netwire | b002c64f7d0ff0a952b72f31609e683f17bb23313417f6639afdec47d9187b25

General

Target

Confidential.exe
Size

727KB
MD5

77d64026e7224a2243bcb023766111e6
SHA1

0124b3fc954340b6857c96b37e89e9eca64da43a
SHA256

b002c64f7d0ff0a952b72f31609e683f17bb23313417f6639afdec47d9187b25
SHA512

aa233f2db25af667574de2de6870cd6aa259b62700f604bf0478dac442a358a143853c8b8ad0c913f91b3b3e05662a3c9a7216cd1ca051fd0c20e5fbba40a0b8
SSDEEP

12288:voxpAdRDmK6S8IB++Ll22jqZEp5E3qjJ5nl0+9MK:Z56SRB++LVMy1jrZe

Score

10^/10

netwire botnet evasion rat stealer

Malware Config

Extracted

Family

netwire

C2

104.222.188.99:3360

zonedx.ddns.net:3360

zonedx.ddns.net:3363

104.222.188.99:3363

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
Password9090
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 8 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/288-68-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/288-67-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/288-66-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/288-70-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/288-71-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/288-72-0x000000000040242D-mapping.dmp	netwire
behavioral1/memory/288-75-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/288-76-0x0000000000400000-0x0000000000433000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

Confidential.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions Confidential.exe
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

Confidential.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools Confidential.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions	Confidential.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools	Confidential.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Confidential.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Confidential.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Confidential.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Confidential.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	Confidential.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	Confidential.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Confidential.exe

description pid process target process

PID 1132 set thread context of 288 1132 Confidential.exe Confidential.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

920 schtasks.exe

description	pid	process	target process
PID 1132 set thread context of 288	1132	Confidential.exe	Confidential.exe

pid	process
920	schtasks.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

Confidential.exe

description	pid	process	target process
PID 1132 wrote to memory of 920	1132	Confidential.exe	schtasks.exe
PID 1132 wrote to memory of 920	1132	Confidential.exe	schtasks.exe
PID 1132 wrote to memory of 920	1132	Confidential.exe	schtasks.exe
PID 1132 wrote to memory of 920	1132	Confidential.exe	schtasks.exe
PID 1132 wrote to memory of 288	1132	Confidential.exe	Confidential.exe
PID 1132 wrote to memory of 288	1132	Confidential.exe	Confidential.exe
PID 1132 wrote to memory of 288	1132	Confidential.exe	Confidential.exe
PID 1132 wrote to memory of 288	1132	Confidential.exe	Confidential.exe
PID 1132 wrote to memory of 288	1132	Confidential.exe	Confidential.exe
PID 1132 wrote to memory of 288	1132	Confidential.exe	Confidential.exe
PID 1132 wrote to memory of 288	1132	Confidential.exe	Confidential.exe
PID 1132 wrote to memory of 288	1132	Confidential.exe	Confidential.exe
PID 1132 wrote to memory of 288	1132	Confidential.exe	Confidential.exe
PID 1132 wrote to memory of 288	1132	Confidential.exe	Confidential.exe
PID 1132 wrote to memory of 288	1132	Confidential.exe	Confidential.exe
PID 1132 wrote to memory of 288	1132	Confidential.exe	Confidential.exe

C:\Users\Admin\AppData\Local\Temp\Confidential.exe
"C:\Users\Admin\AppData\Local\Temp\Confidential.exe"
1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1132

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HQbzNKKSw" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6A0A.tmp"
2⤵
- Creates scheduled task(s)
PID:920

C:\Users\Admin\AppData\Local\Temp\Confidential.exe
"{path}"
2⤵
PID:288

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Query Registry

4

T1012

Virtualization/Sandbox Evasion

2

T1497

System Information Discovery

3

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp6A0A.tmp
Filesize
1KB

MD5
912be3801ae0426e82a9bfc6747aa33e

SHA1
5a4517dafe9079e5c80699dbe8e43f1e7c01f8ee

SHA256
6faea3f41635235ff9d761cb509fb60ee18c446eabdee280bd79e3cabc2915bf

SHA512
542299a701e9079d0d728b202d3c6f85bd2b42fa0b8bb7cbae4fd445fd24309770e1e413d3b062eba763afb6df1a5f27ed1cb77dd80aedd1467e2337b9aa35c8

Download Submit
memory/288-66-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/288-70-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/288-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/288-76-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/288-68-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/288-75-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/288-61-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/288-67-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/288-72-0x000000000040242D-mapping.dmp

Download
memory/288-71-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/288-62-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/920-59-0x0000000000000000-mapping.dmp

Download
memory/1132-54-0x0000000000260000-0x000000000031C000-memory.dmp

Filesize
752KB

Download
memory/1132-56-0x0000000000690000-0x00000000006B0000-memory.dmp

Filesize
128KB

Download
memory/1132-57-0x0000000004D60000-0x0000000004DD8000-memory.dmp

Filesize
480KB

Download
memory/1132-55-0x0000000075931000-0x0000000075933000-memory.dmp

Filesize
8KB

Download
memory/1132-58-0x00000000008A0000-0x00000000008CE000-memory.dmp

Filesize
184KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads