netwire | 8d14cdd3d37291e30726d6a54012503a974d8b3a7107173f71b839cb4e679ebe

General

Target

Confirmation Slip.exe
Size

997KB
MD5

f39a843414e28e92bbc08f7f95f36b48
SHA1

fef5d5afb0c62b01b75d186f810edd876a98b088
SHA256

8d14cdd3d37291e30726d6a54012503a974d8b3a7107173f71b839cb4e679ebe
SHA512

5546ae7e33eb1a44b261e2df05b4fd31b9d6795443d623554753b0a31fb657cfd88c1ea8c35d971ab281225e22c5eb30699db222bcab57b48aa69076ee69a7c5

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

C2

185.140.53.61:3363

185.140.53.61:3365

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
move4ward
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 9 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2012-66-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/2012-67-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/2012-68-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/2012-70-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/2012-71-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/2012-72-0x000000000040242D-mapping.dmp	netwire
behavioral1/memory/2012-75-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/2012-76-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/2012-77-0x0000000000400000-0x0000000000433000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Suspicious use of SetThreadContext 1 IoCs

Processes:

Confirmation Slip.exe

description pid process target process

PID 1108 set thread context of 2012 1108 Confirmation Slip.exe Confirmation Slip.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

544 schtasks.exe

description	pid	process	target process
PID 1108 set thread context of 2012	1108	Confirmation Slip.exe	Confirmation Slip.exe

pid	process
544	schtasks.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

Confirmation Slip.exe

description	pid	process	target process
PID 1108 wrote to memory of 544	1108	Confirmation Slip.exe	schtasks.exe
PID 1108 wrote to memory of 544	1108	Confirmation Slip.exe	schtasks.exe
PID 1108 wrote to memory of 544	1108	Confirmation Slip.exe	schtasks.exe
PID 1108 wrote to memory of 544	1108	Confirmation Slip.exe	schtasks.exe
PID 1108 wrote to memory of 2012	1108	Confirmation Slip.exe	Confirmation Slip.exe
PID 1108 wrote to memory of 2012	1108	Confirmation Slip.exe	Confirmation Slip.exe
PID 1108 wrote to memory of 2012	1108	Confirmation Slip.exe	Confirmation Slip.exe
PID 1108 wrote to memory of 2012	1108	Confirmation Slip.exe	Confirmation Slip.exe
PID 1108 wrote to memory of 2012	1108	Confirmation Slip.exe	Confirmation Slip.exe
PID 1108 wrote to memory of 2012	1108	Confirmation Slip.exe	Confirmation Slip.exe
PID 1108 wrote to memory of 2012	1108	Confirmation Slip.exe	Confirmation Slip.exe
PID 1108 wrote to memory of 2012	1108	Confirmation Slip.exe	Confirmation Slip.exe
PID 1108 wrote to memory of 2012	1108	Confirmation Slip.exe	Confirmation Slip.exe
PID 1108 wrote to memory of 2012	1108	Confirmation Slip.exe	Confirmation Slip.exe
PID 1108 wrote to memory of 2012	1108	Confirmation Slip.exe	Confirmation Slip.exe
PID 1108 wrote to memory of 2012	1108	Confirmation Slip.exe	Confirmation Slip.exe

C:\Users\Admin\AppData\Local\Temp\Confirmation Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Confirmation Slip.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1108

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YPDRvcu" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6B23.tmp"
2⤵
- Creates scheduled task(s)
PID:544

C:\Users\Admin\AppData\Local\Temp\Confirmation Slip.exe
"{path}"
2⤵
PID:2012

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp6B23.tmp

Filesize
1KB

MD5
95e7f1276d53180f62f04686651ea8ff

SHA1
7c72f3c1c8f4805e40d6dcfe32a410d4ae7f3812

SHA256
a68f4b04dd981a918b88d9904c8d969e96805cbb5828139b38d3214d8385aa89

SHA512
e81cff5174a005d3cea4bf9bdc54d445555b2e1648938a8775dde1030ce77226600e4c007487eac6ac807c8e3d608561f095d8ba805cc21be6d6b35426adeaba

Download Submit
memory/544-59-0x0000000000000000-mapping.dmp

Download
memory/1108-54-0x0000000000E90000-0x0000000000F90000-memory.dmp

Filesize
1024KB

Download
memory/1108-55-0x0000000075D01000-0x0000000075D03000-memory.dmp

Filesize
8KB

Download
memory/1108-56-0x0000000000570000-0x000000000057A000-memory.dmp

Filesize
40KB

Download
memory/1108-57-0x0000000004DB0000-0x0000000004E2E000-memory.dmp

Filesize
504KB

Download
memory/1108-58-0x0000000000BA0000-0x0000000000BCE000-memory.dmp

Filesize
184KB

Download
memory/2012-62-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2012-61-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2012-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2012-66-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2012-67-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2012-68-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2012-70-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2012-71-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2012-72-0x000000000040242D-mapping.dmp

Download
memory/2012-75-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2012-76-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2012-77-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads