netwire | 5691c9faace16caa42cfc4b8cd06c1b7ac56809333534f737c9dc239f0d882fb

General

Target

5691c9faace16caa42cfc4b8cd06c1b7ac56809333534f737c9dc239f0d882fb.exe
Size

292KB
MD5

f3ee8ac24e5c6ddb964db9bd38aa6224
SHA1

e3000becb6ddaf78fdaa9ad16617eed6fa91c5f0
SHA256

5691c9faace16caa42cfc4b8cd06c1b7ac56809333534f737c9dc239f0d882fb
SHA512

aacd26f56db9eb8ff3f8166abc0dcd50fa0f768e8a6980340b31245d863940efd0f0d1e94e56e23b650582d630432666e5a52b8d45390f908ad413a711b8b9d5

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

C2

extensions14718.sytes.net:3324

extensions14718sec.sytes.net:3324

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
keylogger_dir
C:\Users\Admin\AppData\Roaming\Logs\
lock_executable
false
mutex
AJTAsMDe
offline_keylogger
true
password
Password
registry_autorun
false
use_mutex
true

Signatures

NetWire RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/816-68-0x0000000000400000-0x000000000044F000-memory.dmp	netwire
behavioral1/memory/816-70-0x0000000000400000-0x000000000044F000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 1 IoCs

Processes:

Biomassekraftvarmevrker8.exe

pid process

816 Biomassekraftvarmevrker8.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2044 schtasks.exe

pid	process
816	Biomassekraftvarmevrker8.exe

pid	process
2044	schtasks.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

5691c9faace16caa42cfc4b8cd06c1b7ac56809333534f737c9dc239f0d882fb.exeBiomassekraftvarmevrker8.exe

pid	process
2008	5691c9faace16caa42cfc4b8cd06c1b7ac56809333534f737c9dc239f0d882fb.exe
2008	5691c9faace16caa42cfc4b8cd06c1b7ac56809333534f737c9dc239f0d882fb.exe
816	Biomassekraftvarmevrker8.exe
816	Biomassekraftvarmevrker8.exe

Suspicious use of SendNotifyMessage 4 IoCs

Processes:

5691c9faace16caa42cfc4b8cd06c1b7ac56809333534f737c9dc239f0d882fb.exeBiomassekraftvarmevrker8.exe

pid	process
2008	5691c9faace16caa42cfc4b8cd06c1b7ac56809333534f737c9dc239f0d882fb.exe
2008	5691c9faace16caa42cfc4b8cd06c1b7ac56809333534f737c9dc239f0d882fb.exe
816	Biomassekraftvarmevrker8.exe
816	Biomassekraftvarmevrker8.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

5691c9faace16caa42cfc4b8cd06c1b7ac56809333534f737c9dc239f0d882fb.exeBiomassekraftvarmevrker8.exe

pid process

2008 5691c9faace16caa42cfc4b8cd06c1b7ac56809333534f737c9dc239f0d882fb.exe
816 Biomassekraftvarmevrker8.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Biomassekraftvarmevrker8.exe

pid process

816 Biomassekraftvarmevrker8.exe

pid	process
816	Biomassekraftvarmevrker8.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

5691c9faace16caa42cfc4b8cd06c1b7ac56809333534f737c9dc239f0d882fb.exetaskeng.exe

description	pid	process	target process
PID 2008 wrote to memory of 2044	2008	5691c9faace16caa42cfc4b8cd06c1b7ac56809333534f737c9dc239f0d882fb.exe	schtasks.exe
PID 2008 wrote to memory of 2044	2008	5691c9faace16caa42cfc4b8cd06c1b7ac56809333534f737c9dc239f0d882fb.exe	schtasks.exe
PID 2008 wrote to memory of 2044	2008	5691c9faace16caa42cfc4b8cd06c1b7ac56809333534f737c9dc239f0d882fb.exe	schtasks.exe
PID 2008 wrote to memory of 2044	2008	5691c9faace16caa42cfc4b8cd06c1b7ac56809333534f737c9dc239f0d882fb.exe	schtasks.exe
PID 2008 wrote to memory of 1988	2008	5691c9faace16caa42cfc4b8cd06c1b7ac56809333534f737c9dc239f0d882fb.exe	schtasks.exe
PID 2008 wrote to memory of 1988	2008	5691c9faace16caa42cfc4b8cd06c1b7ac56809333534f737c9dc239f0d882fb.exe	schtasks.exe
PID 2008 wrote to memory of 1988	2008	5691c9faace16caa42cfc4b8cd06c1b7ac56809333534f737c9dc239f0d882fb.exe	schtasks.exe
PID 2008 wrote to memory of 1988	2008	5691c9faace16caa42cfc4b8cd06c1b7ac56809333534f737c9dc239f0d882fb.exe	schtasks.exe
PID 1928 wrote to memory of 816	1928	taskeng.exe	Biomassekraftvarmevrker8.exe
PID 1928 wrote to memory of 816	1928	taskeng.exe	Biomassekraftvarmevrker8.exe
PID 1928 wrote to memory of 816	1928	taskeng.exe	Biomassekraftvarmevrker8.exe
PID 1928 wrote to memory of 816	1928	taskeng.exe	Biomassekraftvarmevrker8.exe

C:\Users\Admin\AppData\Local\Temp\5691c9faace16caa42cfc4b8cd06c1b7ac56809333534f737c9dc239f0d882fb.exe
"C:\Users\Admin\AppData\Local\Temp\5691c9faace16caa42cfc4b8cd06c1b7ac56809333534f737c9dc239f0d882fb.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2008

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /TN "Rosinbrdet5" /TR "C:\Users\Admin\AppData\Roaming\Biomassekraftvarmevrker8.exe"
2⤵
- Creates scheduled task(s)
PID:2044

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /run /tn "Rosinbrdet5"
2⤵
PID:1988

C:\Windows\system32\taskeng.exe
taskeng.exe {E9EB12A0-A9A8-4028-A696-8F500D36972D} S-1-5-21-3762437355-3468409815-1164039494-1000:TZEOUYSL\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1928

C:\Users\Admin\AppData\Roaming\Biomassekraftvarmevrker8.exe
C:\Users\Admin\AppData\Roaming\Biomassekraftvarmevrker8.exe
2⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
PID:816

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Biomassekraftvarmevrker8.exe

Filesize
292KB

MD5
fe1a5ab0fa68403dd4bf9e35295047ce

SHA1
50d7ec211fdf8393e085dd132b4473253555f734

SHA256
c5096e7519b6f9fbe2bb673064e7d40266c37e737fb209f695a3b5ddd500fc76

SHA512
f63e0e7676bbda132d68a033f229f0ec763152012e2065aafb922658f6d36d427661dea0ac9ab444b49ad64b29c1529335e376d87aa7bfc2028f5450a46e5f59

Download Submit
C:\Users\Admin\AppData\Roaming\Biomassekraftvarmevrker8.exe

Filesize
292KB

MD5
fe1a5ab0fa68403dd4bf9e35295047ce

SHA1
50d7ec211fdf8393e085dd132b4473253555f734

SHA256
c5096e7519b6f9fbe2bb673064e7d40266c37e737fb209f695a3b5ddd500fc76

SHA512
f63e0e7676bbda132d68a033f229f0ec763152012e2065aafb922658f6d36d427661dea0ac9ab444b49ad64b29c1529335e376d87aa7bfc2028f5450a46e5f59

Download Submit
memory/816-62-0x0000000000000000-mapping.dmp

Download
memory/816-68-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/816-69-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/816-70-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1988-59-0x0000000000000000-mapping.dmp

Download
memory/2008-56-0x00000000754F1000-0x00000000754F3000-memory.dmp

Filesize
8KB

Download
memory/2008-57-0x0000000077880000-0x0000000077A00000-memory.dmp

Filesize
1.5MB

Download
memory/2008-60-0x0000000077880000-0x0000000077A00000-memory.dmp

Filesize
1.5MB

Download
memory/2044-58-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads