netwire | 30f0b1b4f04adbac7201528c1fa4a1e78f41e243b1da2332d57e662448282155

General

Target

91f5a7d8b8ba508f8e6999e7ddb8e902.exe
Size

749KB
MD5

91f5a7d8b8ba508f8e6999e7ddb8e902
SHA1

3aae5bd6075319c5ff54279c3d5ebfd9ec8d4c59
SHA256

30f0b1b4f04adbac7201528c1fa4a1e78f41e243b1da2332d57e662448282155
SHA512

0391ee953d85455365c110a537ddcdb40d9060ba630329f6c10eb012e78af2d16426367c496a013fdca00d01b2c044768bca6a7a7e9002caaa8d95cbb950da27

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

C2

37.0.14.206:3384

Attributes

activex_autorun
false
copy_executable
true
delete_original
false
host_id
HostId-%Rand%
install_path
%AppData%\Install\Host.exe
keylogger_dir
%AppData%\Logs\
lock_executable
true
offline_keylogger
true
password
Password234
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3280-144-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral2/memory/3280-146-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral2/memory/3280-147-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral2/memory/3148-175-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral2/memory/3148-177-0x0000000000400000-0x0000000000433000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 3 IoCs

Processes:

Host.exeHost.exeHost.exe

pid process

1392 Host.exe
1080 Host.exe
3148 Host.exe

pid	process
1392	Host.exe
1080	Host.exe
3148	Host.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

91f5a7d8b8ba508f8e6999e7ddb8e902.exe91f5a7d8b8ba508f8e6999e7ddb8e902.exeHost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Control Panel\International\Geo\Nation	91f5a7d8b8ba508f8e6999e7ddb8e902.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Control Panel\International\Geo\Nation	91f5a7d8b8ba508f8e6999e7ddb8e902.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Control Panel\International\Geo\Nation	Host.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

91f5a7d8b8ba508f8e6999e7ddb8e902.exeHost.exe

description	pid	process	target process
PID 4936 set thread context of 3280	4936	91f5a7d8b8ba508f8e6999e7ddb8e902.exe	91f5a7d8b8ba508f8e6999e7ddb8e902.exe
PID 1392 set thread context of 3148	1392	Host.exe	Host.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

176 schtasks.exe
1732 schtasks.exe

pid	process
176	schtasks.exe
1732	schtasks.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

Processes:

91f5a7d8b8ba508f8e6999e7ddb8e902.exepowershell.exeHost.exepowershell.exe

pid	process
4936	91f5a7d8b8ba508f8e6999e7ddb8e902.exe
4936	91f5a7d8b8ba508f8e6999e7ddb8e902.exe
4936	91f5a7d8b8ba508f8e6999e7ddb8e902.exe
4936	91f5a7d8b8ba508f8e6999e7ddb8e902.exe
4936	91f5a7d8b8ba508f8e6999e7ddb8e902.exe
4936	91f5a7d8b8ba508f8e6999e7ddb8e902.exe
4936	91f5a7d8b8ba508f8e6999e7ddb8e902.exe
4936	91f5a7d8b8ba508f8e6999e7ddb8e902.exe
4936	91f5a7d8b8ba508f8e6999e7ddb8e902.exe
4936	91f5a7d8b8ba508f8e6999e7ddb8e902.exe
4936	91f5a7d8b8ba508f8e6999e7ddb8e902.exe
4936	91f5a7d8b8ba508f8e6999e7ddb8e902.exe
4936	91f5a7d8b8ba508f8e6999e7ddb8e902.exe
3448	powershell.exe
3448	powershell.exe
1392	Host.exe
1392	Host.exe
1392	Host.exe
1748	powershell.exe
1392	Host.exe
1748	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

91f5a7d8b8ba508f8e6999e7ddb8e902.exepowershell.exeHost.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4936	91f5a7d8b8ba508f8e6999e7ddb8e902.exe
Token: SeDebugPrivilege	3448	powershell.exe
Token: SeDebugPrivilege	1392	Host.exe
Token: SeDebugPrivilege	1748	powershell.exe

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

91f5a7d8b8ba508f8e6999e7ddb8e902.exe91f5a7d8b8ba508f8e6999e7ddb8e902.exeHost.exe

description	pid	process	target process
PID 4936 wrote to memory of 3448	4936	91f5a7d8b8ba508f8e6999e7ddb8e902.exe	powershell.exe
PID 4936 wrote to memory of 3448	4936	91f5a7d8b8ba508f8e6999e7ddb8e902.exe	powershell.exe
PID 4936 wrote to memory of 3448	4936	91f5a7d8b8ba508f8e6999e7ddb8e902.exe	powershell.exe
PID 4936 wrote to memory of 176	4936	91f5a7d8b8ba508f8e6999e7ddb8e902.exe	schtasks.exe
PID 4936 wrote to memory of 176	4936	91f5a7d8b8ba508f8e6999e7ddb8e902.exe	schtasks.exe
PID 4936 wrote to memory of 176	4936	91f5a7d8b8ba508f8e6999e7ddb8e902.exe	schtasks.exe
PID 4936 wrote to memory of 3280	4936	91f5a7d8b8ba508f8e6999e7ddb8e902.exe	91f5a7d8b8ba508f8e6999e7ddb8e902.exe
PID 4936 wrote to memory of 3280	4936	91f5a7d8b8ba508f8e6999e7ddb8e902.exe	91f5a7d8b8ba508f8e6999e7ddb8e902.exe
PID 4936 wrote to memory of 3280	4936	91f5a7d8b8ba508f8e6999e7ddb8e902.exe	91f5a7d8b8ba508f8e6999e7ddb8e902.exe
PID 4936 wrote to memory of 3280	4936	91f5a7d8b8ba508f8e6999e7ddb8e902.exe	91f5a7d8b8ba508f8e6999e7ddb8e902.exe
PID 4936 wrote to memory of 3280	4936	91f5a7d8b8ba508f8e6999e7ddb8e902.exe	91f5a7d8b8ba508f8e6999e7ddb8e902.exe
PID 4936 wrote to memory of 3280	4936	91f5a7d8b8ba508f8e6999e7ddb8e902.exe	91f5a7d8b8ba508f8e6999e7ddb8e902.exe
PID 4936 wrote to memory of 3280	4936	91f5a7d8b8ba508f8e6999e7ddb8e902.exe	91f5a7d8b8ba508f8e6999e7ddb8e902.exe
PID 4936 wrote to memory of 3280	4936	91f5a7d8b8ba508f8e6999e7ddb8e902.exe	91f5a7d8b8ba508f8e6999e7ddb8e902.exe
PID 4936 wrote to memory of 3280	4936	91f5a7d8b8ba508f8e6999e7ddb8e902.exe	91f5a7d8b8ba508f8e6999e7ddb8e902.exe
PID 4936 wrote to memory of 3280	4936	91f5a7d8b8ba508f8e6999e7ddb8e902.exe	91f5a7d8b8ba508f8e6999e7ddb8e902.exe
PID 4936 wrote to memory of 3280	4936	91f5a7d8b8ba508f8e6999e7ddb8e902.exe	91f5a7d8b8ba508f8e6999e7ddb8e902.exe
PID 3280 wrote to memory of 1392	3280	91f5a7d8b8ba508f8e6999e7ddb8e902.exe	Host.exe
PID 3280 wrote to memory of 1392	3280	91f5a7d8b8ba508f8e6999e7ddb8e902.exe	Host.exe
PID 3280 wrote to memory of 1392	3280	91f5a7d8b8ba508f8e6999e7ddb8e902.exe	Host.exe
PID 1392 wrote to memory of 1748	1392	Host.exe	powershell.exe
PID 1392 wrote to memory of 1748	1392	Host.exe	powershell.exe
PID 1392 wrote to memory of 1748	1392	Host.exe	powershell.exe
PID 1392 wrote to memory of 1732	1392	Host.exe	schtasks.exe
PID 1392 wrote to memory of 1732	1392	Host.exe	schtasks.exe
PID 1392 wrote to memory of 1732	1392	Host.exe	schtasks.exe
PID 1392 wrote to memory of 1080	1392	Host.exe	Host.exe
PID 1392 wrote to memory of 1080	1392	Host.exe	Host.exe
PID 1392 wrote to memory of 1080	1392	Host.exe	Host.exe
PID 1392 wrote to memory of 3148	1392	Host.exe	Host.exe
PID 1392 wrote to memory of 3148	1392	Host.exe	Host.exe
PID 1392 wrote to memory of 3148	1392	Host.exe	Host.exe
PID 1392 wrote to memory of 3148	1392	Host.exe	Host.exe
PID 1392 wrote to memory of 3148	1392	Host.exe	Host.exe
PID 1392 wrote to memory of 3148	1392	Host.exe	Host.exe
PID 1392 wrote to memory of 3148	1392	Host.exe	Host.exe
PID 1392 wrote to memory of 3148	1392	Host.exe	Host.exe
PID 1392 wrote to memory of 3148	1392	Host.exe	Host.exe
PID 1392 wrote to memory of 3148	1392	Host.exe	Host.exe
PID 1392 wrote to memory of 3148	1392	Host.exe	Host.exe

C:\Users\Admin\AppData\Local\Temp\91f5a7d8b8ba508f8e6999e7ddb8e902.exe
"C:\Users\Admin\AppData\Local\Temp\91f5a7d8b8ba508f8e6999e7ddb8e902.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4936

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\fBPIygOi.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3448

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fBPIygOi" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5FCA.tmp"
2⤵
- Creates scheduled task(s)
PID:176

C:\Users\Admin\AppData\Local\Temp\91f5a7d8b8ba508f8e6999e7ddb8e902.exe
"C:\Users\Admin\AppData\Local\Temp\91f5a7d8b8ba508f8e6999e7ddb8e902.exe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3280

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1392

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\fBPIygOi.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1748

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fBPIygOi" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1E38.tmp"
4⤵
- Creates scheduled task(s)
PID:1732

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
4⤵
- Executes dropped EXE
PID:1080

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
4⤵
- Executes dropped EXE
PID:3148

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
d231193852c9481ec41aa0e16ab2be03

SHA1
3d9996acf1a821ddec4c7f235774c4a5e01bd10b

SHA256
e434574bac7e2f00935df92f73bbbc9874c4b416afc1fad532a1bd76c9f8e47d

SHA512
16c5502d41defd2dd144fea3968a11a6976fef0f9b09726e49a4374b57dc586fe88acdd50e131c5ebed5c7110875ad129f2bfc897fb05dd164a568624c1944e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1E38.tmp
Filesize
1KB

MD5
96dfea903d29c1335c58f779c54f61ef

SHA1
9a1587b5c93e63a6a96cf12ee8fd6c448853df44

SHA256
c610a1d428747ff0735b46a97207a305f6556bfcd5dd9d83e33c68fb55b5dad4

SHA512
b040b1014682b72fdc81a9847e0a87ad9192350768da4c75bf8496fe2b1fcaff1466e680482ace1332ecdebfa4d78ab425d302e04efc08b27e22a45bdbd7b23c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5FCA.tmp
Filesize
1KB

MD5
96dfea903d29c1335c58f779c54f61ef

SHA1
9a1587b5c93e63a6a96cf12ee8fd6c448853df44

SHA256
c610a1d428747ff0735b46a97207a305f6556bfcd5dd9d83e33c68fb55b5dad4

SHA512
b040b1014682b72fdc81a9847e0a87ad9192350768da4c75bf8496fe2b1fcaff1466e680482ace1332ecdebfa4d78ab425d302e04efc08b27e22a45bdbd7b23c

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
749KB

MD5
91f5a7d8b8ba508f8e6999e7ddb8e902

SHA1
3aae5bd6075319c5ff54279c3d5ebfd9ec8d4c59

SHA256
30f0b1b4f04adbac7201528c1fa4a1e78f41e243b1da2332d57e662448282155

SHA512
0391ee953d85455365c110a537ddcdb40d9060ba630329f6c10eb012e78af2d16426367c496a013fdca00d01b2c044768bca6a7a7e9002caaa8d95cbb950da27

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
749KB

MD5
91f5a7d8b8ba508f8e6999e7ddb8e902

SHA1
3aae5bd6075319c5ff54279c3d5ebfd9ec8d4c59

SHA256
30f0b1b4f04adbac7201528c1fa4a1e78f41e243b1da2332d57e662448282155

SHA512
0391ee953d85455365c110a537ddcdb40d9060ba630329f6c10eb012e78af2d16426367c496a013fdca00d01b2c044768bca6a7a7e9002caaa8d95cbb950da27

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
749KB

MD5
91f5a7d8b8ba508f8e6999e7ddb8e902

SHA1
3aae5bd6075319c5ff54279c3d5ebfd9ec8d4c59

SHA256
30f0b1b4f04adbac7201528c1fa4a1e78f41e243b1da2332d57e662448282155

SHA512
0391ee953d85455365c110a537ddcdb40d9060ba630329f6c10eb012e78af2d16426367c496a013fdca00d01b2c044768bca6a7a7e9002caaa8d95cbb950da27

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
749KB

MD5
91f5a7d8b8ba508f8e6999e7ddb8e902

SHA1
3aae5bd6075319c5ff54279c3d5ebfd9ec8d4c59

SHA256
30f0b1b4f04adbac7201528c1fa4a1e78f41e243b1da2332d57e662448282155

SHA512
0391ee953d85455365c110a537ddcdb40d9060ba630329f6c10eb012e78af2d16426367c496a013fdca00d01b2c044768bca6a7a7e9002caaa8d95cbb950da27

Download Submit
memory/176-140-0x0000000000000000-mapping.dmp

Download
memory/1080-169-0x0000000000000000-mapping.dmp

Download
memory/1392-149-0x0000000000000000-mapping.dmp

Download
memory/1732-166-0x0000000000000000-mapping.dmp

Download
memory/1748-165-0x0000000000000000-mapping.dmp

Download
memory/1748-178-0x0000000071A40000-0x0000000071A8C000-memory.dmp

Filesize
304KB

Download
memory/3148-171-0x0000000000000000-mapping.dmp

Download
memory/3148-175-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3148-177-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3280-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3280-146-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3280-143-0x0000000000000000-mapping.dmp

Download
memory/3280-147-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3448-154-0x0000000006810000-0x000000000682E000-memory.dmp

Filesize
120KB

Download
memory/3448-139-0x0000000000000000-mapping.dmp

Download
memory/3448-157-0x0000000006D80000-0x0000000006D9E000-memory.dmp

Filesize
120KB

Download
memory/3448-158-0x0000000008100000-0x000000000877A000-memory.dmp

Filesize
6.5MB

Download
memory/3448-159-0x0000000007AB0000-0x0000000007ACA000-memory.dmp

Filesize
104KB

Download
memory/3448-160-0x0000000007B20000-0x0000000007B2A000-memory.dmp

Filesize
40KB

Download
memory/3448-161-0x0000000007DB0000-0x0000000007E46000-memory.dmp

Filesize
600KB

Download
memory/3448-162-0x0000000007D60000-0x0000000007D6E000-memory.dmp

Filesize
56KB

Download
memory/3448-163-0x0000000007E70000-0x0000000007E8A000-memory.dmp

Filesize
104KB

Download
memory/3448-164-0x0000000007E50000-0x0000000007E58000-memory.dmp

Filesize
32KB

Download
memory/3448-155-0x0000000006D40000-0x0000000006D72000-memory.dmp

Filesize
200KB

Download
memory/3448-156-0x0000000070A60000-0x0000000070AAC000-memory.dmp

Filesize
304KB

Download
memory/3448-153-0x0000000005770000-0x00000000057D6000-memory.dmp

Filesize
408KB

Download
memory/3448-152-0x00000000056D0000-0x00000000056F2000-memory.dmp

Filesize
136KB

Download
memory/3448-148-0x0000000005880000-0x0000000005EA8000-memory.dmp

Filesize
6.2MB

Download
memory/3448-141-0x0000000005210000-0x0000000005246000-memory.dmp

Filesize
216KB

Download
memory/4936-133-0x0000000000B00000-0x0000000000BC2000-memory.dmp

Filesize
776KB

Download
memory/4936-138-0x000000000BA90000-0x000000000BAF6000-memory.dmp

Filesize
408KB

Download
memory/4936-137-0x000000000B9F0000-0x000000000BA8C000-memory.dmp

Filesize
624KB

Download
memory/4936-136-0x0000000005700000-0x000000000570A000-memory.dmp

Filesize
40KB

Download
memory/4936-135-0x00000000055C0000-0x0000000005652000-memory.dmp

Filesize
584KB

Download
memory/4936-134-0x0000000005AD0000-0x0000000006074000-memory.dmp

Filesize
5.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads