netwire | 5b3692b40de137cd31116d42ed879e98ffce063ad118c88e83e0eb8eeda720a7

General

Target

5b3692b40de137cd31116d42ed879e98ffce063ad118c88e83e0eb8eeda720a7.exe
Size

539KB
MD5

b7e3a34777762e23320ac86a0dc0e13d
SHA1

144e81a97b40bdd0c084d2bdb3de2f1b8cecc597
SHA256

5b3692b40de137cd31116d42ed879e98ffce063ad118c88e83e0eb8eeda720a7
SHA512

8b3d4f147115386d6b49c4858a17bf11558b3302ee86fc98033c8a886dd295bdfe8fdd2d064c5856309c3466e9656e19452cc5487a10d4fdf4ef1ce285c0f67a

Score

10^/10

netwire botnet rat stealer

Malware Config

Signatures

NetWire RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4644-136-0x0000000000400000-0x000000000042B000-memory.dmp	netwire
behavioral2/memory/4632-137-0x0000000000400000-0x000000000042B000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 2 IoCs

Processes:

Host.exeHost.exe

pid process

5052 Host.exe
5036 Host.exe

pid	process
5052	Host.exe
5036	Host.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RegAsm.exeRegAsm.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation	RegAsm.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

5b3692b40de137cd31116d42ed879e98ffce063ad118c88e83e0eb8eeda720a7.exe

description	pid	process	target process
PID 4684 set thread context of 4644	4684	5b3692b40de137cd31116d42ed879e98ffce063ad118c88e83e0eb8eeda720a7.exe	RegAsm.exe
PID 4684 set thread context of 4632	4684	5b3692b40de137cd31116d42ed879e98ffce063ad118c88e83e0eb8eeda720a7.exe	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

5b3692b40de137cd31116d42ed879e98ffce063ad118c88e83e0eb8eeda720a7.exe

pid	process
4684	5b3692b40de137cd31116d42ed879e98ffce063ad118c88e83e0eb8eeda720a7.exe
4684	5b3692b40de137cd31116d42ed879e98ffce063ad118c88e83e0eb8eeda720a7.exe
4684	5b3692b40de137cd31116d42ed879e98ffce063ad118c88e83e0eb8eeda720a7.exe
4684	5b3692b40de137cd31116d42ed879e98ffce063ad118c88e83e0eb8eeda720a7.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

5b3692b40de137cd31116d42ed879e98ffce063ad118c88e83e0eb8eeda720a7.exeRegAsm.exeRegAsm.exe

description	pid	process	target process
PID 4684 wrote to memory of 4632	4684	5b3692b40de137cd31116d42ed879e98ffce063ad118c88e83e0eb8eeda720a7.exe	RegAsm.exe
PID 4684 wrote to memory of 4632	4684	5b3692b40de137cd31116d42ed879e98ffce063ad118c88e83e0eb8eeda720a7.exe	RegAsm.exe
PID 4684 wrote to memory of 4632	4684	5b3692b40de137cd31116d42ed879e98ffce063ad118c88e83e0eb8eeda720a7.exe	RegAsm.exe
PID 4684 wrote to memory of 4624	4684	5b3692b40de137cd31116d42ed879e98ffce063ad118c88e83e0eb8eeda720a7.exe	RegAsm.exe
PID 4684 wrote to memory of 4624	4684	5b3692b40de137cd31116d42ed879e98ffce063ad118c88e83e0eb8eeda720a7.exe	RegAsm.exe
PID 4684 wrote to memory of 4624	4684	5b3692b40de137cd31116d42ed879e98ffce063ad118c88e83e0eb8eeda720a7.exe	RegAsm.exe
PID 4684 wrote to memory of 4632	4684	5b3692b40de137cd31116d42ed879e98ffce063ad118c88e83e0eb8eeda720a7.exe	RegAsm.exe
PID 4684 wrote to memory of 4616	4684	5b3692b40de137cd31116d42ed879e98ffce063ad118c88e83e0eb8eeda720a7.exe	RegAsm.exe
PID 4684 wrote to memory of 4616	4684	5b3692b40de137cd31116d42ed879e98ffce063ad118c88e83e0eb8eeda720a7.exe	RegAsm.exe
PID 4684 wrote to memory of 4616	4684	5b3692b40de137cd31116d42ed879e98ffce063ad118c88e83e0eb8eeda720a7.exe	RegAsm.exe
PID 4684 wrote to memory of 4644	4684	5b3692b40de137cd31116d42ed879e98ffce063ad118c88e83e0eb8eeda720a7.exe	RegAsm.exe
PID 4684 wrote to memory of 4644	4684	5b3692b40de137cd31116d42ed879e98ffce063ad118c88e83e0eb8eeda720a7.exe	RegAsm.exe
PID 4684 wrote to memory of 4644	4684	5b3692b40de137cd31116d42ed879e98ffce063ad118c88e83e0eb8eeda720a7.exe	RegAsm.exe
PID 4684 wrote to memory of 4644	4684	5b3692b40de137cd31116d42ed879e98ffce063ad118c88e83e0eb8eeda720a7.exe	RegAsm.exe
PID 4644 wrote to memory of 5036	4644	RegAsm.exe	Host.exe
PID 4644 wrote to memory of 5036	4644	RegAsm.exe	Host.exe
PID 4644 wrote to memory of 5036	4644	RegAsm.exe	Host.exe
PID 4632 wrote to memory of 5052	4632	RegAsm.exe	Host.exe
PID 4632 wrote to memory of 5052	4632	RegAsm.exe	Host.exe
PID 4632 wrote to memory of 5052	4632	RegAsm.exe	Host.exe

C:\Users\Admin\AppData\Local\Temp\5b3692b40de137cd31116d42ed879e98ffce063ad118c88e83e0eb8eeda720a7.exe
"C:\Users\Admin\AppData\Local\Temp\5b3692b40de137cd31116d42ed879e98ffce063ad118c88e83e0eb8eeda720a7.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4684

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:4624

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4632

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
3⤵
- Executes dropped EXE
PID:5052

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4644

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
3⤵
- Executes dropped EXE
PID:5036

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:4616

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Host.exe.log
Filesize
42B

MD5
84cfdb4b995b1dbf543b26b86c863adc

SHA1
d2f47764908bf30036cf8248b9ff5541e2711fa2

SHA256
d8988d672d6915b46946b28c06ad8066c50041f6152a91d37ffa5cf129cc146b

SHA512
485f0ed45e13f00a93762cbf15b4b8f996553baa021152fae5aba051e3736bcd3ca8f4328f0e6d9e3e1f910c96c4a9ae055331123ee08e3c2ce3a99ac2e177ce

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
63KB

MD5
0d5df43af2916f47d00c1573797c1a13

SHA1
230ab5559e806574d26b4c20847c368ed55483b0

SHA256
c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc

SHA512
f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
63KB

MD5
0d5df43af2916f47d00c1573797c1a13

SHA1
230ab5559e806574d26b4c20847c368ed55483b0

SHA256
c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc

SHA512
f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
63KB

MD5
0d5df43af2916f47d00c1573797c1a13

SHA1
230ab5559e806574d26b4c20847c368ed55483b0

SHA256
c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc

SHA512
f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
63KB

MD5
0d5df43af2916f47d00c1573797c1a13

SHA1
230ab5559e806574d26b4c20847c368ed55483b0

SHA256
c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc

SHA512
f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

Download Submit
memory/4632-137-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4632-133-0x0000000000000000-mapping.dmp

Download
memory/4644-136-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4644-132-0x0000000000000000-mapping.dmp

Download
memory/4684-130-0x0000000000660000-0x00000000006EC000-memory.dmp

Filesize
560KB

Download
memory/4684-134-0x0000000005270000-0x0000000005273000-memory.dmp

Filesize
12KB

Download
memory/4684-131-0x00000000050A0000-0x0000000005132000-memory.dmp

Filesize
584KB

Download
memory/5036-139-0x0000000000000000-mapping.dmp

Download
memory/5052-140-0x0000000000000000-mapping.dmp

Download
memory/5052-143-0x0000000000D60000-0x0000000000D72000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads