

SHA1
8a51e9c00629ded57754e400d6344c018ab0183a

SHA256
50ac1329dbc10441a42cfb745392c68a022bda8ef5ffbe29a65cbb801672a058

SHA512
227b9753bda1d150b287fc4da824416e266aadc35212a037eb4665cb9895c267c07fc3be3505039136832a08c93ac03ea28b7a22e3ba7a0a1f94f052a4a99d05

Download Submit
\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
740KB

MD5
a1b23f02659dab7b195e78a08d5847ca

SHA1
8a51e9c00629ded57754e400d6344c018ab0183a

SHA256
50ac1329dbc10441a42cfb745392c68a022bda8ef5ffbe29a65cbb801672a058

SHA512
227b9753bda1d150b287fc4da824416e266aadc35212a037eb4665cb9895c267c07fc3be3505039136832a08c93ac03ea28b7a22e3ba7a0a1f94f052a4a99d05

Download Submit
memory/844-72-0x0000000000000000-mapping.dmp

Download
memory/844-78-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/844-77-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/844-76-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1384-65-0x0000000000000000-mapping.dmp

Download
memory/1904-67-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1904-60-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1904-58-0x0000000000000000-mapping.dmp

Download
memory/1904-62-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1972-57-0x0000000076631000-0x0000000076633000-memory.dmp

Filesize
8KB

Download
memory/1972-56-0x0000000000350000-0x0000000000356000-memory.dmp

Filesize
24KB

Download
memory/1972-59-0x0000000000350000-0x0000000000356000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads