netwire | c43c2232e4c6cf97b7bd145ab5a72c8d5c408c77b7a56725160c192a6f6434a3

General

Target

invoice_7833.exe
Size

1.2MB
MD5

2bb20b6123c38e8980b9f92e9a16f957
SHA1

3097deacf4adcdb35d8cb9d726cdf9f62efeaca6
SHA256

c43c2232e4c6cf97b7bd145ab5a72c8d5c408c77b7a56725160c192a6f6434a3
SHA512

f402382f7d5802130c6db3ada51678304b4d51558dacbfcd4237012153b2e66f88d525f6c23383a7792a2d70daab5cd8117c8347c85d34eabbd37d222b3879d4
SSDEEP

24576:5AOcZgAgB9ZkeKEptML955rCmtMyGpLAWDXxo8FVCaWXZWcVX:zTAgBgApyLseZG/VokCp79

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Extracted

Family

netwire

C2

212.193.30.230:3345

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
Password@9
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1472-138-0x0000000001000000-0x00000000015FB000-memory.dmp	netwire
behavioral2/memory/1472-139-0x000000000100242D-mapping.dmp	netwire
behavioral2/memory/1472-142-0x0000000001000000-0x00000000015FB000-memory.dmp	netwire
behavioral2/memory/1472-143-0x0000000001000000-0x00000000015FB000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 2 IoCs

Processes:

btlawc.pifRegSvcs.exe

pid process

2716 btlawc.pif
1472 RegSvcs.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

invoice_7833.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	invoice_7833.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

btlawc.pif

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	btlawc.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8_410\\btlawc.pif C:\\Users\\Admin\\AppData\\Local\\Temp\\8_410\\RVKJVX~1.ADO"	btlawc.pif

Suspicious use of SetThreadContext 1 IoCs

Processes:

btlawc.pif

description pid process target process

PID 2716 set thread context of 1472 2716 btlawc.pif RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 2716 set thread context of 1472	2716	btlawc.pif	RegSvcs.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

btlawc.pif

pid	process
2716	btlawc.pif
2716	btlawc.pif
2716	btlawc.pif
2716	btlawc.pif
2716	btlawc.pif
2716	btlawc.pif
2716	btlawc.pif
2716	btlawc.pif
2716	btlawc.pif
2716	btlawc.pif
2716	btlawc.pif
2716	btlawc.pif
2716	btlawc.pif
2716	btlawc.pif
2716	btlawc.pif
2716	btlawc.pif
2716	btlawc.pif
2716	btlawc.pif
2716	btlawc.pif
2716	btlawc.pif
2716	btlawc.pif
2716	btlawc.pif
2716	btlawc.pif
2716	btlawc.pif
2716	btlawc.pif
2716	btlawc.pif
2716	btlawc.pif
2716	btlawc.pif
2716	btlawc.pif
2716	btlawc.pif
2716	btlawc.pif
2716	btlawc.pif
2716	btlawc.pif
2716	btlawc.pif
2716	btlawc.pif
2716	btlawc.pif
2716	btlawc.pif
2716	btlawc.pif
2716	btlawc.pif
2716	btlawc.pif
2716	btlawc.pif
2716	btlawc.pif
2716	btlawc.pif
2716	btlawc.pif
2716	btlawc.pif
2716	btlawc.pif
2716	btlawc.pif
2716	btlawc.pif
2716	btlawc.pif
2716	btlawc.pif
2716	btlawc.pif
2716	btlawc.pif
2716	btlawc.pif
2716	btlawc.pif
2716	btlawc.pif
2716	btlawc.pif
2716	btlawc.pif
2716	btlawc.pif
2716	btlawc.pif
2716	btlawc.pif
2716	btlawc.pif
2716	btlawc.pif
2716	btlawc.pif
2716	btlawc.pif

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

invoice_7833.exebtlawc.pif

description	pid	process	target process
PID 3780 wrote to memory of 2716	3780	invoice_7833.exe	btlawc.pif
PID 3780 wrote to memory of 2716	3780	invoice_7833.exe	btlawc.pif
PID 3780 wrote to memory of 2716	3780	invoice_7833.exe	btlawc.pif
PID 2716 wrote to memory of 1472	2716	btlawc.pif	RegSvcs.exe
PID 2716 wrote to memory of 1472	2716	btlawc.pif	RegSvcs.exe
PID 2716 wrote to memory of 1472	2716	btlawc.pif	RegSvcs.exe
PID 2716 wrote to memory of 1472	2716	btlawc.pif	RegSvcs.exe
PID 2716 wrote to memory of 1472	2716	btlawc.pif	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\invoice_7833.exe
"C:\Users\Admin\AppData\Local\Temp\invoice_7833.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3780

C:\Users\Admin\AppData\Local\Temp\8_410\btlawc.pif
"C:\Users\Admin\AppData\Local\Temp\8_410\btlawc.pif" rvkjvxgjb.ado
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2716

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
3⤵
- Executes dropped EXE
PID:1472

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8_410\btlawc.pif
Filesize
906KB

MD5
f28aa08788132e64db4b8918ee2430b1

SHA1
ef32b1023a89dc36d7c5e98e22845fe87c5efef2

SHA256
f99b9fc041c177f0bee2c82d09f451ef0833696111b1b37cbfff8c975232ece2

SHA512
689cf6118061aa9e7d4b78118db99338aa767433df511610d471a989825a84a53119310248ed3870b10e48e77b47c429ef5a276dbc9c4ec53a7588e16093b50f

Download Submit
C:\Users\Admin\AppData\Local\Temp\8_410\btlawc.pif
Filesize
906KB

MD5
f28aa08788132e64db4b8918ee2430b1

SHA1
ef32b1023a89dc36d7c5e98e22845fe87c5efef2

SHA256
f99b9fc041c177f0bee2c82d09f451ef0833696111b1b37cbfff8c975232ece2

SHA512
689cf6118061aa9e7d4b78118db99338aa767433df511610d471a989825a84a53119310248ed3870b10e48e77b47c429ef5a276dbc9c4ec53a7588e16093b50f

Download Submit
C:\Users\Admin\AppData\Local\Temp\8_410\iehqknoxj.log
Filesize
59KB

MD5
2700e5dc7d99daa1226ecc071fc14848

SHA1
df0e9b8fcacf21a8d28a9121f83b0a83224b1a69

SHA256
813ba7f9ced0f45900fffbf4cf07c9d4c3f532ec3b444078af1ce3a237365f91

SHA512
48961951cbf5eba1c947053ef5edc15b83601eb5a066530a262831276924b4c9e6fc45fcda4e861a7216a2bd601ee53ae262cbce8f4bda36028521aef613e636

Download Submit
C:\Users\Admin\AppData\Local\Temp\8_410\mnrvwnoo.kdv
Filesize
321KB

MD5
7c7103f63a985d7d365c8b5ffb976033

SHA1
9187fd85513b81a9ef14829d825667e7f2ce40b1

SHA256
42d4d72925bc5153ffa039c5fc070a8ee434d80f57b59624d299901463e91886

SHA512
acb7a771550bf41b005ac69c3d572cb6600da2be93fc08db02c019eb8fa1a70ffc26096931e256ea9c94e6627469c6380cc9fcd8a3ef8bc655b209063654f94f

Download Submit
C:\Users\Admin\AppData\Local\Temp\8_410\rvkjvxgjb.ado
Filesize
178.1MB

MD5
aab187cdf62195e8be56bdbbefce3d87

SHA1
a7d5d2d7ee9039d962aa30910deb456ab9441933

SHA256
47247cec5c19d4299ddc1d84f427ea86871e2ae36775d15679380ca5e71b5f4e

SHA512
a58d23b9884c781f386269aa2beda5281412253797dc36b75ee9506f831ba2f89ec74e62b0d40c20eb3942b18efd047fa3f0a9a75514b287b174c3b21f687558

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
Filesize
44KB

MD5
9d352bc46709f0cb5ec974633a0c3c94

SHA1
1969771b2f022f9a86d77ac4d4d239becdf08d07

SHA256
2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

SHA512
13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

Download Submit
memory/1472-138-0x0000000001000000-0x00000000015FB000-memory.dmp

Filesize
6.0MB

Download
memory/1472-139-0x000000000100242D-mapping.dmp

Download
memory/1472-142-0x0000000001000000-0x00000000015FB000-memory.dmp

Filesize
6.0MB

Download
memory/1472-143-0x0000000001000000-0x00000000015FB000-memory.dmp

Filesize
6.0MB

Download
memory/2716-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads