netwire | c51d215d3a71748dbcfe7310102a4b9e8864f3cfdb01bf0dacab5df203b37428

General

Target

Request Quote_PDF.js
Size

413KB
MD5

f0ab774a3a85bb6878897c641104ff70
SHA1

898701732283a90632ece16e47f8e0a5efef3ae8
SHA256

c51d215d3a71748dbcfe7310102a4b9e8864f3cfdb01bf0dacab5df203b37428
SHA512

3c4081ef491f9b6852d292212f87139352ea8163cb115f2af9d6c9ba56bdc9b4647ca82bbafccdadd453fce51c2e5b4953310310a45a795a8a9add9d399c2037
SSDEEP

6144:hYfG+JJ9zEqXmDkDoDb1B/l0NUDm3G6UuRHKe06kZXYGXbLVALXCuU:hYuc3DoDb1hGNUL6U+H1UVh

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Signatures

NetWire RAT payload 7 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Host Ip 185.216.71.251.exe	netwire
C:\Users\Admin\AppData\Roaming\Host Ip 185.216.71.251.exe	netwire
\Users\Admin\AppData\Roaming\Gooogle\Note.exe	netwire
\Users\Admin\AppData\Roaming\Gooogle\Note.exe	netwire
C:\Users\Admin\AppData\Roaming\Gooogle\Note.exe	netwire
C:\Users\Admin\AppData\Roaming\Gooogle\Note.exe	netwire
\Users\Admin\AppData\Roaming\Gooogle\Note.exe	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 2 IoCs

Processes:

Host Ip 185.216.71.251.exeNote.exe

pid process

1072 Host Ip 185.216.71.251.exe
1548 Note.exe
Drops startup file 1 IoCs

Processes:

Note.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Notepad.lnk Note.exe
Loads dropped DLL 3 IoCs

Processes:

Host Ip 185.216.71.251.exeNote.exe

pid process

1072 Host Ip 185.216.71.251.exe
1072 Host Ip 185.216.71.251.exe
1548 Note.exe

pid	process
1072	Host Ip 185.216.71.251.exe
1548	Note.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Notepad.lnk	Note.exe

pid	process
1072	Host Ip 185.216.71.251.exe
1072	Host Ip 185.216.71.251.exe
1548	Note.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Note.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	Note.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\)Ô‡OûPN»t@÷áh = "C:\\Users\\Admin\\AppData\\Roaming\\Gooogle\\Note.exe"	Note.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

wscript.exeHost Ip 185.216.71.251.exe

description	pid	process	target process
PID 1632 wrote to memory of 2036	1632	wscript.exe	wscript.exe
PID 1632 wrote to memory of 2036	1632	wscript.exe	wscript.exe
PID 1632 wrote to memory of 2036	1632	wscript.exe	wscript.exe
PID 1632 wrote to memory of 1072	1632	wscript.exe	Host Ip 185.216.71.251.exe
PID 1632 wrote to memory of 1072	1632	wscript.exe	Host Ip 185.216.71.251.exe
PID 1632 wrote to memory of 1072	1632	wscript.exe	Host Ip 185.216.71.251.exe
PID 1632 wrote to memory of 1072	1632	wscript.exe	Host Ip 185.216.71.251.exe
PID 1072 wrote to memory of 1548	1072	Host Ip 185.216.71.251.exe	Note.exe
PID 1072 wrote to memory of 1548	1072	Host Ip 185.216.71.251.exe	Note.exe
PID 1072 wrote to memory of 1548	1072	Host Ip 185.216.71.251.exe	Note.exe
PID 1072 wrote to memory of 1548	1072	Host Ip 185.216.71.251.exe	Note.exe

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Request Quote_PDF.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:1632

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\zlSPOzqHVD.js"
2⤵
PID:2036

C:\Users\Admin\AppData\Roaming\Host Ip 185.216.71.251.exe
"C:\Users\Admin\AppData\Roaming\Host Ip 185.216.71.251.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1072

C:\Users\Admin\AppData\Roaming\Gooogle\Note.exe
"C:\Users\Admin\AppData\Roaming\Gooogle\Note.exe"
3⤵
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
PID:1548

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Gooogle\Note.exe
Filesize
227KB

MD5
a8edd52c5edfe91da90ebee24b51d3c6

SHA1
fc36350b93c6974865eaa7f00a98fa281d1ff7fd

SHA256
35d0bbb6787ae3fb3e155f2eaad36e5f4bb5255e7bb95b759790cc3cc048839d

SHA512
97278bb3967c6ec10d221820d0d50d3582e6fd3975318c882efbecc6b87bfc83f9f58d927e81ecb95ea8a510929591834a27a23e56dc38e8d091f95f9a31ca14

Download Submit
C:\Users\Admin\AppData\Roaming\Gooogle\Note.exe
Filesize
227KB

MD5
a8edd52c5edfe91da90ebee24b51d3c6

SHA1
fc36350b93c6974865eaa7f00a98fa281d1ff7fd

SHA256
35d0bbb6787ae3fb3e155f2eaad36e5f4bb5255e7bb95b759790cc3cc048839d

SHA512
97278bb3967c6ec10d221820d0d50d3582e6fd3975318c882efbecc6b87bfc83f9f58d927e81ecb95ea8a510929591834a27a23e56dc38e8d091f95f9a31ca14

Download Submit
C:\Users\Admin\AppData\Roaming\Host Ip 185.216.71.251.exe
Filesize
227KB

MD5
a8edd52c5edfe91da90ebee24b51d3c6

SHA1
fc36350b93c6974865eaa7f00a98fa281d1ff7fd

SHA256
35d0bbb6787ae3fb3e155f2eaad36e5f4bb5255e7bb95b759790cc3cc048839d

SHA512
97278bb3967c6ec10d221820d0d50d3582e6fd3975318c882efbecc6b87bfc83f9f58d927e81ecb95ea8a510929591834a27a23e56dc38e8d091f95f9a31ca14

Download Submit
C:\Users\Admin\AppData\Roaming\Host Ip 185.216.71.251.exe
Filesize
227KB

MD5
a8edd52c5edfe91da90ebee24b51d3c6

SHA1
fc36350b93c6974865eaa7f00a98fa281d1ff7fd

SHA256
35d0bbb6787ae3fb3e155f2eaad36e5f4bb5255e7bb95b759790cc3cc048839d

SHA512
97278bb3967c6ec10d221820d0d50d3582e6fd3975318c882efbecc6b87bfc83f9f58d927e81ecb95ea8a510929591834a27a23e56dc38e8d091f95f9a31ca14

Download Submit
C:\Users\Admin\AppData\Roaming\zlSPOzqHVD.js
Filesize
2KB

MD5
a02dd89da5bffe363a6c3bccf25619ee

SHA1
fd3f170c60b5ec72007988a32a2294bdc45727be

SHA256
8022b0fc6e1d7d9b109956549dadcba98d6ab3f192232ff8ae76777423a4b472

SHA512
06056ba15f853ebc627e884f2eff4e1d0847e797b92d8ac6d3a24fbcaaef818ef875ed3dd8757276a8bf980c9b51092bb6267d79f73f879e66b4295d591a9cdf

Download Submit
\Users\Admin\AppData\Roaming\Gooogle\Note.exe
Filesize
227KB

MD5
a8edd52c5edfe91da90ebee24b51d3c6

SHA1
fc36350b93c6974865eaa7f00a98fa281d1ff7fd

SHA256
35d0bbb6787ae3fb3e155f2eaad36e5f4bb5255e7bb95b759790cc3cc048839d

SHA512
97278bb3967c6ec10d221820d0d50d3582e6fd3975318c882efbecc6b87bfc83f9f58d927e81ecb95ea8a510929591834a27a23e56dc38e8d091f95f9a31ca14

Download Submit
\Users\Admin\AppData\Roaming\Gooogle\Note.exe
Filesize
227KB

MD5
a8edd52c5edfe91da90ebee24b51d3c6

SHA1
fc36350b93c6974865eaa7f00a98fa281d1ff7fd

SHA256
35d0bbb6787ae3fb3e155f2eaad36e5f4bb5255e7bb95b759790cc3cc048839d

SHA512
97278bb3967c6ec10d221820d0d50d3582e6fd3975318c882efbecc6b87bfc83f9f58d927e81ecb95ea8a510929591834a27a23e56dc38e8d091f95f9a31ca14

Download Submit
\Users\Admin\AppData\Roaming\Gooogle\Note.exe
Filesize
227KB

MD5
a8edd52c5edfe91da90ebee24b51d3c6

SHA1
fc36350b93c6974865eaa7f00a98fa281d1ff7fd

SHA256
35d0bbb6787ae3fb3e155f2eaad36e5f4bb5255e7bb95b759790cc3cc048839d

SHA512
97278bb3967c6ec10d221820d0d50d3582e6fd3975318c882efbecc6b87bfc83f9f58d927e81ecb95ea8a510929591834a27a23e56dc38e8d091f95f9a31ca14

Download Submit
memory/1072-59-0x0000000076BA1000-0x0000000076BA3000-memory.dmp

Filesize
8KB

Download
memory/1072-57-0x0000000000000000-mapping.dmp

Download
memory/1548-63-0x0000000000000000-mapping.dmp

Download
memory/1632-54-0x000007FEFC611000-0x000007FEFC613000-memory.dmp

Filesize
8KB

Download
memory/2036-55-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads