netwire | 51d5a73c72f75f984194346b8a9e77fad48059295de86f339c9a092b0d51c9ab

General

Target

dbe65375184221d89d3983a4502e02e7.exe
Size

1.4MB
MD5

dbe65375184221d89d3983a4502e02e7
SHA1

4e52d5d3f90588c948947ca6f52923df78b08e03
SHA256

51d5a73c72f75f984194346b8a9e77fad48059295de86f339c9a092b0d51c9ab
SHA512

4d2ef3317e1b49d469af1751dded625d7961931c98b853e22c6c4e6e33165b7522eac37960896cd7814b0b5df1ae4ffc567017bd52022d639a62e72a09234d62
SSDEEP

24576:OAOcZyFjJrDqL1P9PO/2QXDKt19YhvrpxAD4b4kImp/AwL:0Dr+LjFQTKFkbADWjAM

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Extracted

Family

netwire

C2

212.193.30.230:3363

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
Password@2
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 4 IoCs

rat

resource	yara_rule
behavioral2/memory/1808-138-0x0000000000B30000-0x0000000000FFE000-memory.dmp	netwire
behavioral2/memory/1808-139-0x0000000000B3242D-mapping.dmp	netwire
behavioral2/memory/1808-141-0x0000000000B30000-0x0000000000FFE000-memory.dmp	netwire
behavioral2/memory/1808-142-0x0000000000B30000-0x0000000000FFE000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Executes dropped EXE 1 IoCs

pid	Process
916	qxckhjveq.pif

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	dbe65375184221d89d3983a4502e02e7.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	qxckhjveq.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\6_99\\QXCKHJ~1.PIF C:\\Users\\Admin\\AppData\\Roaming\\6_99\\dhpdp.pia"	qxckhjveq.pif

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 916 set thread context of 1808	916	qxckhjveq.pif	95

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4872 wrote to memory of 916	4872	dbe65375184221d89d3983a4502e02e7.exe	86
PID 4872 wrote to memory of 916	4872	dbe65375184221d89d3983a4502e02e7.exe	86
PID 4872 wrote to memory of 916	4872	dbe65375184221d89d3983a4502e02e7.exe	86
PID 916 wrote to memory of 1808	916	qxckhjveq.pif	95
PID 916 wrote to memory of 1808	916	qxckhjveq.pif	95
PID 916 wrote to memory of 1808	916	qxckhjveq.pif	95
PID 916 wrote to memory of 1808	916	qxckhjveq.pif	95
PID 916 wrote to memory of 1808	916	qxckhjveq.pif	95

C:\Users\Admin\AppData\Local\Temp\dbe65375184221d89d3983a4502e02e7.exe
"C:\Users\Admin\AppData\Local\Temp\dbe65375184221d89d3983a4502e02e7.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4872
- C:\Users\Admin\AppData\Roaming\6_99\qxckhjveq.pif
  "C:\Users\Admin\AppData\Roaming\6_99\qxckhjveq.pif" dhpdp.pia
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:916
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    PID:1808

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\6_99\cbmksgkln.jpg

Filesize
60KB

MD5
34092bbdd482bf56117e6979c2498d30

SHA1
3070331bad81feb80805a78b8abe08a3396014de

SHA256
237c89f4899669d717c002d5f903773b679b7b1033cc28269234156b1893e661

SHA512
fd416e472972d3c3b1aeba6bbb4090b3d947da6236796b1ba5b88ecd094895f2c231bdd6fbf0a433d5ba1d5772c9c447f63bd16209a84180306463fc719a7e4b

Download Submit
C:\Users\Admin\AppData\Roaming\6_99\dhpdp.pia

Filesize
217.7MB

MD5
44a64ec438f2884435e55570231c14da

SHA1
126c6e8f1e71eaae3d563b408012bb18b361d8fe

SHA256
05b0bf7ff05b5dc0c472c71ce4a992685a5d48f443f8d6b4e7dcf198a4db2461

SHA512
823f6acf5ce60a16a4a79dfcfbcfe2495d8306d8ea541b7bd91f8a70cecc8f7a2c03c35c58494a3908b060fd1315ff30a7616fd21cc5faf2e4f32f13de527515

Download Submit
C:\Users\Admin\AppData\Roaming\6_99\qxckhjveq.pif

Filesize
1.1MB

MD5
9689a1b6e3bea3d1ea2b948587bbc636

SHA1
1d65147237d3734cd490f2945fde0ee3e8fa086c

SHA256
669825e275a3bce730edbeb4640e716fe95e9705a45a03d776e7084612045901

SHA512
d5ef1dec3ea0e14dae6777959790a902c46e646308a0f0e46fde875142f982c846a225c682fec11f78f37b0d935bcce5fbf0b5513840cf0063cf23e9ca86431f

Download Submit
C:\Users\Admin\AppData\Roaming\6_99\qxckhjveq.pif

Filesize
1.1MB

MD5
9689a1b6e3bea3d1ea2b948587bbc636

SHA1
1d65147237d3734cd490f2945fde0ee3e8fa086c

SHA256
669825e275a3bce730edbeb4640e716fe95e9705a45a03d776e7084612045901

SHA512
d5ef1dec3ea0e14dae6777959790a902c46e646308a0f0e46fde875142f982c846a225c682fec11f78f37b0d935bcce5fbf0b5513840cf0063cf23e9ca86431f

Download Submit
C:\Users\Admin\AppData\Roaming\6_99\unffx.iem

Filesize
323KB

MD5
a285a4205ca4b8e6696783f2ad4feacc

SHA1
43ab464506a9c7bd1c5699d8f9af6c36c5d9214d

SHA256
c0e017a288a1a4ad270dbf43f594bce901cf8204960a2d25b755a4ae526e1c64

SHA512
d7d63fa506422af23ac22eb06ab8406ad527060c0b91a99da2c3ce06a4f0192666cd862e42e0eb3fa4cf0ba428d0a823609bb62cef26d257173d2060332d44c5

Download Submit
memory/1808-138-0x0000000000B30000-0x0000000000FFE000-memory.dmp

Filesize
4.8MB

Download
memory/1808-141-0x0000000000B30000-0x0000000000FFE000-memory.dmp

Filesize
4.8MB

Download
memory/1808-142-0x0000000000B30000-0x0000000000FFE000-memory.dmp

Filesize
4.8MB

Download

Analysis

Sharing