netwire | dea08975e4dfcf09c0a223ce08f787cfc0eeaba0ac6f692b3f4c10b7d1cce5d6

General

Target

SecuriteInfo.com.W32.AIDetectNet.01.10591.8832.exe
Size

747KB
MD5

b29d638c6a95f694c8310297d7ac64ac
SHA1

ec8b0482dc73f20c05e4b8f41150467f2633abff
SHA256

dea08975e4dfcf09c0a223ce08f787cfc0eeaba0ac6f692b3f4c10b7d1cce5d6
SHA512

a43f3c282c34d261b3563f7106faeb41d218f4e2bd08109de480e79f7751988dc25573a169919dea738f11974b36f6cff09af1c373aa937c74ae60bfdf33692f
SSDEEP

12288:Nnuq00F75eq2a+ypPL2pcznVCPKhma8yMuj5fd+MZMaGwqnP8oi+Aw5sDxmQNe4:FXZ5B7ZtzVeKhm1yZj5FNE

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

C2

212.193.30.230:3345

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
Password@9
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 8 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1992-69-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/1992-70-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/1992-74-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/1992-75-0x000000000040242D-mapping.dmp	netwire
behavioral1/memory/1992-73-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/1992-71-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/1992-78-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/1992-80-0x0000000000400000-0x0000000000433000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Suspicious use of SetThreadContext 1 IoCs

Processes:

SecuriteInfo.com.W32.AIDetectNet.01.10591.8832.exe

description	pid	process	target process
PID 1112 set thread context of 1992	1112	SecuriteInfo.com.W32.AIDetectNet.01.10591.8832.exe	SecuriteInfo.com.W32.AIDetectNet.01.10591.8832.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2032 schtasks.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

1996 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1996 powershell.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

SecuriteInfo.com.W32.AIDetectNet.01.10591.8832.exe

pid process

1112 SecuriteInfo.com.W32.AIDetectNet.01.10591.8832.exe
1112 SecuriteInfo.com.W32.AIDetectNet.01.10591.8832.exe

pid	process
2032	schtasks.exe

pid	process
1996	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1996	powershell.exe

pid	process
1112	SecuriteInfo.com.W32.AIDetectNet.01.10591.8832.exe
1112	SecuriteInfo.com.W32.AIDetectNet.01.10591.8832.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

SecuriteInfo.com.W32.AIDetectNet.01.10591.8832.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.10591.8832.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.10591.8832.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1112

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\mXkIjeFuzqllsq.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1996

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mXkIjeFuzqllsq" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB617.tmp"
2⤵
- Creates scheduled task(s)
PID:2032

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.10591.8832.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.10591.8832.exe"
2⤵
PID:1992

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpB617.tmp
Filesize
1KB

MD5
f1d7de775a4cb156964df43410ba662e

SHA1
9e6ca9c5c03018c06ac06acb7cc41073ddf247a3

SHA256
9c8d71b9158d4d1045de5585a3a1f4853c21648bf5a3633c62417cd09cc87d30

SHA512
b5bf2152da9c862071aeed6f69686edaf06c666e7d4362cb3de5f6dbb3c8e2777ed0379b07812fd5c20bfc038f1e85e4784e43186006c850c9db71c65a1c7e35

Download Submit
memory/1112-55-0x0000000074D61000-0x0000000074D63000-memory.dmp

Filesize
8KB

Download
memory/1112-56-0x0000000000540000-0x0000000000558000-memory.dmp

Filesize
96KB

Download
memory/1112-57-0x0000000000560000-0x000000000056C000-memory.dmp

Filesize
48KB

Download
memory/1112-58-0x0000000007BC0000-0x0000000007C4E000-memory.dmp

Filesize
568KB

Download
memory/1112-54-0x0000000000B50000-0x0000000000C10000-memory.dmp

Filesize
768KB

Download
memory/1112-63-0x0000000007330000-0x0000000007366000-memory.dmp

Filesize
216KB

Download
memory/1992-75-0x000000000040242D-mapping.dmp

Download
memory/1992-74-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1992-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1992-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1992-67-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1992-69-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1992-70-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1992-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1992-78-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1992-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1992-71-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1996-59-0x0000000000000000-mapping.dmp

Download
memory/1996-79-0x000000006E3D0000-0x000000006E97B000-memory.dmp

Filesize
5.7MB

Download
memory/1996-81-0x000000006E3D0000-0x000000006E97B000-memory.dmp

Filesize
5.7MB

Download
memory/2032-60-0x0000000000000000-mapping.dmp

Download

description	pid	process	target process
PID 1112 wrote to memory of 1996	1112	SecuriteInfo.com.W32.AIDetectNet.01.10591.8832.exe	powershell.exe
PID 1112 wrote to memory of 1996	1112	SecuriteInfo.com.W32.AIDetectNet.01.10591.8832.exe	powershell.exe
PID 1112 wrote to memory of 1996	1112	SecuriteInfo.com.W32.AIDetectNet.01.10591.8832.exe	powershell.exe
PID 1112 wrote to memory of 1996	1112	SecuriteInfo.com.W32.AIDetectNet.01.10591.8832.exe	powershell.exe
PID 1112 wrote to memory of 2032	1112	SecuriteInfo.com.W32.AIDetectNet.01.10591.8832.exe	schtasks.exe
PID 1112 wrote to memory of 2032	1112	SecuriteInfo.com.W32.AIDetectNet.01.10591.8832.exe	schtasks.exe
PID 1112 wrote to memory of 2032	1112	SecuriteInfo.com.W32.AIDetectNet.01.10591.8832.exe	schtasks.exe
PID 1112 wrote to memory of 2032	1112	SecuriteInfo.com.W32.AIDetectNet.01.10591.8832.exe	schtasks.exe
PID 1112 wrote to memory of 1992	1112	SecuriteInfo.com.W32.AIDetectNet.01.10591.8832.exe	SecuriteInfo.com.W32.AIDetectNet.01.10591.8832.exe
PID 1112 wrote to memory of 1992	1112	SecuriteInfo.com.W32.AIDetectNet.01.10591.8832.exe	SecuriteInfo.com.W32.AIDetectNet.01.10591.8832.exe
PID 1112 wrote to memory of 1992	1112	SecuriteInfo.com.W32.AIDetectNet.01.10591.8832.exe	SecuriteInfo.com.W32.AIDetectNet.01.10591.8832.exe
PID 1112 wrote to memory of 1992	1112	SecuriteInfo.com.W32.AIDetectNet.01.10591.8832.exe	SecuriteInfo.com.W32.AIDetectNet.01.10591.8832.exe
PID 1112 wrote to memory of 1992	1112	SecuriteInfo.com.W32.AIDetectNet.01.10591.8832.exe	SecuriteInfo.com.W32.AIDetectNet.01.10591.8832.exe
PID 1112 wrote to memory of 1992	1112	SecuriteInfo.com.W32.AIDetectNet.01.10591.8832.exe	SecuriteInfo.com.W32.AIDetectNet.01.10591.8832.exe
PID 1112 wrote to memory of 1992	1112	SecuriteInfo.com.W32.AIDetectNet.01.10591.8832.exe	SecuriteInfo.com.W32.AIDetectNet.01.10591.8832.exe
PID 1112 wrote to memory of 1992	1112	SecuriteInfo.com.W32.AIDetectNet.01.10591.8832.exe	SecuriteInfo.com.W32.AIDetectNet.01.10591.8832.exe
PID 1112 wrote to memory of 1992	1112	SecuriteInfo.com.W32.AIDetectNet.01.10591.8832.exe	SecuriteInfo.com.W32.AIDetectNet.01.10591.8832.exe
PID 1112 wrote to memory of 1992	1112	SecuriteInfo.com.W32.AIDetectNet.01.10591.8832.exe	SecuriteInfo.com.W32.AIDetectNet.01.10591.8832.exe
PID 1112 wrote to memory of 1992	1112	SecuriteInfo.com.W32.AIDetectNet.01.10591.8832.exe	SecuriteInfo.com.W32.AIDetectNet.01.10591.8832.exe
PID 1112 wrote to memory of 1992	1112	SecuriteInfo.com.W32.AIDetectNet.01.10591.8832.exe	SecuriteInfo.com.W32.AIDetectNet.01.10591.8832.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads