netwire | 5dbb40b456735ce7ec05034fc3e010fc8fd8599e973954f1320a59c5587a7ce3

General

Target

5dbb40b456735ce7ec05034fc3e010fc8fd8599e973954f1320a59c5587a7ce3.exe
Size

500KB
MD5

91530bde7d5d48021cda6843314bb02d
SHA1

1053c2dd4bfac299e0dcc1cd0454c08870c38525
SHA256

5dbb40b456735ce7ec05034fc3e010fc8fd8599e973954f1320a59c5587a7ce3
SHA512

f344a561f3804edb478d6165123f72973c556064f2711f5e7d2f9ef902766dfae5cbb5981f8fca05f7bce58f41957c79ba2cd76e9082eab50d885a7cfaffc6b4

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Signatures

NetWire RAT payload 7 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1260-62-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral1/memory/1260-66-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral1/memory/1260-68-0x00000000004021DA-mapping.dmp	netwire
behavioral1/memory/1260-72-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral1/memory/1260-77-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral1/memory/1452-92-0x00000000004021DA-mapping.dmp	netwire
behavioral1/memory/1452-98-0x0000000000400000-0x000000000041E000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 2 IoCs

Processes:

HKRUN.exeHKRUN.exe

pid process

1528 HKRUN.exe
1452 HKRUN.exe

pid	process
1528	HKRUN.exe
1452	HKRUN.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

HKRUN.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{GX4W778O-8WXD-U6V5-673Y-818I614AXLWR}	HKRUN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{GX4W778O-8WXD-U6V5-673Y-818I614AXLWR}\StubPath = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\HKRUN.exe\""	HKRUN.exe

Loads dropped DLL 2 IoCs

Processes:

5dbb40b456735ce7ec05034fc3e010fc8fd8599e973954f1320a59c5587a7ce3.exe

pid	process
1260	5dbb40b456735ce7ec05034fc3e010fc8fd8599e973954f1320a59c5587a7ce3.exe
1260	5dbb40b456735ce7ec05034fc3e010fc8fd8599e973954f1320a59c5587a7ce3.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

HKRUN.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	HKRUN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Windows\CurrentVersion\Run\RegEdit1 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\HKRUN.exe"	HKRUN.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

5dbb40b456735ce7ec05034fc3e010fc8fd8599e973954f1320a59c5587a7ce3.exeHKRUN.exe

description	pid	process	target process
PID 1360 set thread context of 1260	1360	5dbb40b456735ce7ec05034fc3e010fc8fd8599e973954f1320a59c5587a7ce3.exe	5dbb40b456735ce7ec05034fc3e010fc8fd8599e973954f1320a59c5587a7ce3.exe
PID 1528 set thread context of 1452	1528	HKRUN.exe	HKRUN.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

5dbb40b456735ce7ec05034fc3e010fc8fd8599e973954f1320a59c5587a7ce3.exe5dbb40b456735ce7ec05034fc3e010fc8fd8599e973954f1320a59c5587a7ce3.exeHKRUN.exe

description	pid	process	target process
PID 1360 wrote to memory of 1260	1360	5dbb40b456735ce7ec05034fc3e010fc8fd8599e973954f1320a59c5587a7ce3.exe	5dbb40b456735ce7ec05034fc3e010fc8fd8599e973954f1320a59c5587a7ce3.exe
PID 1360 wrote to memory of 1260	1360	5dbb40b456735ce7ec05034fc3e010fc8fd8599e973954f1320a59c5587a7ce3.exe	5dbb40b456735ce7ec05034fc3e010fc8fd8599e973954f1320a59c5587a7ce3.exe
PID 1360 wrote to memory of 1260	1360	5dbb40b456735ce7ec05034fc3e010fc8fd8599e973954f1320a59c5587a7ce3.exe	5dbb40b456735ce7ec05034fc3e010fc8fd8599e973954f1320a59c5587a7ce3.exe
PID 1360 wrote to memory of 1260	1360	5dbb40b456735ce7ec05034fc3e010fc8fd8599e973954f1320a59c5587a7ce3.exe	5dbb40b456735ce7ec05034fc3e010fc8fd8599e973954f1320a59c5587a7ce3.exe
PID 1360 wrote to memory of 1260	1360	5dbb40b456735ce7ec05034fc3e010fc8fd8599e973954f1320a59c5587a7ce3.exe	5dbb40b456735ce7ec05034fc3e010fc8fd8599e973954f1320a59c5587a7ce3.exe
PID 1360 wrote to memory of 1260	1360	5dbb40b456735ce7ec05034fc3e010fc8fd8599e973954f1320a59c5587a7ce3.exe	5dbb40b456735ce7ec05034fc3e010fc8fd8599e973954f1320a59c5587a7ce3.exe
PID 1360 wrote to memory of 1260	1360	5dbb40b456735ce7ec05034fc3e010fc8fd8599e973954f1320a59c5587a7ce3.exe	5dbb40b456735ce7ec05034fc3e010fc8fd8599e973954f1320a59c5587a7ce3.exe
PID 1360 wrote to memory of 1260	1360	5dbb40b456735ce7ec05034fc3e010fc8fd8599e973954f1320a59c5587a7ce3.exe	5dbb40b456735ce7ec05034fc3e010fc8fd8599e973954f1320a59c5587a7ce3.exe
PID 1360 wrote to memory of 1260	1360	5dbb40b456735ce7ec05034fc3e010fc8fd8599e973954f1320a59c5587a7ce3.exe	5dbb40b456735ce7ec05034fc3e010fc8fd8599e973954f1320a59c5587a7ce3.exe
PID 1260 wrote to memory of 1528	1260	5dbb40b456735ce7ec05034fc3e010fc8fd8599e973954f1320a59c5587a7ce3.exe	HKRUN.exe
PID 1260 wrote to memory of 1528	1260	5dbb40b456735ce7ec05034fc3e010fc8fd8599e973954f1320a59c5587a7ce3.exe	HKRUN.exe
PID 1260 wrote to memory of 1528	1260	5dbb40b456735ce7ec05034fc3e010fc8fd8599e973954f1320a59c5587a7ce3.exe	HKRUN.exe
PID 1260 wrote to memory of 1528	1260	5dbb40b456735ce7ec05034fc3e010fc8fd8599e973954f1320a59c5587a7ce3.exe	HKRUN.exe
PID 1528 wrote to memory of 1452	1528	HKRUN.exe	HKRUN.exe
PID 1528 wrote to memory of 1452	1528	HKRUN.exe	HKRUN.exe
PID 1528 wrote to memory of 1452	1528	HKRUN.exe	HKRUN.exe
PID 1528 wrote to memory of 1452	1528	HKRUN.exe	HKRUN.exe
PID 1528 wrote to memory of 1452	1528	HKRUN.exe	HKRUN.exe
PID 1528 wrote to memory of 1452	1528	HKRUN.exe	HKRUN.exe
PID 1528 wrote to memory of 1452	1528	HKRUN.exe	HKRUN.exe
PID 1528 wrote to memory of 1452	1528	HKRUN.exe	HKRUN.exe
PID 1528 wrote to memory of 1452	1528	HKRUN.exe	HKRUN.exe

C:\Users\Admin\AppData\Local\Temp\5dbb40b456735ce7ec05034fc3e010fc8fd8599e973954f1320a59c5587a7ce3.exe
"C:\Users\Admin\AppData\Local\Temp\5dbb40b456735ce7ec05034fc3e010fc8fd8599e973954f1320a59c5587a7ce3.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1360

C:\Users\Admin\AppData\Local\Temp\5dbb40b456735ce7ec05034fc3e010fc8fd8599e973954f1320a59c5587a7ce3.exe
"C:\Users\Admin\AppData\Local\Temp\5dbb40b456735ce7ec05034fc3e010fc8fd8599e973954f1320a59c5587a7ce3.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1260

C:\Users\Admin\AppData\Roaming\Microsoft\HKRUN.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\HKRUN.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1528

C:\Users\Admin\AppData\Roaming\Microsoft\HKRUN.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\HKRUN.exe"
4⤵
- Executes dropped EXE
- Modifies Installed Components in the registry
- Adds Run key to start application
PID:1452

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\HKRUN.exe
Filesize
500KB

MD5
91530bde7d5d48021cda6843314bb02d

SHA1
1053c2dd4bfac299e0dcc1cd0454c08870c38525

SHA256
5dbb40b456735ce7ec05034fc3e010fc8fd8599e973954f1320a59c5587a7ce3

SHA512
f344a561f3804edb478d6165123f72973c556064f2711f5e7d2f9ef902766dfae5cbb5981f8fca05f7bce58f41957c79ba2cd76e9082eab50d885a7cfaffc6b4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\HKRUN.exe
Filesize
500KB

MD5
91530bde7d5d48021cda6843314bb02d

SHA1
1053c2dd4bfac299e0dcc1cd0454c08870c38525

SHA256
5dbb40b456735ce7ec05034fc3e010fc8fd8599e973954f1320a59c5587a7ce3

SHA512
f344a561f3804edb478d6165123f72973c556064f2711f5e7d2f9ef902766dfae5cbb5981f8fca05f7bce58f41957c79ba2cd76e9082eab50d885a7cfaffc6b4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\HKRUN.exe
Filesize
500KB

MD5
91530bde7d5d48021cda6843314bb02d

SHA1
1053c2dd4bfac299e0dcc1cd0454c08870c38525

SHA256
5dbb40b456735ce7ec05034fc3e010fc8fd8599e973954f1320a59c5587a7ce3

SHA512
f344a561f3804edb478d6165123f72973c556064f2711f5e7d2f9ef902766dfae5cbb5981f8fca05f7bce58f41957c79ba2cd76e9082eab50d885a7cfaffc6b4

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\HKRUN.exe
Filesize
500KB

MD5
91530bde7d5d48021cda6843314bb02d

SHA1
1053c2dd4bfac299e0dcc1cd0454c08870c38525

SHA256
5dbb40b456735ce7ec05034fc3e010fc8fd8599e973954f1320a59c5587a7ce3

SHA512
f344a561f3804edb478d6165123f72973c556064f2711f5e7d2f9ef902766dfae5cbb5981f8fca05f7bce58f41957c79ba2cd76e9082eab50d885a7cfaffc6b4

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\HKRUN.exe
Filesize
500KB

MD5
91530bde7d5d48021cda6843314bb02d

SHA1
1053c2dd4bfac299e0dcc1cd0454c08870c38525

SHA256
5dbb40b456735ce7ec05034fc3e010fc8fd8599e973954f1320a59c5587a7ce3

SHA512
f344a561f3804edb478d6165123f72973c556064f2711f5e7d2f9ef902766dfae5cbb5981f8fca05f7bce58f41957c79ba2cd76e9082eab50d885a7cfaffc6b4

Download Submit
memory/1260-56-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1260-66-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1260-68-0x00000000004021DA-mapping.dmp

Download
memory/1260-62-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1260-72-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1260-59-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1260-77-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1260-57-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1360-70-0x0000000074440000-0x00000000749EB000-memory.dmp

Filesize
5.7MB

Download
memory/1360-54-0x0000000075831000-0x0000000075833000-memory.dmp

Filesize
8KB

Download
memory/1360-55-0x0000000074440000-0x00000000749EB000-memory.dmp

Filesize
5.7MB

Download
memory/1452-92-0x00000000004021DA-mapping.dmp

Download
memory/1452-98-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1528-75-0x0000000000000000-mapping.dmp

Download
memory/1528-95-0x00000000743F0000-0x000000007499B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads