netwire | 4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5

General

Target

29b108e40acb05c3c9c2fa8c19b166e3.exe
Size

1.2MB
MD5

29b108e40acb05c3c9c2fa8c19b166e3
SHA1

892c676275a723822d2d47dc1a48defec8bde643
SHA256

4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5
SHA512

9cee10259615c90ea51710fd119dc9c8899b8bf4363513ecbc79aa3a69351c68625f5ca5e7c521d2346a54640358eb2deba0fd6db08a7ade5d2970304ad5beb2
SSDEEP

24576:peW/uHyRLqHJ/wAmDZtRauPvqz6WQ5YQ9kXRGjr:peW/uSRLeJ4AmDZtPPvqzs5Y+kXRG

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

C2

37.0.14.206:3384

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
install_path
%AppData%\Install\Host.exe
lock_executable
false
offline_keylogger
false
password
Password234
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 7 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1760-66-0x0000000000400000-0x000000000044F000-memory.dmp	netwire
behavioral1/memory/1760-68-0x0000000000400000-0x000000000044F000-memory.dmp	netwire
behavioral1/memory/1760-69-0x0000000000400000-0x000000000044F000-memory.dmp	netwire
behavioral1/memory/1760-71-0x0000000000400000-0x000000000044F000-memory.dmp	netwire
behavioral1/memory/1760-72-0x000000000041AD7B-mapping.dmp	netwire
behavioral1/memory/1760-75-0x0000000000400000-0x000000000044F000-memory.dmp	netwire
behavioral1/memory/1760-79-0x0000000000400000-0x000000000044F000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 1 IoCs

Processes:

Host.exe

pid process

1764 Host.exe
Loads dropped DLL 1 IoCs

Processes:

29b108e40acb05c3c9c2fa8c19b166e3.exe

pid process

1760 29b108e40acb05c3c9c2fa8c19b166e3.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

29b108e40acb05c3c9c2fa8c19b166e3.exe

description pid process target process

PID 1976 set thread context of 1760 1976 29b108e40acb05c3c9c2fa8c19b166e3.exe 29b108e40acb05c3c9c2fa8c19b166e3.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1304 schtasks.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

29b108e40acb05c3c9c2fa8c19b166e3.exe

pid process

1976 29b108e40acb05c3c9c2fa8c19b166e3.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

29b108e40acb05c3c9c2fa8c19b166e3.exe

description pid process

Token: SeDebugPrivilege 1976 29b108e40acb05c3c9c2fa8c19b166e3.exe

pid	process
1764	Host.exe

pid	process
1760	29b108e40acb05c3c9c2fa8c19b166e3.exe

description	pid	process	target process
PID 1976 set thread context of 1760	1976	29b108e40acb05c3c9c2fa8c19b166e3.exe	29b108e40acb05c3c9c2fa8c19b166e3.exe

pid	process
1304	schtasks.exe

pid	process
1976	29b108e40acb05c3c9c2fa8c19b166e3.exe

description	pid	process
Token: SeDebugPrivilege	1976	29b108e40acb05c3c9c2fa8c19b166e3.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

29b108e40acb05c3c9c2fa8c19b166e3.exe29b108e40acb05c3c9c2fa8c19b166e3.exe

description	pid	process	target process
PID 1976 wrote to memory of 1304	1976	29b108e40acb05c3c9c2fa8c19b166e3.exe	schtasks.exe
PID 1976 wrote to memory of 1304	1976	29b108e40acb05c3c9c2fa8c19b166e3.exe	schtasks.exe
PID 1976 wrote to memory of 1304	1976	29b108e40acb05c3c9c2fa8c19b166e3.exe	schtasks.exe
PID 1976 wrote to memory of 1304	1976	29b108e40acb05c3c9c2fa8c19b166e3.exe	schtasks.exe
PID 1976 wrote to memory of 1760	1976	29b108e40acb05c3c9c2fa8c19b166e3.exe	29b108e40acb05c3c9c2fa8c19b166e3.exe
PID 1976 wrote to memory of 1760	1976	29b108e40acb05c3c9c2fa8c19b166e3.exe	29b108e40acb05c3c9c2fa8c19b166e3.exe
PID 1976 wrote to memory of 1760	1976	29b108e40acb05c3c9c2fa8c19b166e3.exe	29b108e40acb05c3c9c2fa8c19b166e3.exe
PID 1976 wrote to memory of 1760	1976	29b108e40acb05c3c9c2fa8c19b166e3.exe	29b108e40acb05c3c9c2fa8c19b166e3.exe
PID 1976 wrote to memory of 1760	1976	29b108e40acb05c3c9c2fa8c19b166e3.exe	29b108e40acb05c3c9c2fa8c19b166e3.exe
PID 1976 wrote to memory of 1760	1976	29b108e40acb05c3c9c2fa8c19b166e3.exe	29b108e40acb05c3c9c2fa8c19b166e3.exe
PID 1976 wrote to memory of 1760	1976	29b108e40acb05c3c9c2fa8c19b166e3.exe	29b108e40acb05c3c9c2fa8c19b166e3.exe
PID 1976 wrote to memory of 1760	1976	29b108e40acb05c3c9c2fa8c19b166e3.exe	29b108e40acb05c3c9c2fa8c19b166e3.exe
PID 1976 wrote to memory of 1760	1976	29b108e40acb05c3c9c2fa8c19b166e3.exe	29b108e40acb05c3c9c2fa8c19b166e3.exe
PID 1976 wrote to memory of 1760	1976	29b108e40acb05c3c9c2fa8c19b166e3.exe	29b108e40acb05c3c9c2fa8c19b166e3.exe
PID 1976 wrote to memory of 1760	1976	29b108e40acb05c3c9c2fa8c19b166e3.exe	29b108e40acb05c3c9c2fa8c19b166e3.exe
PID 1760 wrote to memory of 1764	1760	29b108e40acb05c3c9c2fa8c19b166e3.exe	Host.exe
PID 1760 wrote to memory of 1764	1760	29b108e40acb05c3c9c2fa8c19b166e3.exe	Host.exe
PID 1760 wrote to memory of 1764	1760	29b108e40acb05c3c9c2fa8c19b166e3.exe	Host.exe
PID 1760 wrote to memory of 1764	1760	29b108e40acb05c3c9c2fa8c19b166e3.exe	Host.exe

C:\Users\Admin\AppData\Local\Temp\29b108e40acb05c3c9c2fa8c19b166e3.exe
"C:\Users\Admin\AppData\Local\Temp\29b108e40acb05c3c9c2fa8c19b166e3.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1976

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NSopOOoiUVq" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD98E.tmp"
2⤵
- Creates scheduled task(s)
PID:1304

C:\Users\Admin\AppData\Local\Temp\29b108e40acb05c3c9c2fa8c19b166e3.exe
"{path}"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1760

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
3⤵
- Executes dropped EXE
PID:1764

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpD98E.tmp
Filesize
1KB

MD5
86110b4f0debb24eabbcddcfde62ffe5

SHA1
5278dff6a60a0f5efa89f399a7a5919028c6acad

SHA256
168896dcbcb15dd91480d483b620dd647d89fdf183691f515dc252c310c7a0b1

SHA512
d777dbf0b445f49356bdb1e53df6a6b0ec795a1b07e1ff844672622b87b268e5591d10bf916170c98f1befe7c01273290c9c3ac38a3641827ccc8650d2f2ccad

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
1.2MB

MD5
29b108e40acb05c3c9c2fa8c19b166e3

SHA1
892c676275a723822d2d47dc1a48defec8bde643

SHA256
4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5

SHA512
9cee10259615c90ea51710fd119dc9c8899b8bf4363513ecbc79aa3a69351c68625f5ca5e7c521d2346a54640358eb2deba0fd6db08a7ade5d2970304ad5beb2

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
1.2MB

MD5
29b108e40acb05c3c9c2fa8c19b166e3

SHA1
892c676275a723822d2d47dc1a48defec8bde643

SHA256
4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5

SHA512
9cee10259615c90ea51710fd119dc9c8899b8bf4363513ecbc79aa3a69351c68625f5ca5e7c521d2346a54640358eb2deba0fd6db08a7ade5d2970304ad5beb2

Download Submit
\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
1.2MB

MD5
29b108e40acb05c3c9c2fa8c19b166e3

SHA1
892c676275a723822d2d47dc1a48defec8bde643

SHA256
4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5

SHA512
9cee10259615c90ea51710fd119dc9c8899b8bf4363513ecbc79aa3a69351c68625f5ca5e7c521d2346a54640358eb2deba0fd6db08a7ade5d2970304ad5beb2

Download Submit
memory/1304-59-0x0000000000000000-mapping.dmp

Download
memory/1760-66-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1760-61-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1760-62-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1760-64-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1760-79-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1760-68-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1760-69-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1760-71-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1760-72-0x000000000041AD7B-mapping.dmp

Download
memory/1760-75-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1764-81-0x0000000000820000-0x000000000094E000-memory.dmp

Filesize
1.2MB

Download
memory/1764-77-0x0000000000000000-mapping.dmp

Download
memory/1976-54-0x0000000000EB0000-0x0000000000FDE000-memory.dmp

Filesize
1.2MB

Download
memory/1976-56-0x0000000000370000-0x0000000000390000-memory.dmp

Filesize
128KB

Download
memory/1976-55-0x00000000764D1000-0x00000000764D3000-memory.dmp

Filesize
8KB

Download
memory/1976-57-0x00000000051D0000-0x00000000052A6000-memory.dmp

Filesize
856KB

Download
memory/1976-58-0x0000000005DD0000-0x0000000005E5C000-memory.dmp

Filesize
560KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads