netwire | 5eed016d16ed7abb1ee84e19da014d366e2de316a8e938dc318c22fa33ae1939

General

Target

5eed016d16ed7abb1ee84e19da014d366e2de316a8e938dc318c22fa33ae1939.exe
Size

1.1MB
MD5

a166cf965631b35753a21c0753ba6636
SHA1

8bbe0fd326a908e8cef75cb1cfdaf23e7c60bc46
SHA256

5eed016d16ed7abb1ee84e19da014d366e2de316a8e938dc318c22fa33ae1939
SHA512

a6626353c1335fc894c1a345176eeb779f161b20832fb2ba75a04fc66672127289a1dba407c7ea45d9b4bab0030dbeb5f18d888dd5a2da1f7ffeedc15adcbeb1

Score

10^/10

netwire botnet persistence rat stealer upx

Malware Config

Extracted

Family

netwire

C2

95.167.151.235:8973

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
lock_executable
false
offline_keylogger
false
password
Password
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/3032-77-0x0000000000402BCB-mapping.dmp	netwire
behavioral1/memory/3032-76-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/3032-82-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/3032-83-0x0000000000400000-0x000000000042C000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 1 IoCs

Processes:

TVoood.exe

pid process

1372 TVoood.exe

pid	process
1372	TVoood.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1940-55-0x0000000000400000-0x000000000063C000-memory.dmp	upx
behavioral1/memory/1940-60-0x0000000000400000-0x000000000063C000-memory.dmp	upx

Loads dropped DLL 2 IoCs

Processes:

5eed016d16ed7abb1ee84e19da014d366e2de316a8e938dc318c22fa33ae1939.exe

pid	process
1940	5eed016d16ed7abb1ee84e19da014d366e2de316a8e938dc318c22fa33ae1939.exe
1940	5eed016d16ed7abb1ee84e19da014d366e2de316a8e938dc318c22fa33ae1939.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

wsmprovhost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Windows\CurrentVersion\Run\xaguvj = "C:\\Users\\Admin\\AppData\\Local\\xaguvj\\xaguvj.vbs"	wsmprovhost.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

wsmprovhost.exe

description pid process target process

PID 1744 set thread context of 3032 1744 wsmprovhost.exe wsmprovhost.exe

description	pid	process	target process
PID 1744 set thread context of 3032	1744	wsmprovhost.exe	wsmprovhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

5eed016d16ed7abb1ee84e19da014d366e2de316a8e938dc318c22fa33ae1939.exeTVoood.exe

description	pid	process	target process
PID 1940 wrote to memory of 1372	1940	5eed016d16ed7abb1ee84e19da014d366e2de316a8e938dc318c22fa33ae1939.exe	TVoood.exe
PID 1940 wrote to memory of 1372	1940	5eed016d16ed7abb1ee84e19da014d366e2de316a8e938dc318c22fa33ae1939.exe	TVoood.exe
PID 1940 wrote to memory of 1372	1940	5eed016d16ed7abb1ee84e19da014d366e2de316a8e938dc318c22fa33ae1939.exe	TVoood.exe
PID 1940 wrote to memory of 1372	1940	5eed016d16ed7abb1ee84e19da014d366e2de316a8e938dc318c22fa33ae1939.exe	TVoood.exe
PID 1372 wrote to memory of 1744	1372	TVoood.exe	wsmprovhost.exe
PID 1372 wrote to memory of 1744	1372	TVoood.exe	wsmprovhost.exe
PID 1372 wrote to memory of 1744	1372	TVoood.exe	wsmprovhost.exe
PID 1372 wrote to memory of 1744	1372	TVoood.exe	wsmprovhost.exe
PID 1372 wrote to memory of 1744	1372	TVoood.exe	wsmprovhost.exe
PID 1372 wrote to memory of 1744	1372	TVoood.exe	wsmprovhost.exe
PID 1372 wrote to memory of 1744	1372	TVoood.exe	wsmprovhost.exe
PID 1372 wrote to memory of 1744	1372	TVoood.exe	wsmprovhost.exe
PID 1372 wrote to memory of 1744	1372	TVoood.exe	wsmprovhost.exe
PID 1372 wrote to memory of 1744	1372	TVoood.exe	wsmprovhost.exe
PID 1372 wrote to memory of 1744	1372	TVoood.exe	wsmprovhost.exe
PID 1372 wrote to memory of 1744	1372	TVoood.exe	wsmprovhost.exe
PID 1372 wrote to memory of 1744	1372	TVoood.exe	wsmprovhost.exe
PID 1372 wrote to memory of 1744	1372	TVoood.exe	wsmprovhost.exe
PID 1372 wrote to memory of 1744	1372	TVoood.exe	wsmprovhost.exe
PID 1372 wrote to memory of 1744	1372	TVoood.exe	wsmprovhost.exe
PID 1372 wrote to memory of 1744	1372	TVoood.exe	wsmprovhost.exe
PID 1372 wrote to memory of 1744	1372	TVoood.exe	wsmprovhost.exe
PID 1372 wrote to memory of 1744	1372	TVoood.exe	wsmprovhost.exe
PID 1372 wrote to memory of 1744	1372	TVoood.exe	wsmprovhost.exe
PID 1372 wrote to memory of 1744	1372	TVoood.exe	wsmprovhost.exe
PID 1372 wrote to memory of 1744	1372	TVoood.exe	wsmprovhost.exe
PID 1372 wrote to memory of 1744	1372	TVoood.exe	wsmprovhost.exe
PID 1372 wrote to memory of 1744	1372	TVoood.exe	wsmprovhost.exe
PID 1372 wrote to memory of 1744	1372	TVoood.exe	wsmprovhost.exe
PID 1372 wrote to memory of 1744	1372	TVoood.exe	wsmprovhost.exe
PID 1372 wrote to memory of 1744	1372	TVoood.exe	wsmprovhost.exe
PID 1372 wrote to memory of 1744	1372	TVoood.exe	wsmprovhost.exe
PID 1372 wrote to memory of 1744	1372	TVoood.exe	wsmprovhost.exe
PID 1372 wrote to memory of 1744	1372	TVoood.exe	wsmprovhost.exe
PID 1372 wrote to memory of 1744	1372	TVoood.exe	wsmprovhost.exe
PID 1372 wrote to memory of 1744	1372	TVoood.exe	wsmprovhost.exe
PID 1372 wrote to memory of 1744	1372	TVoood.exe	wsmprovhost.exe
PID 1372 wrote to memory of 1744	1372	TVoood.exe	wsmprovhost.exe
PID 1372 wrote to memory of 1744	1372	TVoood.exe	wsmprovhost.exe
PID 1372 wrote to memory of 1744	1372	TVoood.exe	wsmprovhost.exe
PID 1372 wrote to memory of 1744	1372	TVoood.exe	wsmprovhost.exe
PID 1372 wrote to memory of 1744	1372	TVoood.exe	wsmprovhost.exe
PID 1372 wrote to memory of 1744	1372	TVoood.exe	wsmprovhost.exe
PID 1372 wrote to memory of 1744	1372	TVoood.exe	wsmprovhost.exe
PID 1372 wrote to memory of 1744	1372	TVoood.exe	wsmprovhost.exe
PID 1372 wrote to memory of 1744	1372	TVoood.exe	wsmprovhost.exe
PID 1372 wrote to memory of 1744	1372	TVoood.exe	wsmprovhost.exe
PID 1372 wrote to memory of 1744	1372	TVoood.exe	wsmprovhost.exe
PID 1372 wrote to memory of 1744	1372	TVoood.exe	wsmprovhost.exe
PID 1372 wrote to memory of 1744	1372	TVoood.exe	wsmprovhost.exe
PID 1372 wrote to memory of 1744	1372	TVoood.exe	wsmprovhost.exe
PID 1372 wrote to memory of 1744	1372	TVoood.exe	wsmprovhost.exe
PID 1372 wrote to memory of 1744	1372	TVoood.exe	wsmprovhost.exe
PID 1372 wrote to memory of 1744	1372	TVoood.exe	wsmprovhost.exe
PID 1372 wrote to memory of 1744	1372	TVoood.exe	wsmprovhost.exe
PID 1372 wrote to memory of 1744	1372	TVoood.exe	wsmprovhost.exe
PID 1372 wrote to memory of 1744	1372	TVoood.exe	wsmprovhost.exe
PID 1372 wrote to memory of 1744	1372	TVoood.exe	wsmprovhost.exe
PID 1372 wrote to memory of 1744	1372	TVoood.exe	wsmprovhost.exe
PID 1372 wrote to memory of 1744	1372	TVoood.exe	wsmprovhost.exe
PID 1372 wrote to memory of 1744	1372	TVoood.exe	wsmprovhost.exe
PID 1372 wrote to memory of 1744	1372	TVoood.exe	wsmprovhost.exe
PID 1372 wrote to memory of 1744	1372	TVoood.exe	wsmprovhost.exe
PID 1372 wrote to memory of 1744	1372	TVoood.exe	wsmprovhost.exe

C:\Users\Admin\AppData\Local\Temp\5eed016d16ed7abb1ee84e19da014d366e2de316a8e938dc318c22fa33ae1939.exe
"C:\Users\Admin\AppData\Local\Temp\5eed016d16ed7abb1ee84e19da014d366e2de316a8e938dc318c22fa33ae1939.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1940

C:\Users\Admin\AppData\Local\TVoood.exe
C:\Users\Admin\AppData\Local\TVoood.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1372

C:\Windows\SysWOW64\wsmprovhost.exe
wsmprovhost.exe
3⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1744

C:\Windows\SysWOW64\wsmprovhost.exe
"C:\Windows\SysWOW64\wsmprovhost.exe"
4⤵
PID:3032

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Ass.bmp

Filesize
773KB

MD5
23203ba1782a28c8f4484a409344be06

SHA1
402c48a6b12c4009115190fcfbd00081a3af3128

SHA256
02e4da182cbb41f59c5cb5c9e2a9ba4262ef305e052207928e8fca5d16d0b549

SHA512
b774fe55c8258d00be92a3ae177771fe6ed58db039e29f07e1f78e63f3dbf79146764fc9ec6cff30b4a6f3b4473a786e1d9367a0d2ddec5356e028e9d2f08f70

Download Submit
C:\Users\Admin\AppData\Local\TVoood.exe

Filesize
445KB

MD5
36d93f874f3758a6e5b3de260679f24b

SHA1
9251c3134f569363331dc70db6c74a0f0413c4ba

SHA256
81b980813969b6f3334331f80194db92088f144ffd0f0c74294a7a92b8e6b8a9

SHA512
350d86e842a951762a9f086d775be7cf61a62ac6a04851b16cb5544f148aa9d0c70c1fb1c15ed723b9908d015ea3990081303107e42b460884f8839e58954c18

Download Submit
C:\Users\Admin\AppData\Local\TVoood.exe

Filesize
445KB

MD5
36d93f874f3758a6e5b3de260679f24b

SHA1
9251c3134f569363331dc70db6c74a0f0413c4ba

SHA256
81b980813969b6f3334331f80194db92088f144ffd0f0c74294a7a92b8e6b8a9

SHA512
350d86e842a951762a9f086d775be7cf61a62ac6a04851b16cb5544f148aa9d0c70c1fb1c15ed723b9908d015ea3990081303107e42b460884f8839e58954c18

Download Submit
\Users\Admin\AppData\Local\TVoood.exe

Filesize
445KB

MD5
36d93f874f3758a6e5b3de260679f24b

SHA1
9251c3134f569363331dc70db6c74a0f0413c4ba

SHA256
81b980813969b6f3334331f80194db92088f144ffd0f0c74294a7a92b8e6b8a9

SHA512
350d86e842a951762a9f086d775be7cf61a62ac6a04851b16cb5544f148aa9d0c70c1fb1c15ed723b9908d015ea3990081303107e42b460884f8839e58954c18

Download Submit
\Users\Admin\AppData\Local\TVoood.exe

Filesize
445KB

MD5
36d93f874f3758a6e5b3de260679f24b

SHA1
9251c3134f569363331dc70db6c74a0f0413c4ba

SHA256
81b980813969b6f3334331f80194db92088f144ffd0f0c74294a7a92b8e6b8a9

SHA512
350d86e842a951762a9f086d775be7cf61a62ac6a04851b16cb5544f148aa9d0c70c1fb1c15ed723b9908d015ea3990081303107e42b460884f8839e58954c18

Download Submit
memory/1372-58-0x0000000000000000-mapping.dmp

Download
memory/1372-65-0x0000000010410000-0x00000000104B8000-memory.dmp

Filesize
672KB

Download
memory/1744-64-0x0000000000000000-mapping.dmp

Download
memory/1744-72-0x0000000010410000-0x00000000104B8000-memory.dmp

Filesize
672KB

Download
memory/1744-80-0x0000000010410000-0x00000000104B8000-memory.dmp

Filesize
672KB

Download
memory/1744-84-0x0000000010410000-0x00000000104B8000-memory.dmp

Filesize
672KB

Download
memory/1940-54-0x0000000076A21000-0x0000000076A23000-memory.dmp

Filesize
8KB

Download
memory/1940-60-0x0000000000400000-0x000000000063C000-memory.dmp

Filesize
2.2MB

Download
memory/1940-55-0x0000000000400000-0x000000000063C000-memory.dmp

Filesize
2.2MB

Download
memory/3032-74-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3032-77-0x0000000000402BCB-mapping.dmp

Download
memory/3032-76-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3032-82-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3032-83-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads