netwire | ae1f2914d61d01d927899c62c72a62590ce08baa18a78a1e56bd9dfdda634f3f

General

Target

ae1f2914d61d01d927899c62c72a62590ce08baa18a78a1e56bd9dfdda634f3f.exe
Size

604KB
MD5

06c5d04214063a365e85aba8a7d1a5ca
SHA1

cbdf52430e8c7479e12071ee1349008353eee433
SHA256

ae1f2914d61d01d927899c62c72a62590ce08baa18a78a1e56bd9dfdda634f3f
SHA512

68b49fd290a4ce1215a44045528c13fca56bf82dc99d674b25ab7218b07ece7f921c31bd9b4040aab194c24d24ae3db072b2de6e3d03e6cc6f5ea146fe948097

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Extracted

Family

netwire

C2

79.134.225.120:8765

Attributes

activex_autorun
true
activex_key
{7XOS4W0K-H4LE-56X7-UJ07-L110BJ4GFYE8}
copy_executable
true
delete_original
false
host_id
HostId-%Rand%
install_path
%AppData%\Install\Host.exe
lock_executable
false
offline_keylogger
false
password
Password
registry_autorun
true
startup_name
win01
use_mutex
false

Signatures

NetWire RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2028-66-0x0000000000400000-0x0000000000498000-memory.dmp	netwire
behavioral1/memory/2028-67-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/896-92-0x0000000000400000-0x0000000000498000-memory.dmp	netwire
behavioral1/memory/896-93-0x0000000000400000-0x000000000042C000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 2 IoCs

Processes:

Host.exeHost.exe

pid process

1844 Host.exe
896 Host.exe

pid	process
1844	Host.exe
896	Host.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Host.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7XOS4W0K-H4LE-56X7-UJ07-L110BJ4GFYE8}	Host.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7XOS4W0K-H4LE-56X7-UJ07-L110BJ4GFYE8}\StubPath = "\"C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe\""	Host.exe

Loads dropped DLL 2 IoCs

Processes:

ae1f2914d61d01d927899c62c72a62590ce08baa18a78a1e56bd9dfdda634f3f.exe

pid	process
2028	ae1f2914d61d01d927899c62c72a62590ce08baa18a78a1e56bd9dfdda634f3f.exe
2028	ae1f2914d61d01d927899c62c72a62590ce08baa18a78a1e56bd9dfdda634f3f.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Host.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	Host.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Windows\CurrentVersion\Run\win01 = "C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe"	Host.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

Processes:

ae1f2914d61d01d927899c62c72a62590ce08baa18a78a1e56bd9dfdda634f3f.exeae1f2914d61d01d927899c62c72a62590ce08baa18a78a1e56bd9dfdda634f3f.exeHost.exeHost.exe

pid	process
1660	ae1f2914d61d01d927899c62c72a62590ce08baa18a78a1e56bd9dfdda634f3f.exe
2028	ae1f2914d61d01d927899c62c72a62590ce08baa18a78a1e56bd9dfdda634f3f.exe
2028	ae1f2914d61d01d927899c62c72a62590ce08baa18a78a1e56bd9dfdda634f3f.exe
1844	Host.exe
896	Host.exe
896	Host.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

ae1f2914d61d01d927899c62c72a62590ce08baa18a78a1e56bd9dfdda634f3f.exeHost.exe

description	pid	process	target process
PID 1660 set thread context of 2028	1660	ae1f2914d61d01d927899c62c72a62590ce08baa18a78a1e56bd9dfdda634f3f.exe	ae1f2914d61d01d927899c62c72a62590ce08baa18a78a1e56bd9dfdda634f3f.exe
PID 1844 set thread context of 896	1844	Host.exe	Host.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

ae1f2914d61d01d927899c62c72a62590ce08baa18a78a1e56bd9dfdda634f3f.exeHost.exe

pid process

1660 ae1f2914d61d01d927899c62c72a62590ce08baa18a78a1e56bd9dfdda634f3f.exe
1844 Host.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

ae1f2914d61d01d927899c62c72a62590ce08baa18a78a1e56bd9dfdda634f3f.exeae1f2914d61d01d927899c62c72a62590ce08baa18a78a1e56bd9dfdda634f3f.exeHost.exe

description	pid	process	target process
PID 1660 wrote to memory of 2028	1660	ae1f2914d61d01d927899c62c72a62590ce08baa18a78a1e56bd9dfdda634f3f.exe	ae1f2914d61d01d927899c62c72a62590ce08baa18a78a1e56bd9dfdda634f3f.exe
PID 1660 wrote to memory of 2028	1660	ae1f2914d61d01d927899c62c72a62590ce08baa18a78a1e56bd9dfdda634f3f.exe	ae1f2914d61d01d927899c62c72a62590ce08baa18a78a1e56bd9dfdda634f3f.exe
PID 1660 wrote to memory of 2028	1660	ae1f2914d61d01d927899c62c72a62590ce08baa18a78a1e56bd9dfdda634f3f.exe	ae1f2914d61d01d927899c62c72a62590ce08baa18a78a1e56bd9dfdda634f3f.exe
PID 1660 wrote to memory of 2028	1660	ae1f2914d61d01d927899c62c72a62590ce08baa18a78a1e56bd9dfdda634f3f.exe	ae1f2914d61d01d927899c62c72a62590ce08baa18a78a1e56bd9dfdda634f3f.exe
PID 2028 wrote to memory of 1844	2028	ae1f2914d61d01d927899c62c72a62590ce08baa18a78a1e56bd9dfdda634f3f.exe	Host.exe
PID 2028 wrote to memory of 1844	2028	ae1f2914d61d01d927899c62c72a62590ce08baa18a78a1e56bd9dfdda634f3f.exe	Host.exe
PID 2028 wrote to memory of 1844	2028	ae1f2914d61d01d927899c62c72a62590ce08baa18a78a1e56bd9dfdda634f3f.exe	Host.exe
PID 2028 wrote to memory of 1844	2028	ae1f2914d61d01d927899c62c72a62590ce08baa18a78a1e56bd9dfdda634f3f.exe	Host.exe
PID 1844 wrote to memory of 896	1844	Host.exe	Host.exe
PID 1844 wrote to memory of 896	1844	Host.exe	Host.exe
PID 1844 wrote to memory of 896	1844	Host.exe	Host.exe
PID 1844 wrote to memory of 896	1844	Host.exe	Host.exe

C:\Users\Admin\AppData\Local\Temp\ae1f2914d61d01d927899c62c72a62590ce08baa18a78a1e56bd9dfdda634f3f.exe
"C:\Users\Admin\AppData\Local\Temp\ae1f2914d61d01d927899c62c72a62590ce08baa18a78a1e56bd9dfdda634f3f.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1660

C:\Users\Admin\AppData\Local\Temp\ae1f2914d61d01d927899c62c72a62590ce08baa18a78a1e56bd9dfdda634f3f.exe
"C:\Users\Admin\AppData\Local\Temp\ae1f2914d61d01d927899c62c72a62590ce08baa18a78a1e56bd9dfdda634f3f.exe"
2⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:2028

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1844

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
4⤵
- Executes dropped EXE
- Modifies Installed Components in the registry
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:896

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
604KB

MD5
06c5d04214063a365e85aba8a7d1a5ca

SHA1
cbdf52430e8c7479e12071ee1349008353eee433

SHA256
ae1f2914d61d01d927899c62c72a62590ce08baa18a78a1e56bd9dfdda634f3f

SHA512
68b49fd290a4ce1215a44045528c13fca56bf82dc99d674b25ab7218b07ece7f921c31bd9b4040aab194c24d24ae3db072b2de6e3d03e6cc6f5ea146fe948097

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
604KB

MD5
06c5d04214063a365e85aba8a7d1a5ca

SHA1
cbdf52430e8c7479e12071ee1349008353eee433

SHA256
ae1f2914d61d01d927899c62c72a62590ce08baa18a78a1e56bd9dfdda634f3f

SHA512
68b49fd290a4ce1215a44045528c13fca56bf82dc99d674b25ab7218b07ece7f921c31bd9b4040aab194c24d24ae3db072b2de6e3d03e6cc6f5ea146fe948097

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
604KB

MD5
06c5d04214063a365e85aba8a7d1a5ca

SHA1
cbdf52430e8c7479e12071ee1349008353eee433

SHA256
ae1f2914d61d01d927899c62c72a62590ce08baa18a78a1e56bd9dfdda634f3f

SHA512
68b49fd290a4ce1215a44045528c13fca56bf82dc99d674b25ab7218b07ece7f921c31bd9b4040aab194c24d24ae3db072b2de6e3d03e6cc6f5ea146fe948097

Download Submit
\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
604KB

MD5
06c5d04214063a365e85aba8a7d1a5ca

SHA1
cbdf52430e8c7479e12071ee1349008353eee433

SHA256
ae1f2914d61d01d927899c62c72a62590ce08baa18a78a1e56bd9dfdda634f3f

SHA512
68b49fd290a4ce1215a44045528c13fca56bf82dc99d674b25ab7218b07ece7f921c31bd9b4040aab194c24d24ae3db072b2de6e3d03e6cc6f5ea146fe948097

Download Submit
\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
604KB

MD5
06c5d04214063a365e85aba8a7d1a5ca

SHA1
cbdf52430e8c7479e12071ee1349008353eee433

SHA256
ae1f2914d61d01d927899c62c72a62590ce08baa18a78a1e56bd9dfdda634f3f

SHA512
68b49fd290a4ce1215a44045528c13fca56bf82dc99d674b25ab7218b07ece7f921c31bd9b4040aab194c24d24ae3db072b2de6e3d03e6cc6f5ea146fe948097

Download Submit
memory/896-101-0x0000000077720000-0x00000000778A0000-memory.dmp

Filesize
1.5MB

Download
memory/896-100-0x0000000077720000-0x00000000778A0000-memory.dmp

Filesize
1.5MB

Download
memory/896-99-0x0000000077540000-0x00000000776E9000-memory.dmp

Filesize
1.7MB

Download
memory/896-93-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/896-92-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/896-85-0x0000000000482577-mapping.dmp

Download
memory/1660-63-0x0000000077720000-0x00000000778A0000-memory.dmp

Filesize
1.5MB

Download
memory/1660-56-0x0000000000250000-0x000000000025E000-memory.dmp

Filesize
56KB

Download
memory/1660-57-0x00000000756C1000-0x00000000756C3000-memory.dmp

Filesize
8KB

Download
memory/1660-59-0x0000000077540000-0x00000000776E9000-memory.dmp

Filesize
1.7MB

Download
memory/1660-60-0x0000000077720000-0x00000000778A0000-memory.dmp

Filesize
1.5MB

Download
memory/1660-62-0x0000000000250000-0x000000000025E000-memory.dmp

Filesize
56KB

Download
memory/1844-89-0x0000000077720000-0x00000000778A0000-memory.dmp

Filesize
1.5MB

Download
memory/1844-88-0x0000000000240000-0x000000000024E000-memory.dmp

Filesize
56KB

Download
memory/1844-87-0x0000000077540000-0x00000000776E9000-memory.dmp

Filesize
1.7MB

Download
memory/1844-75-0x0000000000000000-mapping.dmp

Download
memory/2028-66-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2028-67-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2028-61-0x0000000000482577-mapping.dmp

Download
memory/2028-80-0x0000000077720000-0x00000000778A0000-memory.dmp

Filesize
1.5MB

Download
memory/2028-76-0x0000000000220000-0x000000000022E000-memory.dmp

Filesize
56KB

Download
memory/2028-78-0x0000000077540000-0x00000000776E9000-memory.dmp

Filesize
1.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads