netwire | 587011c1c797b633a7dc0a2658e00a597066236c57acb0ed48abd732c9408d2f

General

Target

587011c1c797b633a7dc0a2658e00a597066236c57acb0ed48abd732c9408d2f.exe
Size

558KB
MD5

f131435dead0e37aee759622ababb51f
SHA1

3fb5bd52e8dc3bbc0a072ceda02255e8f9f4ea70
SHA256

587011c1c797b633a7dc0a2658e00a597066236c57acb0ed48abd732c9408d2f
SHA512

a16240153654064a65c32d17f9b8e6cb75924f37547b93b47a489aaa48a69a8c442947d1f559d1b9efc51a909f96f8e23a93f1bee721e6b2e7180dfcd938552f

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Extracted

Family

netwire

C2

173.46.85.16:89

Attributes

activex_autorun
true
activex_key
{J418T26D-3X70-W6QE-W00F-G37EOA6W8D23}
copy_executable
false
delete_original
true
host_id
HostId-%Rand%
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
fbbTJkoP
offline_keylogger
true
password
Password
registry_autorun
true
startup_name
NetWire
use_mutex
true

Signatures

NetWire RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1160-62-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/1160-68-0x00000000778A0000-0x0000000077A20000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

587011c1c797b633a7dc0a2658e00a597066236c57acb0ed48abd732c9408d2f.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{J418T26D-3X70-W6QE-W00F-G37EOA6W8D23}	587011c1c797b633a7dc0a2658e00a597066236c57acb0ed48abd732c9408d2f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{J418T26D-3X70-W6QE-W00F-G37EOA6W8D23}\StubPath = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\587011c1c797b633a7dc0a2658e00a597066236c57acb0ed48abd732c9408d2f.exe\""	587011c1c797b633a7dc0a2658e00a597066236c57acb0ed48abd732c9408d2f.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

587011c1c797b633a7dc0a2658e00a597066236c57acb0ed48abd732c9408d2f.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	587011c1c797b633a7dc0a2658e00a597066236c57acb0ed48abd732c9408d2f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Windows\CurrentVersion\Run\NetWire = "C:\\Users\\Admin\\AppData\\Local\\Temp\\587011c1c797b633a7dc0a2658e00a597066236c57acb0ed48abd732c9408d2f.exe"	587011c1c797b633a7dc0a2658e00a597066236c57acb0ed48abd732c9408d2f.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

587011c1c797b633a7dc0a2658e00a597066236c57acb0ed48abd732c9408d2f.exe

description	pid	process	target process
PID 1092 set thread context of 1160	1092	587011c1c797b633a7dc0a2658e00a597066236c57acb0ed48abd732c9408d2f.exe	587011c1c797b633a7dc0a2658e00a597066236c57acb0ed48abd732c9408d2f.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

587011c1c797b633a7dc0a2658e00a597066236c57acb0ed48abd732c9408d2f.exe

pid process

1092 587011c1c797b633a7dc0a2658e00a597066236c57acb0ed48abd732c9408d2f.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

587011c1c797b633a7dc0a2658e00a597066236c57acb0ed48abd732c9408d2f.exe

pid process

1160 587011c1c797b633a7dc0a2658e00a597066236c57acb0ed48abd732c9408d2f.exe

pid	process
1092	587011c1c797b633a7dc0a2658e00a597066236c57acb0ed48abd732c9408d2f.exe

pid	process
1160	587011c1c797b633a7dc0a2658e00a597066236c57acb0ed48abd732c9408d2f.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

587011c1c797b633a7dc0a2658e00a597066236c57acb0ed48abd732c9408d2f.exe

description	pid	process	target process
PID 1092 wrote to memory of 1160	1092	587011c1c797b633a7dc0a2658e00a597066236c57acb0ed48abd732c9408d2f.exe	587011c1c797b633a7dc0a2658e00a597066236c57acb0ed48abd732c9408d2f.exe
PID 1092 wrote to memory of 1160	1092	587011c1c797b633a7dc0a2658e00a597066236c57acb0ed48abd732c9408d2f.exe	587011c1c797b633a7dc0a2658e00a597066236c57acb0ed48abd732c9408d2f.exe
PID 1092 wrote to memory of 1160	1092	587011c1c797b633a7dc0a2658e00a597066236c57acb0ed48abd732c9408d2f.exe	587011c1c797b633a7dc0a2658e00a597066236c57acb0ed48abd732c9408d2f.exe
PID 1092 wrote to memory of 1160	1092	587011c1c797b633a7dc0a2658e00a597066236c57acb0ed48abd732c9408d2f.exe	587011c1c797b633a7dc0a2658e00a597066236c57acb0ed48abd732c9408d2f.exe

C:\Users\Admin\AppData\Local\Temp\587011c1c797b633a7dc0a2658e00a597066236c57acb0ed48abd732c9408d2f.exe
"C:\Users\Admin\AppData\Local\Temp\587011c1c797b633a7dc0a2658e00a597066236c57acb0ed48abd732c9408d2f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1092

C:\Users\Admin\AppData\Local\Temp\587011c1c797b633a7dc0a2658e00a597066236c57acb0ed48abd732c9408d2f.exe
C:\Users\Admin\AppData\Local\Temp\587011c1c797b633a7dc0a2658e00a597066236c57acb0ed48abd732c9408d2f.exe"
2⤵
- Modifies Installed Components in the registry
- Adds Run key to start application
- Suspicious use of UnmapMainImage
PID:1160

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1092-56-0x0000000000340000-0x0000000000348000-memory.dmp

Filesize
32KB

Download
memory/1092-57-0x0000000075761000-0x0000000075763000-memory.dmp

Filesize
8KB

Download
memory/1092-59-0x00000000778A0000-0x0000000077A20000-memory.dmp

Filesize
1.5MB

Download
memory/1160-58-0x0000000000479A26-mapping.dmp

Download
memory/1160-62-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1160-68-0x00000000778A0000-0x0000000077A20000-memory.dmp

Filesize
1.5MB

Download
memory/1160-69-0x00000000778A0000-0x0000000077A20000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads