netwire | ff2e6769db544063dcdcae55887971681a32e21c7a468eae2375971d5c5ee36c

General

Target

Boat Payment _PDF .js
Size

413KB
MD5

440e7b02be54dea36dc1e4d3c74d6588
SHA1

27c1511dda1e07dc181b99a270d70694b24aa12e
SHA256

ff2e6769db544063dcdcae55887971681a32e21c7a468eae2375971d5c5ee36c
SHA512

8986f8dcc2daa88e8c78973f767aa98be7ecf3457f4d9c8e3cedb69aee831b5c0a3cb5ce54067a1ebe72ce8ec9d1f9da90694abb74089cd954deebcee4eccbe2
SSDEEP

6144:C1YSEPt0WHnHp0I2hHo9KUusuNv1p0Y8JLHFjnaW2x5t4SxZY:C1YSpWHKI9Kcwv1p+JLHFzaWeHbY

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Signatures

NetWire RAT payload 7 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Host Ip 185.216.71.251.exe	netwire
C:\Users\Admin\AppData\Roaming\Host Ip 185.216.71.251.exe	netwire
\Users\Admin\AppData\Roaming\Gooogle\Note.exe	netwire
\Users\Admin\AppData\Roaming\Gooogle\Note.exe	netwire
C:\Users\Admin\AppData\Roaming\Gooogle\Note.exe	netwire
\Users\Admin\AppData\Roaming\Gooogle\Note.exe	netwire
C:\Users\Admin\AppData\Roaming\Gooogle\Note.exe	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 2 IoCs

Processes:

Host Ip 185.216.71.251.exeNote.exe

pid process

1116 Host Ip 185.216.71.251.exe
1956 Note.exe
Drops startup file 1 IoCs

Processes:

Note.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Notepad.lnk Note.exe
Loads dropped DLL 3 IoCs

Processes:

Host Ip 185.216.71.251.exeNote.exe

pid process

1116 Host Ip 185.216.71.251.exe
1116 Host Ip 185.216.71.251.exe
1956 Note.exe

pid	process
1116	Host Ip 185.216.71.251.exe
1956	Note.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Notepad.lnk	Note.exe

pid	process
1116	Host Ip 185.216.71.251.exe
1116	Host Ip 185.216.71.251.exe
1956	Note.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Note.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	Note.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\)Ô‡OûPN»t@÷áh = "C:\\Users\\Admin\\AppData\\Roaming\\Gooogle\\Note.exe"	Note.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

wscript.exeHost Ip 185.216.71.251.exe

description	pid	process	target process
PID 1168 wrote to memory of 1356	1168	wscript.exe	wscript.exe
PID 1168 wrote to memory of 1356	1168	wscript.exe	wscript.exe
PID 1168 wrote to memory of 1356	1168	wscript.exe	wscript.exe
PID 1168 wrote to memory of 1116	1168	wscript.exe	Host Ip 185.216.71.251.exe
PID 1168 wrote to memory of 1116	1168	wscript.exe	Host Ip 185.216.71.251.exe
PID 1168 wrote to memory of 1116	1168	wscript.exe	Host Ip 185.216.71.251.exe
PID 1168 wrote to memory of 1116	1168	wscript.exe	Host Ip 185.216.71.251.exe
PID 1116 wrote to memory of 1956	1116	Host Ip 185.216.71.251.exe	Note.exe
PID 1116 wrote to memory of 1956	1116	Host Ip 185.216.71.251.exe	Note.exe
PID 1116 wrote to memory of 1956	1116	Host Ip 185.216.71.251.exe	Note.exe
PID 1116 wrote to memory of 1956	1116	Host Ip 185.216.71.251.exe	Note.exe

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Boat Payment _PDF .js"
1⤵
- Suspicious use of WriteProcessMemory
PID:1168

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\FLyVAXBmCl.js"
2⤵
PID:1356

C:\Users\Admin\AppData\Roaming\Host Ip 185.216.71.251.exe
"C:\Users\Admin\AppData\Roaming\Host Ip 185.216.71.251.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1116

C:\Users\Admin\AppData\Roaming\Gooogle\Note.exe
"C:\Users\Admin\AppData\Roaming\Gooogle\Note.exe"
3⤵
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
PID:1956

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\FLyVAXBmCl.js
Filesize
2KB

MD5
03fb27f948516898cddf9f37c560bdba

SHA1
e458fd85cb0d667cbf3319a56dcce21053788b9b

SHA256
fbb4f847e669f9154306792b1e977e5534475863c6a4520db89cb0644fe3d95c

SHA512
318b80684314b6996c52d97c9716ef894079fcaf6aa41db317f5d5cce0e610a20e9f9bacc481bb7afcfece77347dbfa5967c873ae1ee9baf62c42060b2ea623c

Download Submit
C:\Users\Admin\AppData\Roaming\Gooogle\Note.exe
Filesize
227KB

MD5
a8edd52c5edfe91da90ebee24b51d3c6

SHA1
fc36350b93c6974865eaa7f00a98fa281d1ff7fd

SHA256
35d0bbb6787ae3fb3e155f2eaad36e5f4bb5255e7bb95b759790cc3cc048839d

SHA512
97278bb3967c6ec10d221820d0d50d3582e6fd3975318c882efbecc6b87bfc83f9f58d927e81ecb95ea8a510929591834a27a23e56dc38e8d091f95f9a31ca14

Download Submit
C:\Users\Admin\AppData\Roaming\Gooogle\Note.exe
Filesize
227KB

MD5
a8edd52c5edfe91da90ebee24b51d3c6

SHA1
fc36350b93c6974865eaa7f00a98fa281d1ff7fd

SHA256
35d0bbb6787ae3fb3e155f2eaad36e5f4bb5255e7bb95b759790cc3cc048839d

SHA512
97278bb3967c6ec10d221820d0d50d3582e6fd3975318c882efbecc6b87bfc83f9f58d927e81ecb95ea8a510929591834a27a23e56dc38e8d091f95f9a31ca14

Download Submit
C:\Users\Admin\AppData\Roaming\Host Ip 185.216.71.251.exe
Filesize
227KB

MD5
a8edd52c5edfe91da90ebee24b51d3c6

SHA1
fc36350b93c6974865eaa7f00a98fa281d1ff7fd

SHA256
35d0bbb6787ae3fb3e155f2eaad36e5f4bb5255e7bb95b759790cc3cc048839d

SHA512
97278bb3967c6ec10d221820d0d50d3582e6fd3975318c882efbecc6b87bfc83f9f58d927e81ecb95ea8a510929591834a27a23e56dc38e8d091f95f9a31ca14

Download Submit
C:\Users\Admin\AppData\Roaming\Host Ip 185.216.71.251.exe
Filesize
227KB

MD5
a8edd52c5edfe91da90ebee24b51d3c6

SHA1
fc36350b93c6974865eaa7f00a98fa281d1ff7fd

SHA256
35d0bbb6787ae3fb3e155f2eaad36e5f4bb5255e7bb95b759790cc3cc048839d

SHA512
97278bb3967c6ec10d221820d0d50d3582e6fd3975318c882efbecc6b87bfc83f9f58d927e81ecb95ea8a510929591834a27a23e56dc38e8d091f95f9a31ca14

Download Submit
\Users\Admin\AppData\Roaming\Gooogle\Note.exe
Filesize
227KB

MD5
a8edd52c5edfe91da90ebee24b51d3c6

SHA1
fc36350b93c6974865eaa7f00a98fa281d1ff7fd

SHA256
35d0bbb6787ae3fb3e155f2eaad36e5f4bb5255e7bb95b759790cc3cc048839d

SHA512
97278bb3967c6ec10d221820d0d50d3582e6fd3975318c882efbecc6b87bfc83f9f58d927e81ecb95ea8a510929591834a27a23e56dc38e8d091f95f9a31ca14

Download Submit
\Users\Admin\AppData\Roaming\Gooogle\Note.exe
Filesize
227KB

MD5
a8edd52c5edfe91da90ebee24b51d3c6

SHA1
fc36350b93c6974865eaa7f00a98fa281d1ff7fd

SHA256
35d0bbb6787ae3fb3e155f2eaad36e5f4bb5255e7bb95b759790cc3cc048839d

SHA512
97278bb3967c6ec10d221820d0d50d3582e6fd3975318c882efbecc6b87bfc83f9f58d927e81ecb95ea8a510929591834a27a23e56dc38e8d091f95f9a31ca14

Download Submit
\Users\Admin\AppData\Roaming\Gooogle\Note.exe
Filesize
227KB

MD5
a8edd52c5edfe91da90ebee24b51d3c6

SHA1
fc36350b93c6974865eaa7f00a98fa281d1ff7fd

SHA256
35d0bbb6787ae3fb3e155f2eaad36e5f4bb5255e7bb95b759790cc3cc048839d

SHA512
97278bb3967c6ec10d221820d0d50d3582e6fd3975318c882efbecc6b87bfc83f9f58d927e81ecb95ea8a510929591834a27a23e56dc38e8d091f95f9a31ca14

Download Submit
memory/1116-59-0x0000000076401000-0x0000000076403000-memory.dmp

Filesize
8KB

Download
memory/1116-57-0x0000000000000000-mapping.dmp

Download
memory/1168-54-0x000007FEFC341000-0x000007FEFC343000-memory.dmp

Filesize
8KB

Download
memory/1356-55-0x0000000000000000-mapping.dmp

Download
memory/1956-63-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads