netwire | c1a1607c8471e135ad234c5ac04519b62225604f2c29bbdf8a93f451dd12304e

General

Target

Payment_PDF.js
Size

413KB
MD5

e73b5a8013d9a3e9d23ccc801360710e
SHA1

71af99e6cdc182af193072bf1ccae44d4d35763a
SHA256

c1a1607c8471e135ad234c5ac04519b62225604f2c29bbdf8a93f451dd12304e
SHA512

b8593e89b9eac381738ec90d1749e9f785cecb405eb8f0aca6023b0b9df83e329dbfb379323187afd5f0e46d5b7855971d4303a47909c227a18f3ccd1fda33fe
SSDEEP

6144:xigBqQHVy7zWgwA1ypzgcOsaDOguPM6MuhTVJ/KBk+pKLlvbAh2xu5:xiGrG1ypzgdFDOM6M+TLrfS

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Signatures

NetWire RAT payload 7 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Host Ip 185.216.71.251.exe	netwire
C:\Users\Admin\AppData\Roaming\Host Ip 185.216.71.251.exe	netwire
\Users\Admin\AppData\Roaming\Gooogle\Note.exe	netwire
\Users\Admin\AppData\Roaming\Gooogle\Note.exe	netwire
C:\Users\Admin\AppData\Roaming\Gooogle\Note.exe	netwire
C:\Users\Admin\AppData\Roaming\Gooogle\Note.exe	netwire
\Users\Admin\AppData\Roaming\Gooogle\Note.exe	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 2 IoCs

Processes:

Host Ip 185.216.71.251.exeNote.exe

pid process

944 Host Ip 185.216.71.251.exe
912 Note.exe
Drops startup file 1 IoCs

Processes:

Note.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Notepad.lnk Note.exe
Loads dropped DLL 3 IoCs

Processes:

Host Ip 185.216.71.251.exeNote.exe

pid process

944 Host Ip 185.216.71.251.exe
944 Host Ip 185.216.71.251.exe
912 Note.exe

pid	process
944	Host Ip 185.216.71.251.exe
912	Note.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Notepad.lnk	Note.exe

pid	process
944	Host Ip 185.216.71.251.exe
944	Host Ip 185.216.71.251.exe
912	Note.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Note.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	Note.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\)Ô‡OûPN»t@÷áh = "C:\\Users\\Admin\\AppData\\Roaming\\Gooogle\\Note.exe"	Note.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

wscript.exeHost Ip 185.216.71.251.exe

description	pid	process	target process
PID 112 wrote to memory of 1196	112	wscript.exe	wscript.exe
PID 112 wrote to memory of 1196	112	wscript.exe	wscript.exe
PID 112 wrote to memory of 1196	112	wscript.exe	wscript.exe
PID 112 wrote to memory of 944	112	wscript.exe	Host Ip 185.216.71.251.exe
PID 112 wrote to memory of 944	112	wscript.exe	Host Ip 185.216.71.251.exe
PID 112 wrote to memory of 944	112	wscript.exe	Host Ip 185.216.71.251.exe
PID 112 wrote to memory of 944	112	wscript.exe	Host Ip 185.216.71.251.exe
PID 944 wrote to memory of 912	944	Host Ip 185.216.71.251.exe	Note.exe
PID 944 wrote to memory of 912	944	Host Ip 185.216.71.251.exe	Note.exe
PID 944 wrote to memory of 912	944	Host Ip 185.216.71.251.exe	Note.exe
PID 944 wrote to memory of 912	944	Host Ip 185.216.71.251.exe	Note.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Payment_PDF.js
1⤵
- Suspicious use of WriteProcessMemory
PID:112

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\oxzCqvVlSa.js"
2⤵
PID:1196

C:\Users\Admin\AppData\Roaming\Host Ip 185.216.71.251.exe
"C:\Users\Admin\AppData\Roaming\Host Ip 185.216.71.251.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:944

C:\Users\Admin\AppData\Roaming\Gooogle\Note.exe
"C:\Users\Admin\AppData\Roaming\Gooogle\Note.exe"
3⤵
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
PID:912

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Gooogle\Note.exe
Filesize
227KB

MD5
a8edd52c5edfe91da90ebee24b51d3c6

SHA1
fc36350b93c6974865eaa7f00a98fa281d1ff7fd

SHA256
35d0bbb6787ae3fb3e155f2eaad36e5f4bb5255e7bb95b759790cc3cc048839d

SHA512
97278bb3967c6ec10d221820d0d50d3582e6fd3975318c882efbecc6b87bfc83f9f58d927e81ecb95ea8a510929591834a27a23e56dc38e8d091f95f9a31ca14

Download Submit
C:\Users\Admin\AppData\Roaming\Gooogle\Note.exe
Filesize
227KB

MD5
a8edd52c5edfe91da90ebee24b51d3c6

SHA1
fc36350b93c6974865eaa7f00a98fa281d1ff7fd

SHA256
35d0bbb6787ae3fb3e155f2eaad36e5f4bb5255e7bb95b759790cc3cc048839d

SHA512
97278bb3967c6ec10d221820d0d50d3582e6fd3975318c882efbecc6b87bfc83f9f58d927e81ecb95ea8a510929591834a27a23e56dc38e8d091f95f9a31ca14

Download Submit
C:\Users\Admin\AppData\Roaming\Host Ip 185.216.71.251.exe
Filesize
227KB

MD5
a8edd52c5edfe91da90ebee24b51d3c6

SHA1
fc36350b93c6974865eaa7f00a98fa281d1ff7fd

SHA256
35d0bbb6787ae3fb3e155f2eaad36e5f4bb5255e7bb95b759790cc3cc048839d

SHA512
97278bb3967c6ec10d221820d0d50d3582e6fd3975318c882efbecc6b87bfc83f9f58d927e81ecb95ea8a510929591834a27a23e56dc38e8d091f95f9a31ca14

Download Submit
C:\Users\Admin\AppData\Roaming\Host Ip 185.216.71.251.exe
Filesize
227KB

MD5
a8edd52c5edfe91da90ebee24b51d3c6

SHA1
fc36350b93c6974865eaa7f00a98fa281d1ff7fd

SHA256
35d0bbb6787ae3fb3e155f2eaad36e5f4bb5255e7bb95b759790cc3cc048839d

SHA512
97278bb3967c6ec10d221820d0d50d3582e6fd3975318c882efbecc6b87bfc83f9f58d927e81ecb95ea8a510929591834a27a23e56dc38e8d091f95f9a31ca14

Download Submit
C:\Users\Admin\AppData\Roaming\oxzCqvVlSa.js
Filesize
2KB

MD5
29b681188f244157da1f2aeaad0f2a54

SHA1
0f1707a44b5b1667eae03a0612512046b7154e09

SHA256
58975ae344dcd7129a5c308f3dc70f83b40e0645ced49dbf8ffebbfcec2e6669

SHA512
e0e77d025de3c8529cabe745a4339e35e6e68ce95004f63529a1d2f1409be7ee4d82adfc1fb175cf56ae460b1936a5b73eec8ff030861e4e60c2d473425e940a

Download Submit
\Users\Admin\AppData\Roaming\Gooogle\Note.exe
Filesize
227KB

MD5
a8edd52c5edfe91da90ebee24b51d3c6

SHA1
fc36350b93c6974865eaa7f00a98fa281d1ff7fd

SHA256
35d0bbb6787ae3fb3e155f2eaad36e5f4bb5255e7bb95b759790cc3cc048839d

SHA512
97278bb3967c6ec10d221820d0d50d3582e6fd3975318c882efbecc6b87bfc83f9f58d927e81ecb95ea8a510929591834a27a23e56dc38e8d091f95f9a31ca14

Download Submit
\Users\Admin\AppData\Roaming\Gooogle\Note.exe
Filesize
227KB

MD5
a8edd52c5edfe91da90ebee24b51d3c6

SHA1
fc36350b93c6974865eaa7f00a98fa281d1ff7fd

SHA256
35d0bbb6787ae3fb3e155f2eaad36e5f4bb5255e7bb95b759790cc3cc048839d

SHA512
97278bb3967c6ec10d221820d0d50d3582e6fd3975318c882efbecc6b87bfc83f9f58d927e81ecb95ea8a510929591834a27a23e56dc38e8d091f95f9a31ca14

Download Submit
\Users\Admin\AppData\Roaming\Gooogle\Note.exe
Filesize
227KB

MD5
a8edd52c5edfe91da90ebee24b51d3c6

SHA1
fc36350b93c6974865eaa7f00a98fa281d1ff7fd

SHA256
35d0bbb6787ae3fb3e155f2eaad36e5f4bb5255e7bb95b759790cc3cc048839d

SHA512
97278bb3967c6ec10d221820d0d50d3582e6fd3975318c882efbecc6b87bfc83f9f58d927e81ecb95ea8a510929591834a27a23e56dc38e8d091f95f9a31ca14

Download Submit
memory/112-54-0x000007FEFB5D1000-0x000007FEFB5D3000-memory.dmp

Filesize
8KB

Download
memory/912-63-0x0000000000000000-mapping.dmp

Download
memory/944-59-0x0000000074C11000-0x0000000074C13000-memory.dmp

Filesize
8KB

Download
memory/944-57-0x0000000000000000-mapping.dmp

Download
memory/1196-55-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads