netwire | 1f713a60d7e4ef5df7e03ca7f234b2e667a75174cb4ea93b5e660ac8b95f04eb

General

Target

1f713a60d7e4ef5df7e03ca7f234b2e667a75174cb4ea93b5e660ac8b95f04eb.exe
Size

601KB
MD5

45f82dff24280cccc9774b376f510e76
SHA1

3ba15ca46399bd89a5cbc495eca707fe73d8161a
SHA256

1f713a60d7e4ef5df7e03ca7f234b2e667a75174cb4ea93b5e660ac8b95f04eb
SHA512

0fe77d88b0b3c36efc4e8e7c53e7696966e6dbca9d376df054f00e283e115accedfdb968364f0aed1835babee49a704b1d62a1621c03900990e50e7557f0574d
SSDEEP

12288:ZGSutAqBePSVM+qryqETBtFBp0gDfYEWhOM95p414sy:ZGSuAqBZZqyqEvFk2YE2OM9fK4s

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

C2

sani990.duckdns.org:5631

admin96.hopto.org:5631

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
THE SAINT
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
hPSXRboY
offline_keylogger
true
password
teamoluwa1
registry_autorun
false
use_mutex
true

Signatures

NetWire RAT payload 9 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1148-72-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/1148-73-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/1148-74-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/1148-76-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/1148-77-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/1148-78-0x000000000040242D-mapping.dmp	netwire
behavioral1/memory/1148-81-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/1148-84-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/1148-85-0x0000000000400000-0x0000000000433000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Suspicious use of SetThreadContext 1 IoCs

Processes:

1f713a60d7e4ef5df7e03ca7f234b2e667a75174cb4ea93b5e660ac8b95f04eb.exe

description	pid	process	target process
PID 1960 set thread context of 1148	1960	1f713a60d7e4ef5df7e03ca7f234b2e667a75174cb4ea93b5e660ac8b95f04eb.exe	1f713a60d7e4ef5df7e03ca7f234b2e667a75174cb4ea93b5e660ac8b95f04eb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1296 schtasks.exe

pid	process
1296	schtasks.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

Processes:

1f713a60d7e4ef5df7e03ca7f234b2e667a75174cb4ea93b5e660ac8b95f04eb.exepowershell.exepowershell.exe

pid	process
1960	1f713a60d7e4ef5df7e03ca7f234b2e667a75174cb4ea93b5e660ac8b95f04eb.exe
1960	1f713a60d7e4ef5df7e03ca7f234b2e667a75174cb4ea93b5e660ac8b95f04eb.exe
1960	1f713a60d7e4ef5df7e03ca7f234b2e667a75174cb4ea93b5e660ac8b95f04eb.exe
1960	1f713a60d7e4ef5df7e03ca7f234b2e667a75174cb4ea93b5e660ac8b95f04eb.exe
1960	1f713a60d7e4ef5df7e03ca7f234b2e667a75174cb4ea93b5e660ac8b95f04eb.exe
1960	1f713a60d7e4ef5df7e03ca7f234b2e667a75174cb4ea93b5e660ac8b95f04eb.exe
1960	1f713a60d7e4ef5df7e03ca7f234b2e667a75174cb4ea93b5e660ac8b95f04eb.exe
1960	1f713a60d7e4ef5df7e03ca7f234b2e667a75174cb4ea93b5e660ac8b95f04eb.exe
1960	1f713a60d7e4ef5df7e03ca7f234b2e667a75174cb4ea93b5e660ac8b95f04eb.exe
1960	1f713a60d7e4ef5df7e03ca7f234b2e667a75174cb4ea93b5e660ac8b95f04eb.exe
1960	1f713a60d7e4ef5df7e03ca7f234b2e667a75174cb4ea93b5e660ac8b95f04eb.exe
1960	1f713a60d7e4ef5df7e03ca7f234b2e667a75174cb4ea93b5e660ac8b95f04eb.exe
1960	1f713a60d7e4ef5df7e03ca7f234b2e667a75174cb4ea93b5e660ac8b95f04eb.exe
1960	1f713a60d7e4ef5df7e03ca7f234b2e667a75174cb4ea93b5e660ac8b95f04eb.exe
1960	1f713a60d7e4ef5df7e03ca7f234b2e667a75174cb4ea93b5e660ac8b95f04eb.exe
1676	powershell.exe
1684	powershell.exe
1960	1f713a60d7e4ef5df7e03ca7f234b2e667a75174cb4ea93b5e660ac8b95f04eb.exe
1960	1f713a60d7e4ef5df7e03ca7f234b2e667a75174cb4ea93b5e660ac8b95f04eb.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

1f713a60d7e4ef5df7e03ca7f234b2e667a75174cb4ea93b5e660ac8b95f04eb.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1960	1f713a60d7e4ef5df7e03ca7f234b2e667a75174cb4ea93b5e660ac8b95f04eb.exe
Token: SeDebugPrivilege	1676	powershell.exe
Token: SeDebugPrivilege	1684	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

1f713a60d7e4ef5df7e03ca7f234b2e667a75174cb4ea93b5e660ac8b95f04eb.exe

description	pid	process	target process
PID 1960 wrote to memory of 1684	1960	1f713a60d7e4ef5df7e03ca7f234b2e667a75174cb4ea93b5e660ac8b95f04eb.exe	powershell.exe
PID 1960 wrote to memory of 1684	1960	1f713a60d7e4ef5df7e03ca7f234b2e667a75174cb4ea93b5e660ac8b95f04eb.exe	powershell.exe
PID 1960 wrote to memory of 1684	1960	1f713a60d7e4ef5df7e03ca7f234b2e667a75174cb4ea93b5e660ac8b95f04eb.exe	powershell.exe
PID 1960 wrote to memory of 1684	1960	1f713a60d7e4ef5df7e03ca7f234b2e667a75174cb4ea93b5e660ac8b95f04eb.exe	powershell.exe
PID 1960 wrote to memory of 1676	1960	1f713a60d7e4ef5df7e03ca7f234b2e667a75174cb4ea93b5e660ac8b95f04eb.exe	powershell.exe
PID 1960 wrote to memory of 1676	1960	1f713a60d7e4ef5df7e03ca7f234b2e667a75174cb4ea93b5e660ac8b95f04eb.exe	powershell.exe
PID 1960 wrote to memory of 1676	1960	1f713a60d7e4ef5df7e03ca7f234b2e667a75174cb4ea93b5e660ac8b95f04eb.exe	powershell.exe
PID 1960 wrote to memory of 1676	1960	1f713a60d7e4ef5df7e03ca7f234b2e667a75174cb4ea93b5e660ac8b95f04eb.exe	powershell.exe
PID 1960 wrote to memory of 1296	1960	1f713a60d7e4ef5df7e03ca7f234b2e667a75174cb4ea93b5e660ac8b95f04eb.exe	schtasks.exe
PID 1960 wrote to memory of 1296	1960	1f713a60d7e4ef5df7e03ca7f234b2e667a75174cb4ea93b5e660ac8b95f04eb.exe	schtasks.exe
PID 1960 wrote to memory of 1296	1960	1f713a60d7e4ef5df7e03ca7f234b2e667a75174cb4ea93b5e660ac8b95f04eb.exe	schtasks.exe
PID 1960 wrote to memory of 1296	1960	1f713a60d7e4ef5df7e03ca7f234b2e667a75174cb4ea93b5e660ac8b95f04eb.exe	schtasks.exe
PID 1960 wrote to memory of 1148	1960	1f713a60d7e4ef5df7e03ca7f234b2e667a75174cb4ea93b5e660ac8b95f04eb.exe	1f713a60d7e4ef5df7e03ca7f234b2e667a75174cb4ea93b5e660ac8b95f04eb.exe
PID 1960 wrote to memory of 1148	1960	1f713a60d7e4ef5df7e03ca7f234b2e667a75174cb4ea93b5e660ac8b95f04eb.exe	1f713a60d7e4ef5df7e03ca7f234b2e667a75174cb4ea93b5e660ac8b95f04eb.exe
PID 1960 wrote to memory of 1148	1960	1f713a60d7e4ef5df7e03ca7f234b2e667a75174cb4ea93b5e660ac8b95f04eb.exe	1f713a60d7e4ef5df7e03ca7f234b2e667a75174cb4ea93b5e660ac8b95f04eb.exe
PID 1960 wrote to memory of 1148	1960	1f713a60d7e4ef5df7e03ca7f234b2e667a75174cb4ea93b5e660ac8b95f04eb.exe	1f713a60d7e4ef5df7e03ca7f234b2e667a75174cb4ea93b5e660ac8b95f04eb.exe
PID 1960 wrote to memory of 1148	1960	1f713a60d7e4ef5df7e03ca7f234b2e667a75174cb4ea93b5e660ac8b95f04eb.exe	1f713a60d7e4ef5df7e03ca7f234b2e667a75174cb4ea93b5e660ac8b95f04eb.exe
PID 1960 wrote to memory of 1148	1960	1f713a60d7e4ef5df7e03ca7f234b2e667a75174cb4ea93b5e660ac8b95f04eb.exe	1f713a60d7e4ef5df7e03ca7f234b2e667a75174cb4ea93b5e660ac8b95f04eb.exe
PID 1960 wrote to memory of 1148	1960	1f713a60d7e4ef5df7e03ca7f234b2e667a75174cb4ea93b5e660ac8b95f04eb.exe	1f713a60d7e4ef5df7e03ca7f234b2e667a75174cb4ea93b5e660ac8b95f04eb.exe
PID 1960 wrote to memory of 1148	1960	1f713a60d7e4ef5df7e03ca7f234b2e667a75174cb4ea93b5e660ac8b95f04eb.exe	1f713a60d7e4ef5df7e03ca7f234b2e667a75174cb4ea93b5e660ac8b95f04eb.exe
PID 1960 wrote to memory of 1148	1960	1f713a60d7e4ef5df7e03ca7f234b2e667a75174cb4ea93b5e660ac8b95f04eb.exe	1f713a60d7e4ef5df7e03ca7f234b2e667a75174cb4ea93b5e660ac8b95f04eb.exe
PID 1960 wrote to memory of 1148	1960	1f713a60d7e4ef5df7e03ca7f234b2e667a75174cb4ea93b5e660ac8b95f04eb.exe	1f713a60d7e4ef5df7e03ca7f234b2e667a75174cb4ea93b5e660ac8b95f04eb.exe
PID 1960 wrote to memory of 1148	1960	1f713a60d7e4ef5df7e03ca7f234b2e667a75174cb4ea93b5e660ac8b95f04eb.exe	1f713a60d7e4ef5df7e03ca7f234b2e667a75174cb4ea93b5e660ac8b95f04eb.exe
PID 1960 wrote to memory of 1148	1960	1f713a60d7e4ef5df7e03ca7f234b2e667a75174cb4ea93b5e660ac8b95f04eb.exe	1f713a60d7e4ef5df7e03ca7f234b2e667a75174cb4ea93b5e660ac8b95f04eb.exe

C:\Users\Admin\AppData\Local\Temp\1f713a60d7e4ef5df7e03ca7f234b2e667a75174cb4ea93b5e660ac8b95f04eb.exe
"C:\Users\Admin\AppData\Local\Temp\1f713a60d7e4ef5df7e03ca7f234b2e667a75174cb4ea93b5e660ac8b95f04eb.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1960

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1f713a60d7e4ef5df7e03ca7f234b2e667a75174cb4ea93b5e660ac8b95f04eb.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1684

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\sFgaEoksvaI.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1676

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sFgaEoksvaI" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5FCD.tmp"
2⤵
- Creates scheduled task(s)
PID:1296

C:\Users\Admin\AppData\Local\Temp\1f713a60d7e4ef5df7e03ca7f234b2e667a75174cb4ea93b5e660ac8b95f04eb.exe
"C:\Users\Admin\AppData\Local\Temp\1f713a60d7e4ef5df7e03ca7f234b2e667a75174cb4ea93b5e660ac8b95f04eb.exe"
2⤵
PID:1148

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp5FCD.tmp
Filesize
1KB

MD5
a4d71fa0202c19dc129b118e3cd45142

SHA1
ae93448c9440ad1118e434b9dce8809b336935c9

SHA256
b9bd7f6e6771a6e47b7ef542ded1451a97f0c41fee1651591f7cd5bc19dff605

SHA512
f21e14ff65431283e3e3648fb80b23a47ecf8d9cce5a655303a28f7396706216b8d503f135238ab0f462375dd8dc494c97833bc4c6b3bcb520f3356552dc0d4e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
559ecbad89611c0a9951e6a5f53c30af

SHA1
1c2c8645f209b0dc6f3057a7001991d46a2b4973

SHA256
b4ae0f539639a727e5459380feaf33c5a819fab0cf2d6db23eb1b3788b4f6414

SHA512
16d53ec6aefcac38535d1ccb8eb619cae73eb78b84928824ec2a80912c48d6353d92da27529249e064acc37edeff1764a252ef964fe34fdfead3fbe0974ecb59

Download Submit
memory/1148-77-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1148-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1148-68-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1148-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1148-76-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1148-74-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1148-70-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1148-78-0x000000000040242D-mapping.dmp

Download
memory/1148-67-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1148-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1148-84-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1148-85-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1296-62-0x0000000000000000-mapping.dmp

Download
memory/1676-83-0x000000006F190000-0x000000006F73B000-memory.dmp

Filesize
5.7MB

Download
memory/1676-61-0x0000000000000000-mapping.dmp

Download
memory/1684-82-0x000000006F190000-0x000000006F73B000-memory.dmp

Filesize
5.7MB

Download
memory/1684-59-0x0000000000000000-mapping.dmp

Download
memory/1960-56-0x0000000000430000-0x0000000000450000-memory.dmp

Filesize
128KB

Download
memory/1960-54-0x00000000013A0000-0x000000000143C000-memory.dmp

Filesize
624KB

Download
memory/1960-58-0x0000000005A90000-0x0000000005B02000-memory.dmp

Filesize
456KB

Download
memory/1960-66-0x0000000004DF0000-0x0000000004E1E000-memory.dmp

Filesize
184KB

Download
memory/1960-55-0x00000000751A1000-0x00000000751A3000-memory.dmp

Filesize
8KB

Download
memory/1960-57-0x00000000005B0000-0x00000000005BE000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads