netwire | 883a1fb015a99ca444237d8d48187d9cca44ed7daa3dfe0c21836fb207047c7a

General

Target

Quote_PDF.js
Size

417KB
MD5

10ea52784165e94c2b8d62029f47fc2f
SHA1

9f3d0e42cbe82beeb4a467b78d612ce89fddfa41
SHA256

883a1fb015a99ca444237d8d48187d9cca44ed7daa3dfe0c21836fb207047c7a
SHA512

6f9e9f4136fedf90bd836abaf2cf51c67b822509f01b9d8a19fabcd327a190324e25ece949f4c5a2408648b2214c1a5ee3f0a6e98d4b14f405f6d29d97b096f5
SSDEEP

6144:hN8ML4yxnebd6j+IjhS6EzYYosOquA4nfuqQiWYl69Sjrh54:nL40yIjNQYYoWuA4nWqQK6ut54

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Signatures

NetWire RAT payload 7 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Host Ip 185.216.71.251.exe	netwire
C:\Users\Admin\AppData\Roaming\Host Ip 185.216.71.251.exe	netwire
\Users\Admin\AppData\Roaming\Gooogle\Note.exe	netwire
\Users\Admin\AppData\Roaming\Gooogle\Note.exe	netwire
C:\Users\Admin\AppData\Roaming\Gooogle\Note.exe	netwire
C:\Users\Admin\AppData\Roaming\Gooogle\Note.exe	netwire
\Users\Admin\AppData\Roaming\Gooogle\Note.exe	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 2 IoCs

Processes:

Host Ip 185.216.71.251.exeNote.exe

pid process

856 Host Ip 185.216.71.251.exe
516 Note.exe
Drops startup file 1 IoCs

Processes:

Note.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Notepad.lnk Note.exe
Loads dropped DLL 3 IoCs

Processes:

Host Ip 185.216.71.251.exeNote.exe

pid process

856 Host Ip 185.216.71.251.exe
856 Host Ip 185.216.71.251.exe
516 Note.exe

pid	process
856	Host Ip 185.216.71.251.exe
516	Note.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Notepad.lnk	Note.exe

pid	process
856	Host Ip 185.216.71.251.exe
856	Host Ip 185.216.71.251.exe
516	Note.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Note.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	Note.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\)Ô‡OûPN»t@÷áh = "C:\\Users\\Admin\\AppData\\Roaming\\Gooogle\\Note.exe"	Note.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

wscript.exeHost Ip 185.216.71.251.exe

description	pid	process	target process
PID 1104 wrote to memory of 1640	1104	wscript.exe	wscript.exe
PID 1104 wrote to memory of 1640	1104	wscript.exe	wscript.exe
PID 1104 wrote to memory of 1640	1104	wscript.exe	wscript.exe
PID 1104 wrote to memory of 856	1104	wscript.exe	Host Ip 185.216.71.251.exe
PID 1104 wrote to memory of 856	1104	wscript.exe	Host Ip 185.216.71.251.exe
PID 1104 wrote to memory of 856	1104	wscript.exe	Host Ip 185.216.71.251.exe
PID 1104 wrote to memory of 856	1104	wscript.exe	Host Ip 185.216.71.251.exe
PID 856 wrote to memory of 516	856	Host Ip 185.216.71.251.exe	Note.exe
PID 856 wrote to memory of 516	856	Host Ip 185.216.71.251.exe	Note.exe
PID 856 wrote to memory of 516	856	Host Ip 185.216.71.251.exe	Note.exe
PID 856 wrote to memory of 516	856	Host Ip 185.216.71.251.exe	Note.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Quote_PDF.js
1⤵
- Suspicious use of WriteProcessMemory
PID:1104

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\jYFftRlXJm.js"
2⤵
PID:1640

C:\Users\Admin\AppData\Roaming\Host Ip 185.216.71.251.exe
"C:\Users\Admin\AppData\Roaming\Host Ip 185.216.71.251.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:856

C:\Users\Admin\AppData\Roaming\Gooogle\Note.exe
"C:\Users\Admin\AppData\Roaming\Gooogle\Note.exe"
3⤵
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
PID:516

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Gooogle\Note.exe
Filesize
227KB

MD5
a8edd52c5edfe91da90ebee24b51d3c6

SHA1
fc36350b93c6974865eaa7f00a98fa281d1ff7fd

SHA256
35d0bbb6787ae3fb3e155f2eaad36e5f4bb5255e7bb95b759790cc3cc048839d

SHA512
97278bb3967c6ec10d221820d0d50d3582e6fd3975318c882efbecc6b87bfc83f9f58d927e81ecb95ea8a510929591834a27a23e56dc38e8d091f95f9a31ca14

Download Submit
C:\Users\Admin\AppData\Roaming\Gooogle\Note.exe
Filesize
227KB

MD5
a8edd52c5edfe91da90ebee24b51d3c6

SHA1
fc36350b93c6974865eaa7f00a98fa281d1ff7fd

SHA256
35d0bbb6787ae3fb3e155f2eaad36e5f4bb5255e7bb95b759790cc3cc048839d

SHA512
97278bb3967c6ec10d221820d0d50d3582e6fd3975318c882efbecc6b87bfc83f9f58d927e81ecb95ea8a510929591834a27a23e56dc38e8d091f95f9a31ca14

Download Submit
C:\Users\Admin\AppData\Roaming\Host Ip 185.216.71.251.exe
Filesize
227KB

MD5
a8edd52c5edfe91da90ebee24b51d3c6

SHA1
fc36350b93c6974865eaa7f00a98fa281d1ff7fd

SHA256
35d0bbb6787ae3fb3e155f2eaad36e5f4bb5255e7bb95b759790cc3cc048839d

SHA512
97278bb3967c6ec10d221820d0d50d3582e6fd3975318c882efbecc6b87bfc83f9f58d927e81ecb95ea8a510929591834a27a23e56dc38e8d091f95f9a31ca14

Download Submit
C:\Users\Admin\AppData\Roaming\Host Ip 185.216.71.251.exe
Filesize
227KB

MD5
a8edd52c5edfe91da90ebee24b51d3c6

SHA1
fc36350b93c6974865eaa7f00a98fa281d1ff7fd

SHA256
35d0bbb6787ae3fb3e155f2eaad36e5f4bb5255e7bb95b759790cc3cc048839d

SHA512
97278bb3967c6ec10d221820d0d50d3582e6fd3975318c882efbecc6b87bfc83f9f58d927e81ecb95ea8a510929591834a27a23e56dc38e8d091f95f9a31ca14

Download Submit
C:\Users\Admin\AppData\Roaming\jYFftRlXJm.js
Filesize
2KB

MD5
0c4a6227be19f00194b85c415692ba2d

SHA1
0b27682637636a1dff71247558bb852128c1e90e

SHA256
972dd28bf03d9c4437b9b2d0c13563a039b44386c43c1adc2bc23e29bb7f7d06

SHA512
2799ee01736f214e20d645c1e06a9cbcc2da84db53c683e6bd1978c1d3bff7df2d0f64236298e18a164b88796eed6fc258987a84df16f3969241307d89bbd87d

Download Submit
\Users\Admin\AppData\Roaming\Gooogle\Note.exe
Filesize
227KB

MD5
a8edd52c5edfe91da90ebee24b51d3c6

SHA1
fc36350b93c6974865eaa7f00a98fa281d1ff7fd

SHA256
35d0bbb6787ae3fb3e155f2eaad36e5f4bb5255e7bb95b759790cc3cc048839d

SHA512
97278bb3967c6ec10d221820d0d50d3582e6fd3975318c882efbecc6b87bfc83f9f58d927e81ecb95ea8a510929591834a27a23e56dc38e8d091f95f9a31ca14

Download Submit
\Users\Admin\AppData\Roaming\Gooogle\Note.exe
Filesize
227KB

MD5
a8edd52c5edfe91da90ebee24b51d3c6

SHA1
fc36350b93c6974865eaa7f00a98fa281d1ff7fd

SHA256
35d0bbb6787ae3fb3e155f2eaad36e5f4bb5255e7bb95b759790cc3cc048839d

SHA512
97278bb3967c6ec10d221820d0d50d3582e6fd3975318c882efbecc6b87bfc83f9f58d927e81ecb95ea8a510929591834a27a23e56dc38e8d091f95f9a31ca14

Download Submit
\Users\Admin\AppData\Roaming\Gooogle\Note.exe
Filesize
227KB

MD5
a8edd52c5edfe91da90ebee24b51d3c6

SHA1
fc36350b93c6974865eaa7f00a98fa281d1ff7fd

SHA256
35d0bbb6787ae3fb3e155f2eaad36e5f4bb5255e7bb95b759790cc3cc048839d

SHA512
97278bb3967c6ec10d221820d0d50d3582e6fd3975318c882efbecc6b87bfc83f9f58d927e81ecb95ea8a510929591834a27a23e56dc38e8d091f95f9a31ca14

Download Submit
memory/516-63-0x0000000000000000-mapping.dmp

Download
memory/856-59-0x0000000075BB1000-0x0000000075BB3000-memory.dmp

Filesize
8KB

Download
memory/856-57-0x0000000000000000-mapping.dmp

Download
memory/1104-54-0x000007FEFBDB1000-0x000007FEFBDB3000-memory.dmp

Filesize
8KB

Download
memory/1640-55-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads