netwire | 8a339775bd331c2bac7f1e0152dbdd6d8037ef2098a6b455b1cce45107cb5e6e

General

Target

Remittance AdviceInvoice and parking List pdf.exe
Size

1.0MB
MD5

ce1250f42f8fa8bc70082cf2b591c471
SHA1

70a550c5d3ed62257fd1dfd9213a99444104d69b
SHA256

8a339775bd331c2bac7f1e0152dbdd6d8037ef2098a6b455b1cce45107cb5e6e
SHA512

187c386f97562b7fd84467ff3bc4865d84a0ba7d14f3266ca0423a9574908e5bfeda7d14d739686b7e0d90e61abafcc9943fa62c081ac59decd463a45180e4cb
SSDEEP

12288:O2iNzJLbODG3PnKgGtW07tZMtQ/VP/281jPRSPCfdrXPm3u:O1fukPnvt0ZZ4Q/VP/28OPCN+3

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

C2

kimlee11.duckdns.org:8839

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
lock_executable
false
offline_keylogger
false
password
Password
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3248-145-0x0000000000400000-0x000000000044F000-memory.dmp	netwire
behavioral2/memory/3248-146-0x0000000000400000-0x000000000044F000-memory.dmp	netwire
behavioral2/memory/3248-149-0x0000000000400000-0x000000000044F000-memory.dmp	netwire
behavioral2/memory/3248-151-0x0000000000400000-0x000000000044F000-memory.dmp	netwire
behavioral2/memory/3248-162-0x0000000000400000-0x000000000044F000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Remittance AdviceInvoice and parking List pdf.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Remittance AdviceInvoice and parking List pdf.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Remittance AdviceInvoice and parking List pdf.exe

description	pid	process	target process
PID 4736 set thread context of 3248	4736	Remittance AdviceInvoice and parking List pdf.exe	Remittance AdviceInvoice and parking List pdf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2488 schtasks.exe

pid	process
2488	schtasks.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

Remittance AdviceInvoice and parking List pdf.exepowershell.exe

pid	process
4736	Remittance AdviceInvoice and parking List pdf.exe
4736	Remittance AdviceInvoice and parking List pdf.exe
4736	Remittance AdviceInvoice and parking List pdf.exe
4736	Remittance AdviceInvoice and parking List pdf.exe
4736	Remittance AdviceInvoice and parking List pdf.exe
4736	Remittance AdviceInvoice and parking List pdf.exe
4736	Remittance AdviceInvoice and parking List pdf.exe
4736	Remittance AdviceInvoice and parking List pdf.exe
4736	Remittance AdviceInvoice and parking List pdf.exe
2732	powershell.exe
2732	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Remittance AdviceInvoice and parking List pdf.exepowershell.exe

description pid process

Token: SeDebugPrivilege 4736 Remittance AdviceInvoice and parking List pdf.exe
Token: SeDebugPrivilege 2732 powershell.exe

description	pid	process
Token: SeDebugPrivilege	4736	Remittance AdviceInvoice and parking List pdf.exe
Token: SeDebugPrivilege	2732	powershell.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

Remittance AdviceInvoice and parking List pdf.exe

C:\Users\Admin\AppData\Local\Temp\Remittance AdviceInvoice and parking List pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Remittance AdviceInvoice and parking List pdf.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4736

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ATtzwttIOonXlr.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2732

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ATtzwttIOonXlr" /XML "C:\Users\Admin\AppData\Local\Temp\tmp48A2.tmp"
2⤵
- Creates scheduled task(s)
PID:2488

C:\Users\Admin\AppData\Local\Temp\Remittance AdviceInvoice and parking List pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Remittance AdviceInvoice and parking List pdf.exe"
2⤵
PID:3656

C:\Users\Admin\AppData\Local\Temp\Remittance AdviceInvoice and parking List pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Remittance AdviceInvoice and parking List pdf.exe"
2⤵
PID:3248

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp48A2.tmp

Filesize
1KB

MD5
2e815a80873034bfc36988eab407615c

SHA1
7c175459878eee803f10912314b682e45c698697

SHA256
46b864e15d0dc3f0fc8d59501ba672210801ae20ed5ce868afeb540efa05db65

SHA512
ea197ba3678261bf9e0ccb0ee6c5fbbb055d45530b743de60381f2e2f5b32adde28c6b3c441c3f0bac81d40a795973ec4418122f57c35911efa84ed60b8cb474

Download Submit
memory/2488-139-0x0000000000000000-mapping.dmp

Download
memory/2732-147-0x00000000057A0000-0x00000000057C2000-memory.dmp

Filesize
136KB

Download
memory/2732-138-0x0000000000000000-mapping.dmp

Download
memory/2732-148-0x0000000005840000-0x00000000058A6000-memory.dmp

Filesize
408KB

Download
memory/2732-161-0x0000000007D90000-0x0000000007D98000-memory.dmp

Filesize
32KB

Download
memory/2732-160-0x0000000007DB0000-0x0000000007DCA000-memory.dmp

Filesize
104KB

Download
memory/2732-159-0x0000000007CA0000-0x0000000007CAE000-memory.dmp

Filesize
56KB

Download
memory/2732-140-0x0000000002E80000-0x0000000002EB6000-memory.dmp

Filesize
216KB

Download
memory/2732-158-0x0000000007CF0000-0x0000000007D86000-memory.dmp

Filesize
600KB

Download
memory/2732-142-0x0000000005BD0000-0x00000000061F8000-memory.dmp

Filesize
6.2MB

Download
memory/2732-157-0x0000000007AE0000-0x0000000007AEA000-memory.dmp

Filesize
40KB

Download
memory/2732-156-0x0000000007A70000-0x0000000007A8A000-memory.dmp

Filesize
104KB

Download
memory/2732-150-0x0000000006770000-0x000000000678E000-memory.dmp

Filesize
120KB

Download
memory/2732-155-0x00000000080C0000-0x000000000873A000-memory.dmp

Filesize
6.5MB

Download
memory/2732-154-0x0000000006D30000-0x0000000006D4E000-memory.dmp

Filesize
120KB

Download
memory/2732-153-0x0000000072380000-0x00000000723CC000-memory.dmp

Filesize
304KB

Download
memory/2732-152-0x0000000006D50000-0x0000000006D82000-memory.dmp

Filesize
200KB

Download
memory/3248-151-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/3248-162-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/3248-144-0x0000000000000000-mapping.dmp

Download
memory/3248-146-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/3248-145-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/3248-149-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/3656-143-0x0000000000000000-mapping.dmp

Download
memory/4736-136-0x000000000A280000-0x000000000A31C000-memory.dmp

Filesize
624KB

Download
memory/4736-133-0x00000000058B0000-0x0000000005E54000-memory.dmp

Filesize
5.6MB

Download
memory/4736-134-0x00000000053A0000-0x0000000005432000-memory.dmp

Filesize
584KB

Download
memory/4736-132-0x00000000008A0000-0x00000000009A6000-memory.dmp

Filesize
1.0MB

Download
memory/4736-137-0x000000000A6B0000-0x000000000A716000-memory.dmp

Filesize
408KB

Download
memory/4736-135-0x0000000005340000-0x000000000534A000-memory.dmp

Filesize
40KB

Download

description	pid	process	target process
PID 4736 wrote to memory of 2732	4736	Remittance AdviceInvoice and parking List pdf.exe	powershell.exe
PID 4736 wrote to memory of 2732	4736	Remittance AdviceInvoice and parking List pdf.exe	powershell.exe
PID 4736 wrote to memory of 2732	4736	Remittance AdviceInvoice and parking List pdf.exe	powershell.exe
PID 4736 wrote to memory of 2488	4736	Remittance AdviceInvoice and parking List pdf.exe	schtasks.exe
PID 4736 wrote to memory of 2488	4736	Remittance AdviceInvoice and parking List pdf.exe	schtasks.exe
PID 4736 wrote to memory of 2488	4736	Remittance AdviceInvoice and parking List pdf.exe	schtasks.exe
PID 4736 wrote to memory of 3656	4736	Remittance AdviceInvoice and parking List pdf.exe	Remittance AdviceInvoice and parking List pdf.exe
PID 4736 wrote to memory of 3656	4736	Remittance AdviceInvoice and parking List pdf.exe	Remittance AdviceInvoice and parking List pdf.exe
PID 4736 wrote to memory of 3656	4736	Remittance AdviceInvoice and parking List pdf.exe	Remittance AdviceInvoice and parking List pdf.exe
PID 4736 wrote to memory of 3248	4736	Remittance AdviceInvoice and parking List pdf.exe	Remittance AdviceInvoice and parking List pdf.exe
PID 4736 wrote to memory of 3248	4736	Remittance AdviceInvoice and parking List pdf.exe	Remittance AdviceInvoice and parking List pdf.exe
PID 4736 wrote to memory of 3248	4736	Remittance AdviceInvoice and parking List pdf.exe	Remittance AdviceInvoice and parking List pdf.exe
PID 4736 wrote to memory of 3248	4736	Remittance AdviceInvoice and parking List pdf.exe	Remittance AdviceInvoice and parking List pdf.exe
PID 4736 wrote to memory of 3248	4736	Remittance AdviceInvoice and parking List pdf.exe	Remittance AdviceInvoice and parking List pdf.exe
PID 4736 wrote to memory of 3248	4736	Remittance AdviceInvoice and parking List pdf.exe	Remittance AdviceInvoice and parking List pdf.exe
PID 4736 wrote to memory of 3248	4736	Remittance AdviceInvoice and parking List pdf.exe	Remittance AdviceInvoice and parking List pdf.exe
PID 4736 wrote to memory of 3248	4736	Remittance AdviceInvoice and parking List pdf.exe	Remittance AdviceInvoice and parking List pdf.exe
PID 4736 wrote to memory of 3248	4736	Remittance AdviceInvoice and parking List pdf.exe	Remittance AdviceInvoice and parking List pdf.exe
PID 4736 wrote to memory of 3248	4736	Remittance AdviceInvoice and parking List pdf.exe	Remittance AdviceInvoice and parking List pdf.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads