netwire | 5b5c82b3faef7808ecfe08bd812f954b0d45fb01688a8845eead0441be4db99a

General

Target

5b5c82b3faef7808ecfe08bd812f954b0d45fb01688a8845eead0441be4db99a.exe
Size

1.2MB
MD5

c7a0eff85efeba1d7252a46354df797a
SHA1

872b3376aa40a05da2289f5d8078aec1364bdff3
SHA256

5b5c82b3faef7808ecfe08bd812f954b0d45fb01688a8845eead0441be4db99a
SHA512

2e4bafa9ec7c05ab1b143802e8f413439036341e886d4c836c84936f3bc7772ed9a8833c747450a12fa4f673be029c370d1bfcdb479b7e0dfef74c1778577ca2

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

C2

manuel3.publicvm.com:3366

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
Mine Netwire
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
TbSYfUnj
offline_keylogger
true
password
Password
registry_autorun
false
use_mutex
true

Signatures

NetWire RAT payload 6 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2300-135-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/2300-137-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/2300-138-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/2300-139-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/2300-143-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/2300-144-0x0000000000400000-0x000000000042C000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5b5c82b3faef7808ecfe08bd812f954b0d45fb01688a8845eead0441be4db99a.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation	5b5c82b3faef7808ecfe08bd812f954b0d45fb01688a8845eead0441be4db99a.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

5b5c82b3faef7808ecfe08bd812f954b0d45fb01688a8845eead0441be4db99a.exe

description	pid	process	target process
PID 976 set thread context of 2300	976	5b5c82b3faef7808ecfe08bd812f954b0d45fb01688a8845eead0441be4db99a.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4836 schtasks.exe

pid	process
4836	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

5b5c82b3faef7808ecfe08bd812f954b0d45fb01688a8845eead0441be4db99a.exe

pid	process
976	5b5c82b3faef7808ecfe08bd812f954b0d45fb01688a8845eead0441be4db99a.exe
976	5b5c82b3faef7808ecfe08bd812f954b0d45fb01688a8845eead0441be4db99a.exe
976	5b5c82b3faef7808ecfe08bd812f954b0d45fb01688a8845eead0441be4db99a.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

5b5c82b3faef7808ecfe08bd812f954b0d45fb01688a8845eead0441be4db99a.exe

description pid process

Token: SeDebugPrivilege 976 5b5c82b3faef7808ecfe08bd812f954b0d45fb01688a8845eead0441be4db99a.exe

description	pid	process
Token: SeDebugPrivilege	976	5b5c82b3faef7808ecfe08bd812f954b0d45fb01688a8845eead0441be4db99a.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

5b5c82b3faef7808ecfe08bd812f954b0d45fb01688a8845eead0441be4db99a.exe

description	pid	process	target process
PID 976 wrote to memory of 4836	976	5b5c82b3faef7808ecfe08bd812f954b0d45fb01688a8845eead0441be4db99a.exe	schtasks.exe
PID 976 wrote to memory of 4836	976	5b5c82b3faef7808ecfe08bd812f954b0d45fb01688a8845eead0441be4db99a.exe	schtasks.exe
PID 976 wrote to memory of 4836	976	5b5c82b3faef7808ecfe08bd812f954b0d45fb01688a8845eead0441be4db99a.exe	schtasks.exe
PID 976 wrote to memory of 2300	976	5b5c82b3faef7808ecfe08bd812f954b0d45fb01688a8845eead0441be4db99a.exe	svchost.exe
PID 976 wrote to memory of 2300	976	5b5c82b3faef7808ecfe08bd812f954b0d45fb01688a8845eead0441be4db99a.exe	svchost.exe
PID 976 wrote to memory of 2300	976	5b5c82b3faef7808ecfe08bd812f954b0d45fb01688a8845eead0441be4db99a.exe	svchost.exe
PID 976 wrote to memory of 2300	976	5b5c82b3faef7808ecfe08bd812f954b0d45fb01688a8845eead0441be4db99a.exe	svchost.exe
PID 976 wrote to memory of 2300	976	5b5c82b3faef7808ecfe08bd812f954b0d45fb01688a8845eead0441be4db99a.exe	svchost.exe
PID 976 wrote to memory of 2300	976	5b5c82b3faef7808ecfe08bd812f954b0d45fb01688a8845eead0441be4db99a.exe	svchost.exe
PID 976 wrote to memory of 2300	976	5b5c82b3faef7808ecfe08bd812f954b0d45fb01688a8845eead0441be4db99a.exe	svchost.exe
PID 976 wrote to memory of 2300	976	5b5c82b3faef7808ecfe08bd812f954b0d45fb01688a8845eead0441be4db99a.exe	svchost.exe
PID 976 wrote to memory of 2300	976	5b5c82b3faef7808ecfe08bd812f954b0d45fb01688a8845eead0441be4db99a.exe	svchost.exe
PID 976 wrote to memory of 2300	976	5b5c82b3faef7808ecfe08bd812f954b0d45fb01688a8845eead0441be4db99a.exe	svchost.exe
PID 976 wrote to memory of 2300	976	5b5c82b3faef7808ecfe08bd812f954b0d45fb01688a8845eead0441be4db99a.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\5b5c82b3faef7808ecfe08bd812f954b0d45fb01688a8845eead0441be4db99a.exe
"C:\Users\Admin\AppData\Local\Temp\5b5c82b3faef7808ecfe08bd812f954b0d45fb01688a8845eead0441be4db99a.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:976

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "XRKQQIT\XRKQQIT" /XML "C:\Users\Admin\AppData\Roaming\XRKQQIT\aiiiii.xml"
2⤵
- Creates scheduled task(s)
PID:4836

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\System32\svchost.exe"
2⤵
PID:2300

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\XRKQQIT\aiiiii.xml
Filesize
1KB

MD5
963b83d73d268b974534f60062d75e2d

SHA1
c1cd46ebb3a50b288194ef7f3b8d5d798ca19030

SHA256
8e4ef251f5a658bde4e57ba2a0659624d55d3b54abc592f57849970e8a388b7c

SHA512
7238420c65a2db2a998d28c730e7e3c8831fac357654ca6584963ce442da6a838f9b5f49bf0e1ec9d1e3224ea2a2466a1f989066fedb1dd31e25a2954b481485

Download Submit
memory/976-130-0x0000000074D40000-0x00000000752F1000-memory.dmp

Filesize
5.7MB

Download
memory/976-142-0x0000000074D40000-0x00000000752F1000-memory.dmp

Filesize
5.7MB

Download
memory/2300-133-0x0000000000000000-mapping.dmp

Download
memory/2300-134-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2300-135-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2300-137-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2300-138-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2300-139-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2300-143-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2300-144-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4836-131-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads