netwire | 5cc870a54b9cf9f98ddfb7a7a574c41afe30205368c9665eeefea1652316a20c

General

Target

5cc870a54b9cf9f98ddfb7a7a574c41afe30205368c9665eeefea1652316a20c.exe
Size

1.8MB
MD5

52a4eba0459f9fed7d54a50790b85482
SHA1

091b583ad84dcac1b7d50ecb561186d091526428
SHA256

5cc870a54b9cf9f98ddfb7a7a574c41afe30205368c9665eeefea1652316a20c
SHA512

49c2d81910084b5c2144db45fe298357f4a93ff4c7158f853421d768aa0febc29fe848d4b884947eb162741bf9da0b1f14a94a04633b60644d44eb43c46a63d8

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Extracted

Family

netwire

C2

159.65.128.193:4445

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
nest1
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
ceVlGBjM
offline_keylogger
true
password
mysteh4445
registry_autorun
false
use_mutex
true

Signatures

NetWire RAT payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/944-71-0x0000000000402BCB-mapping.dmp	netwire
behavioral1/memory/944-70-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/944-75-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/944-76-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/944-77-0x0000000000400000-0x000000000042C000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 2 IoCs

Processes:

flies.exeflies.exe

pid process

956 flies.exe
944 flies.exe
Loads dropped DLL 3 IoCs

Processes:

WScript.exeflies.exe

pid process

1128 WScript.exe
1128 WScript.exe
956 flies.exe

pid	process
956	flies.exe
944	flies.exe

pid	process
1128	WScript.exe
1128	WScript.exe
956	flies.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Resettle = "C:\\Users\\Admin\\AppData\\Local\\Temp\\startup\\flies.vbs"	WScript.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

flies.exe

description pid process target process

PID 956 set thread context of 944 956 flies.exe flies.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

5cc870a54b9cf9f98ddfb7a7a574c41afe30205368c9665eeefea1652316a20c.exeflies.exe

pid process

2024 5cc870a54b9cf9f98ddfb7a7a574c41afe30205368c9665eeefea1652316a20c.exe
956 flies.exe

description	pid	process	target process
PID 956 set thread context of 944	956	flies.exe	flies.exe

pid	process
2024	5cc870a54b9cf9f98ddfb7a7a574c41afe30205368c9665eeefea1652316a20c.exe
956	flies.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

5cc870a54b9cf9f98ddfb7a7a574c41afe30205368c9665eeefea1652316a20c.exeWScript.exeflies.exe

description	pid	process	target process
PID 2024 wrote to memory of 1128	2024	5cc870a54b9cf9f98ddfb7a7a574c41afe30205368c9665eeefea1652316a20c.exe	WScript.exe
PID 2024 wrote to memory of 1128	2024	5cc870a54b9cf9f98ddfb7a7a574c41afe30205368c9665eeefea1652316a20c.exe	WScript.exe
PID 2024 wrote to memory of 1128	2024	5cc870a54b9cf9f98ddfb7a7a574c41afe30205368c9665eeefea1652316a20c.exe	WScript.exe
PID 2024 wrote to memory of 1128	2024	5cc870a54b9cf9f98ddfb7a7a574c41afe30205368c9665eeefea1652316a20c.exe	WScript.exe
PID 1128 wrote to memory of 956	1128	WScript.exe	flies.exe
PID 1128 wrote to memory of 956	1128	WScript.exe	flies.exe
PID 1128 wrote to memory of 956	1128	WScript.exe	flies.exe
PID 1128 wrote to memory of 956	1128	WScript.exe	flies.exe
PID 956 wrote to memory of 944	956	flies.exe	flies.exe
PID 956 wrote to memory of 944	956	flies.exe	flies.exe
PID 956 wrote to memory of 944	956	flies.exe	flies.exe
PID 956 wrote to memory of 944	956	flies.exe	flies.exe
PID 956 wrote to memory of 944	956	flies.exe	flies.exe
PID 956 wrote to memory of 944	956	flies.exe	flies.exe
PID 956 wrote to memory of 944	956	flies.exe	flies.exe
PID 956 wrote to memory of 944	956	flies.exe	flies.exe
PID 956 wrote to memory of 944	956	flies.exe	flies.exe
PID 956 wrote to memory of 944	956	flies.exe	flies.exe
PID 956 wrote to memory of 944	956	flies.exe	flies.exe
PID 956 wrote to memory of 944	956	flies.exe	flies.exe
PID 956 wrote to memory of 944	956	flies.exe	flies.exe

C:\Users\Admin\AppData\Local\Temp\5cc870a54b9cf9f98ddfb7a7a574c41afe30205368c9665eeefea1652316a20c.exe
"C:\Users\Admin\AppData\Local\Temp\5cc870a54b9cf9f98ddfb7a7a574c41afe30205368c9665eeefea1652316a20c.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2024

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\startup\flies.vbs"
2⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1128

C:\Users\Admin\AppData\Local\Temp\startup\flies.exe
"C:\Users\Admin\AppData\Local\Temp\startup\flies.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:956

C:\Users\Admin\AppData\Local\Temp\startup\flies.exe
"C:\Users\Admin\AppData\Local\Temp\startup\flies.exe"
4⤵
- Executes dropped EXE
PID:944

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\startup\flies.exe

Filesize
1.8MB

MD5
ebbe1485d69bf5a00ea21d1f4e41f45f

SHA1
84d67c5a3feefb2e66558af598b4da6bef3e18ab

SHA256
106ea56f8138f1dfbebb5b5e7e5e327e0b461383a8ac64de897e58ddb1878316

SHA512
8e19c7c2dcdd63a3d77f2724a4b01974a3b1212bb1e6329774463a15c60d9aa17644decace913394cf8b2c331c017bf1936bd086aa876d25526b3821ef29c636

Download Submit
C:\Users\Admin\AppData\Local\Temp\startup\flies.exe

Filesize
1.8MB

MD5
ebbe1485d69bf5a00ea21d1f4e41f45f

SHA1
84d67c5a3feefb2e66558af598b4da6bef3e18ab

SHA256
106ea56f8138f1dfbebb5b5e7e5e327e0b461383a8ac64de897e58ddb1878316

SHA512
8e19c7c2dcdd63a3d77f2724a4b01974a3b1212bb1e6329774463a15c60d9aa17644decace913394cf8b2c331c017bf1936bd086aa876d25526b3821ef29c636

Download Submit
C:\Users\Admin\AppData\Local\Temp\startup\flies.exe

Filesize
1.8MB

MD5
ebbe1485d69bf5a00ea21d1f4e41f45f

SHA1
84d67c5a3feefb2e66558af598b4da6bef3e18ab

SHA256
106ea56f8138f1dfbebb5b5e7e5e327e0b461383a8ac64de897e58ddb1878316

SHA512
8e19c7c2dcdd63a3d77f2724a4b01974a3b1212bb1e6329774463a15c60d9aa17644decace913394cf8b2c331c017bf1936bd086aa876d25526b3821ef29c636

Download Submit
C:\Users\Admin\AppData\Local\Temp\startup\flies.vbs

Filesize
1024B

MD5
89793f6f9e43e7084a57b2974ea7ec9d

SHA1
d22532ff2b3694d9cb4c4a726418a126e1df2650

SHA256
2d1e611db454cb03e67383f7e4c16f0e8b0889ac526e7c4cd837828a49fc7141

SHA512
4e954e265e07083a0632c9c9870044966287944956b8d4a93df73411a17262ac93f3c268720e62f85b231e3b87c81471d3c016deec3ba186b4b3ff13433060d9

Download Submit
\Users\Admin\AppData\Local\Temp\startup\flies.exe

Filesize
1.8MB

MD5
ebbe1485d69bf5a00ea21d1f4e41f45f

SHA1
84d67c5a3feefb2e66558af598b4da6bef3e18ab

SHA256
106ea56f8138f1dfbebb5b5e7e5e327e0b461383a8ac64de897e58ddb1878316

SHA512
8e19c7c2dcdd63a3d77f2724a4b01974a3b1212bb1e6329774463a15c60d9aa17644decace913394cf8b2c331c017bf1936bd086aa876d25526b3821ef29c636

Download Submit
\Users\Admin\AppData\Local\Temp\startup\flies.exe

Filesize
1.8MB

MD5
ebbe1485d69bf5a00ea21d1f4e41f45f

SHA1
84d67c5a3feefb2e66558af598b4da6bef3e18ab

SHA256
106ea56f8138f1dfbebb5b5e7e5e327e0b461383a8ac64de897e58ddb1878316

SHA512
8e19c7c2dcdd63a3d77f2724a4b01974a3b1212bb1e6329774463a15c60d9aa17644decace913394cf8b2c331c017bf1936bd086aa876d25526b3821ef29c636

Download Submit
\Users\Admin\AppData\Local\Temp\startup\flies.exe

Filesize
1.8MB

MD5
ebbe1485d69bf5a00ea21d1f4e41f45f

SHA1
84d67c5a3feefb2e66558af598b4da6bef3e18ab

SHA256
106ea56f8138f1dfbebb5b5e7e5e327e0b461383a8ac64de897e58ddb1878316

SHA512
8e19c7c2dcdd63a3d77f2724a4b01974a3b1212bb1e6329774463a15c60d9aa17644decace913394cf8b2c331c017bf1936bd086aa876d25526b3821ef29c636

Download Submit
memory/944-70-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/944-71-0x0000000000402BCB-mapping.dmp

Download
memory/944-75-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/944-76-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/944-77-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/956-64-0x0000000000000000-mapping.dmp

Download
memory/1128-58-0x0000000000000000-mapping.dmp

Download
memory/2024-57-0x0000000074FD1000-0x0000000074FD3000-memory.dmp

Filesize
8KB

Download
memory/2024-56-0x0000000000280000-0x0000000000286000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads