netwire | bea60e5ba81781d9ce1b148dcd77412da965d93730bf8f2608c7b077f07e68ca

General

Target

bea60e5ba81781d9ce1b148dcd77412da965d93730bf8f2608c7b077f07e68ca.exe
Size

1.2MB
MD5

1c1dc513c93df358bbfe566a37b32359
SHA1

7281a9babd20a1a5a48ace5fdefa558603c55152
SHA256

bea60e5ba81781d9ce1b148dcd77412da965d93730bf8f2608c7b077f07e68ca
SHA512

fa2fc9eff890657501ea9c627dd107c17a5b077bd46369bf73cf74056b372baa2790dcad2461fc899f55e0e4445eceebd9d32cc06c7c393d97841ff77e369a0f

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Extracted

Family

netwire

C2

pd1n.ddns.net:1968

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
pd1n-noip
lock_executable
false
offline_keylogger
false
password
Kimbolsapoq!P12
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2880-144-0x0000000000400000-0x0000000000420000-memory.dmp	netwire
behavioral2/memory/2880-147-0x0000000000400000-0x0000000000420000-memory.dmp	netwire
behavioral2/memory/2880-149-0x0000000000400000-0x0000000000420000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 1 IoCs

Processes:

sderwqfvgb.exe

pid process

3392 sderwqfvgb.exe

pid	process
3392	sderwqfvgb.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fgtyhjkl = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\fgtyhjkl.txt \| cmd"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

sderwqfvgb.exe

description pid process target process

PID 3392 set thread context of 2880 3392 sderwqfvgb.exe regasm.exe

description	pid	process	target process
PID 3392 set thread context of 2880	3392	sderwqfvgb.exe	regasm.exe

Drops file in Windows directory 2 IoCs

Processes:

regasm.exe

description	ioc	process
File created	C:\Windows\Microsoft.net\Framework\v2.0.50727\.IgHiJkLiO	regasm.exe
File opened for modification	C:\Windows\Microsoft.net\Framework\v2.0.50727\.IgHiJkLiO	regasm.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

bea60e5ba81781d9ce1b148dcd77412da965d93730bf8f2608c7b077f07e68ca.exesderwqfvgb.exe

description	pid	process
Token: SeDebugPrivilege	4088	bea60e5ba81781d9ce1b148dcd77412da965d93730bf8f2608c7b077f07e68ca.exe
Token: SeDebugPrivilege	3392	sderwqfvgb.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

bea60e5ba81781d9ce1b148dcd77412da965d93730bf8f2608c7b077f07e68ca.execmd.exesderwqfvgb.execmd.exe

description	pid	process	target process
PID 4088 wrote to memory of 4836	4088	bea60e5ba81781d9ce1b148dcd77412da965d93730bf8f2608c7b077f07e68ca.exe	cmd.exe
PID 4088 wrote to memory of 4836	4088	bea60e5ba81781d9ce1b148dcd77412da965d93730bf8f2608c7b077f07e68ca.exe	cmd.exe
PID 4088 wrote to memory of 4836	4088	bea60e5ba81781d9ce1b148dcd77412da965d93730bf8f2608c7b077f07e68ca.exe	cmd.exe
PID 4836 wrote to memory of 3392	4836	cmd.exe	sderwqfvgb.exe
PID 4836 wrote to memory of 3392	4836	cmd.exe	sderwqfvgb.exe
PID 4836 wrote to memory of 3392	4836	cmd.exe	sderwqfvgb.exe
PID 3392 wrote to memory of 744	3392	sderwqfvgb.exe	cmd.exe
PID 3392 wrote to memory of 744	3392	sderwqfvgb.exe	cmd.exe
PID 3392 wrote to memory of 744	3392	sderwqfvgb.exe	cmd.exe
PID 744 wrote to memory of 1324	744	cmd.exe	reg.exe
PID 744 wrote to memory of 1324	744	cmd.exe	reg.exe
PID 744 wrote to memory of 1324	744	cmd.exe	reg.exe
PID 3392 wrote to memory of 1984	3392	sderwqfvgb.exe	regasm.exe
PID 3392 wrote to memory of 1984	3392	sderwqfvgb.exe	regasm.exe
PID 3392 wrote to memory of 1984	3392	sderwqfvgb.exe	regasm.exe
PID 3392 wrote to memory of 2880	3392	sderwqfvgb.exe	regasm.exe
PID 3392 wrote to memory of 2880	3392	sderwqfvgb.exe	regasm.exe
PID 3392 wrote to memory of 2880	3392	sderwqfvgb.exe	regasm.exe
PID 3392 wrote to memory of 2880	3392	sderwqfvgb.exe	regasm.exe
PID 3392 wrote to memory of 2880	3392	sderwqfvgb.exe	regasm.exe
PID 3392 wrote to memory of 2880	3392	sderwqfvgb.exe	regasm.exe
PID 3392 wrote to memory of 2880	3392	sderwqfvgb.exe	regasm.exe
PID 3392 wrote to memory of 2880	3392	sderwqfvgb.exe	regasm.exe
PID 3392 wrote to memory of 2880	3392	sderwqfvgb.exe	regasm.exe

C:\Users\Admin\AppData\Local\Temp\bea60e5ba81781d9ce1b148dcd77412da965d93730bf8f2608c7b077f07e68ca.exe
"C:\Users\Admin\AppData\Local\Temp\bea60e5ba81781d9ce1b148dcd77412da965d93730bf8f2608c7b077f07e68ca.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4088

C:\Windows\SysWOW64\cmd.exe
"cmd"
2⤵
- Suspicious use of WriteProcessMemory
PID:4836

C:\Users\Admin\AppData\Roaming\yutghbncxsdz\sderwqfvgb.exe
"C:\Users\Admin\AppData\Roaming\yutghbncxsdz\sderwqfvgb.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3392

C:\Windows\SysWOW64\cmd.exe
"cmd"
4⤵
- Suspicious use of WriteProcessMemory
PID:744

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "fgtyhjkl" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\fgtyhjkl.txt" | cmd"
5⤵
- Adds Run key to start application
PID:1324

C:\Windows\Microsoft.net\Framework\v2.0.50727\regasm.exe
"C:\Users\Admin\AppData\Roaming\yutghbncxsdz\sderwqfvgb.exe"
4⤵
PID:1984

C:\Windows\Microsoft.net\Framework\v2.0.50727\regasm.exe
"C:\Users\Admin\AppData\Roaming\yutghbncxsdz\sderwqfvgb.exe"
4⤵
- Drops file in Windows directory
PID:2880

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0972B7C417F696E06E186AEB26286F01_6DEFC1B0F00B73D870DAEE9AD78095DA

Filesize
1KB

MD5
729b7bc608a61a8e50cda5b0390d9f9d

SHA1
57d7af72b872f219f74536288948d37429b3f993

SHA256
f6fd1fc70e01cf1672748312e7e8113954f23591182a6d47c5d2d12fd3a33cab

SHA512
288ee1e1f1a6a913ae8a4dd7c68ffaf1cc162fa42a4f00584d182628717118b106af9409da2fa98079694c8814a2d02b494bcd98a5681baede37a5b69b4f86fc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8828F39C7C0CE9A14B25C7EB321181BA_3DF94EB797096674F7793A562A778C5F

Filesize
1KB

MD5
76c66a47f75937bd0015f3dd0b59dc96

SHA1
48191e865350e497851cc0e77d137add1fd9bc25

SHA256
c4216e55a2baed168e318a5f8d5740b5f4c5dbedd226536243d4527090e59044

SHA512
7318040978957aa3f79bb74ef7f66368bb8a3b42b0b7eebddb847c3ab3684386b93615dc40498d3bbd858c0aa16098d73b2246dd1a3580143cd98519e1792911

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0972B7C417F696E06E186AEB26286F01_6DEFC1B0F00B73D870DAEE9AD78095DA

Filesize
398B

MD5
a2781f255950b6b868af9c6d7ec211be

SHA1
3d6cc5e9bfc4a1af67744b966ed354c14378e9be

SHA256
39bc5df9ca214b0a9f36a2859e20584a03bf6e3b5e7bd0d320c2f416a93b9064

SHA512
72ec37f174625642296e3bec38cfb504f98f2c28a6c9da384f1ea04a9cfc9582405cd09b4af4d7f7e5a1d952fd001f1414e79258fbb174355c3b05041d304961

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8828F39C7C0CE9A14B25C7EB321181BA_3DF94EB797096674F7793A562A778C5F

Filesize
392B

MD5
1f0fa216a0710dddd197e5e8051c496e

SHA1
0f85177d9520db726dd1ab592f9d1be580f14784

SHA256
cccfca5f6f561bed68c9aec6a60da89e51ab7b4eef765d3e5d19e7fec98d6c5d

SHA512
2ce728fd5f021203693c613fb87816b5ba4a6e40c5d9165215d9e4fd1da880fcab3422f1d50f72165d71cbbb59aaf7b519bd29b3d6f14b3207833558e66ee024

Download Submit
C:\Users\Admin\AppData\Roaming\yutghbncxsdz\sderwqfvgb.exe

Filesize
1.2MB

MD5
1c1dc513c93df358bbfe566a37b32359

SHA1
7281a9babd20a1a5a48ace5fdefa558603c55152

SHA256
bea60e5ba81781d9ce1b148dcd77412da965d93730bf8f2608c7b077f07e68ca

SHA512
fa2fc9eff890657501ea9c627dd107c17a5b077bd46369bf73cf74056b372baa2790dcad2461fc899f55e0e4445eceebd9d32cc06c7c393d97841ff77e369a0f

Download Submit
C:\Users\Admin\AppData\Roaming\yutghbncxsdz\sderwqfvgb.exe

Filesize
1.2MB

MD5
1c1dc513c93df358bbfe566a37b32359

SHA1
7281a9babd20a1a5a48ace5fdefa558603c55152

SHA256
bea60e5ba81781d9ce1b148dcd77412da965d93730bf8f2608c7b077f07e68ca

SHA512
fa2fc9eff890657501ea9c627dd107c17a5b077bd46369bf73cf74056b372baa2790dcad2461fc899f55e0e4445eceebd9d32cc06c7c393d97841ff77e369a0f

Download Submit
memory/744-140-0x0000000000000000-mapping.dmp

Download
memory/1324-141-0x0000000000000000-mapping.dmp

Download
memory/1984-142-0x0000000000000000-mapping.dmp

Download
memory/2880-143-0x0000000000000000-mapping.dmp

Download
memory/2880-144-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2880-147-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2880-149-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3392-132-0x0000000000000000-mapping.dmp

Download
memory/3392-146-0x0000000074690000-0x0000000074C41000-memory.dmp

Filesize
5.7MB

Download
memory/4088-130-0x0000000074690000-0x0000000074C41000-memory.dmp

Filesize
5.7MB

Download
memory/4088-135-0x0000000074690000-0x0000000074C41000-memory.dmp

Filesize
5.7MB

Download
memory/4836-131-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads