netwire | e5728e656e7e9ecab8239e0516dfc115894e8c2a616148be12eaf3b2ce9fe09b

General

Target

e5728e656e7e9ecab8239e0516dfc115894e8c2a616148be12eaf3b2ce9fe09b.exe
Size

612KB
MD5

55a78affac8a3608c214ce7c01069330
SHA1

fe6ffd66247cd7db7a8b309e3d691b89ccd4b35a
SHA256

e5728e656e7e9ecab8239e0516dfc115894e8c2a616148be12eaf3b2ce9fe09b
SHA512

c0047313e5a1a866686685113569cef12d7c05a029fc5fb09ca24d74378e1b310993217debb1d7357282d032cf11bda7f95b08b2d04c778808ae91db6c62d09b

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Extracted

Family

netwire

C2

79.134.225.120:8765

Attributes

activex_autorun
true
activex_key
{L501JP3X-C6PC-RH36-475X-RS2C2OQHHGS0}
copy_executable
true
delete_original
false
host_id
HostId-%Rand%
install_path
%AppData%\Install\Host.exe
lock_executable
false
offline_keylogger
false
password
Password
registry_autorun
true
startup_name
windows
use_mutex
false

Signatures

NetWire RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4908-138-0x0000000000400000-0x000000000049A000-memory.dmp	netwire
behavioral2/memory/4908-139-0x0000000000400000-0x000000000042C000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 2 IoCs

Processes:

Host.exeHost.exe

pid process

1808 Host.exe
3904 Host.exe

pid	process
1808	Host.exe
3904	Host.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Host.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{L501JP3X-C6PC-RH36-475X-RS2C2OQHHGS0}	Host.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{L501JP3X-C6PC-RH36-475X-RS2C2OQHHGS0}\StubPath = "\"C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe\""	Host.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Host.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	Host.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows = "C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe"	Host.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

Processes:

e5728e656e7e9ecab8239e0516dfc115894e8c2a616148be12eaf3b2ce9fe09b.exee5728e656e7e9ecab8239e0516dfc115894e8c2a616148be12eaf3b2ce9fe09b.exeHost.exeHost.exe

pid	process
4740	e5728e656e7e9ecab8239e0516dfc115894e8c2a616148be12eaf3b2ce9fe09b.exe
4908	e5728e656e7e9ecab8239e0516dfc115894e8c2a616148be12eaf3b2ce9fe09b.exe
4908	e5728e656e7e9ecab8239e0516dfc115894e8c2a616148be12eaf3b2ce9fe09b.exe
1808	Host.exe
3904	Host.exe
3904	Host.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

e5728e656e7e9ecab8239e0516dfc115894e8c2a616148be12eaf3b2ce9fe09b.exeHost.exe

description	pid	process	target process
PID 4740 set thread context of 4908	4740	e5728e656e7e9ecab8239e0516dfc115894e8c2a616148be12eaf3b2ce9fe09b.exe	e5728e656e7e9ecab8239e0516dfc115894e8c2a616148be12eaf3b2ce9fe09b.exe
PID 1808 set thread context of 3904	1808	Host.exe	Host.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

e5728e656e7e9ecab8239e0516dfc115894e8c2a616148be12eaf3b2ce9fe09b.exeHost.exe

pid process

4740 e5728e656e7e9ecab8239e0516dfc115894e8c2a616148be12eaf3b2ce9fe09b.exe
1808 Host.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

e5728e656e7e9ecab8239e0516dfc115894e8c2a616148be12eaf3b2ce9fe09b.exee5728e656e7e9ecab8239e0516dfc115894e8c2a616148be12eaf3b2ce9fe09b.exeHost.exe

description	pid	process	target process
PID 4740 wrote to memory of 4908	4740	e5728e656e7e9ecab8239e0516dfc115894e8c2a616148be12eaf3b2ce9fe09b.exe	e5728e656e7e9ecab8239e0516dfc115894e8c2a616148be12eaf3b2ce9fe09b.exe
PID 4740 wrote to memory of 4908	4740	e5728e656e7e9ecab8239e0516dfc115894e8c2a616148be12eaf3b2ce9fe09b.exe	e5728e656e7e9ecab8239e0516dfc115894e8c2a616148be12eaf3b2ce9fe09b.exe
PID 4740 wrote to memory of 4908	4740	e5728e656e7e9ecab8239e0516dfc115894e8c2a616148be12eaf3b2ce9fe09b.exe	e5728e656e7e9ecab8239e0516dfc115894e8c2a616148be12eaf3b2ce9fe09b.exe
PID 4908 wrote to memory of 1808	4908	e5728e656e7e9ecab8239e0516dfc115894e8c2a616148be12eaf3b2ce9fe09b.exe	Host.exe
PID 4908 wrote to memory of 1808	4908	e5728e656e7e9ecab8239e0516dfc115894e8c2a616148be12eaf3b2ce9fe09b.exe	Host.exe
PID 4908 wrote to memory of 1808	4908	e5728e656e7e9ecab8239e0516dfc115894e8c2a616148be12eaf3b2ce9fe09b.exe	Host.exe
PID 1808 wrote to memory of 3904	1808	Host.exe	Host.exe
PID 1808 wrote to memory of 3904	1808	Host.exe	Host.exe
PID 1808 wrote to memory of 3904	1808	Host.exe	Host.exe

C:\Users\Admin\AppData\Local\Temp\e5728e656e7e9ecab8239e0516dfc115894e8c2a616148be12eaf3b2ce9fe09b.exe
"C:\Users\Admin\AppData\Local\Temp\e5728e656e7e9ecab8239e0516dfc115894e8c2a616148be12eaf3b2ce9fe09b.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4740

C:\Users\Admin\AppData\Local\Temp\e5728e656e7e9ecab8239e0516dfc115894e8c2a616148be12eaf3b2ce9fe09b.exe
"C:\Users\Admin\AppData\Local\Temp\e5728e656e7e9ecab8239e0516dfc115894e8c2a616148be12eaf3b2ce9fe09b.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:4908

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1808

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
4⤵
- Executes dropped EXE
- Modifies Installed Components in the registry
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3904

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
612KB

MD5
55a78affac8a3608c214ce7c01069330

SHA1
fe6ffd66247cd7db7a8b309e3d691b89ccd4b35a

SHA256
e5728e656e7e9ecab8239e0516dfc115894e8c2a616148be12eaf3b2ce9fe09b

SHA512
c0047313e5a1a866686685113569cef12d7c05a029fc5fb09ca24d74378e1b310993217debb1d7357282d032cf11bda7f95b08b2d04c778808ae91db6c62d09b

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
612KB

MD5
55a78affac8a3608c214ce7c01069330

SHA1
fe6ffd66247cd7db7a8b309e3d691b89ccd4b35a

SHA256
e5728e656e7e9ecab8239e0516dfc115894e8c2a616148be12eaf3b2ce9fe09b

SHA512
c0047313e5a1a866686685113569cef12d7c05a029fc5fb09ca24d74378e1b310993217debb1d7357282d032cf11bda7f95b08b2d04c778808ae91db6c62d09b

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
612KB

MD5
55a78affac8a3608c214ce7c01069330

SHA1
fe6ffd66247cd7db7a8b309e3d691b89ccd4b35a

SHA256
e5728e656e7e9ecab8239e0516dfc115894e8c2a616148be12eaf3b2ce9fe09b

SHA512
c0047313e5a1a866686685113569cef12d7c05a029fc5fb09ca24d74378e1b310993217debb1d7357282d032cf11bda7f95b08b2d04c778808ae91db6c62d09b

Download Submit
memory/1808-154-0x0000000077760000-0x0000000077903000-memory.dmp

Filesize
1.6MB

Download
memory/1808-145-0x0000000000000000-mapping.dmp

Download
memory/1808-158-0x0000000077760000-0x0000000077903000-memory.dmp

Filesize
1.6MB

Download
memory/1808-157-0x00000000020E0000-0x00000000020EF000-memory.dmp

Filesize
60KB

Download
memory/1808-153-0x00007FF90AD50000-0x00007FF90AF45000-memory.dmp

Filesize
2.0MB

Download
memory/3904-155-0x0000000000000000-mapping.dmp

Download
memory/3904-168-0x00000000005B0000-0x00000000005BF000-memory.dmp

Filesize
60KB

Download
memory/3904-167-0x0000000077760000-0x0000000077903000-memory.dmp

Filesize
1.6MB

Download
memory/3904-166-0x00007FF90AD50000-0x00007FF90AF45000-memory.dmp

Filesize
2.0MB

Download
memory/4740-133-0x00007FF90AD50000-0x00007FF90AF45000-memory.dmp

Filesize
2.0MB

Download
memory/4740-134-0x0000000077760000-0x0000000077903000-memory.dmp

Filesize
1.6MB

Download
memory/4740-137-0x0000000077760000-0x0000000077903000-memory.dmp

Filesize
1.6MB

Download
memory/4740-132-0x00000000006A0000-0x00000000006AF000-memory.dmp

Filesize
60KB

Download
memory/4740-136-0x00000000006A0000-0x00000000006AF000-memory.dmp

Filesize
60KB

Download
memory/4908-149-0x00007FF90AD50000-0x00007FF90AF45000-memory.dmp

Filesize
2.0MB

Download
memory/4908-138-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/4908-139-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4908-151-0x0000000077760000-0x0000000077903000-memory.dmp

Filesize
1.6MB

Download
memory/4908-135-0x0000000000000000-mapping.dmp

Download
memory/4908-148-0x00000000004E0000-0x00000000004EF000-memory.dmp

Filesize
60KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads