netwire | 88b8af60d96c24bb9c8fbaffa9310c474592a528fe1322427e4e6f5ae2650e6a

General

Target

88b8af60d96c24bb9c8fbaffa9310c474592a528fe1322427e4e6f5ae2650e6a.exe
Size

332KB
MD5

66db2cab6f4000cc5788b70f37ffdc60
SHA1

5d9f3d7f1fe5f3df177ddc2336ac650b4fd802d7
SHA256

88b8af60d96c24bb9c8fbaffa9310c474592a528fe1322427e4e6f5ae2650e6a
SHA512

a4bbae98011c5f20d428df079e1933ae9979b84d0d5f6f097e5a4ff385490ddd48e3a69154320f4b47c6e04320f2aba0eff4dc3e55a227cfdeca015a8f1fe1d3
SSDEEP

3072:Y+gycKNB60ldIXlsFKMaDKxVnPa3MgmH7Hg3l8XjDXvoIZh49BB4gA4AbU8TngF2:Y+gzKauyP/3MaK3+MFW

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Signatures

NetWire RAT payload 6 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1800-57-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral1/memory/1800-58-0x00000000004021DA-mapping.dmp	netwire
behavioral1/memory/1800-62-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral1/memory/1800-67-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral1/memory/1116-73-0x00000000004021DA-mapping.dmp	netwire
behavioral1/memory/1116-78-0x0000000000400000-0x000000000041E000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 2 IoCs

Processes:

Host.exeHost.exe

pid process

1956 Host.exe
1116 Host.exe

pid	process
1956	Host.exe
1116	Host.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Host.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{88ROKMYV-7K7H-AY44-WV21-FF633YI8F088}	Host.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{88ROKMYV-7K7H-AY44-WV21-FF633YI8F088}\StubPath = "\"C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe\""	Host.exe

Deletes itself 1 IoCs

Processes:

Host.exe

pid process

1116 Host.exe

pid	process
1116	Host.exe

Loads dropped DLL 2 IoCs

Processes:

88b8af60d96c24bb9c8fbaffa9310c474592a528fe1322427e4e6f5ae2650e6a.exe

pid	process
1800	88b8af60d96c24bb9c8fbaffa9310c474592a528fe1322427e4e6f5ae2650e6a.exe
1800	88b8af60d96c24bb9c8fbaffa9310c474592a528fe1322427e4e6f5ae2650e6a.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Host.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	Host.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe"	Host.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

88b8af60d96c24bb9c8fbaffa9310c474592a528fe1322427e4e6f5ae2650e6a.exeHost.exe

description	pid	process	target process
PID 1184 set thread context of 1800	1184	88b8af60d96c24bb9c8fbaffa9310c474592a528fe1322427e4e6f5ae2650e6a.exe	88b8af60d96c24bb9c8fbaffa9310c474592a528fe1322427e4e6f5ae2650e6a.exe
PID 1956 set thread context of 1116	1956	Host.exe	Host.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

88b8af60d96c24bb9c8fbaffa9310c474592a528fe1322427e4e6f5ae2650e6a.exeHost.exe

pid process

1184 88b8af60d96c24bb9c8fbaffa9310c474592a528fe1322427e4e6f5ae2650e6a.exe
1956 Host.exe

pid	process
1184	88b8af60d96c24bb9c8fbaffa9310c474592a528fe1322427e4e6f5ae2650e6a.exe
1956	Host.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

88b8af60d96c24bb9c8fbaffa9310c474592a528fe1322427e4e6f5ae2650e6a.exe88b8af60d96c24bb9c8fbaffa9310c474592a528fe1322427e4e6f5ae2650e6a.exeHost.exe

description	pid	process	target process
PID 1184 wrote to memory of 1800	1184	88b8af60d96c24bb9c8fbaffa9310c474592a528fe1322427e4e6f5ae2650e6a.exe	88b8af60d96c24bb9c8fbaffa9310c474592a528fe1322427e4e6f5ae2650e6a.exe
PID 1184 wrote to memory of 1800	1184	88b8af60d96c24bb9c8fbaffa9310c474592a528fe1322427e4e6f5ae2650e6a.exe	88b8af60d96c24bb9c8fbaffa9310c474592a528fe1322427e4e6f5ae2650e6a.exe
PID 1184 wrote to memory of 1800	1184	88b8af60d96c24bb9c8fbaffa9310c474592a528fe1322427e4e6f5ae2650e6a.exe	88b8af60d96c24bb9c8fbaffa9310c474592a528fe1322427e4e6f5ae2650e6a.exe
PID 1184 wrote to memory of 1800	1184	88b8af60d96c24bb9c8fbaffa9310c474592a528fe1322427e4e6f5ae2650e6a.exe	88b8af60d96c24bb9c8fbaffa9310c474592a528fe1322427e4e6f5ae2650e6a.exe
PID 1184 wrote to memory of 1800	1184	88b8af60d96c24bb9c8fbaffa9310c474592a528fe1322427e4e6f5ae2650e6a.exe	88b8af60d96c24bb9c8fbaffa9310c474592a528fe1322427e4e6f5ae2650e6a.exe
PID 1184 wrote to memory of 1800	1184	88b8af60d96c24bb9c8fbaffa9310c474592a528fe1322427e4e6f5ae2650e6a.exe	88b8af60d96c24bb9c8fbaffa9310c474592a528fe1322427e4e6f5ae2650e6a.exe
PID 1184 wrote to memory of 1800	1184	88b8af60d96c24bb9c8fbaffa9310c474592a528fe1322427e4e6f5ae2650e6a.exe	88b8af60d96c24bb9c8fbaffa9310c474592a528fe1322427e4e6f5ae2650e6a.exe
PID 1184 wrote to memory of 1800	1184	88b8af60d96c24bb9c8fbaffa9310c474592a528fe1322427e4e6f5ae2650e6a.exe	88b8af60d96c24bb9c8fbaffa9310c474592a528fe1322427e4e6f5ae2650e6a.exe
PID 1184 wrote to memory of 1800	1184	88b8af60d96c24bb9c8fbaffa9310c474592a528fe1322427e4e6f5ae2650e6a.exe	88b8af60d96c24bb9c8fbaffa9310c474592a528fe1322427e4e6f5ae2650e6a.exe
PID 1184 wrote to memory of 1800	1184	88b8af60d96c24bb9c8fbaffa9310c474592a528fe1322427e4e6f5ae2650e6a.exe	88b8af60d96c24bb9c8fbaffa9310c474592a528fe1322427e4e6f5ae2650e6a.exe
PID 1184 wrote to memory of 1800	1184	88b8af60d96c24bb9c8fbaffa9310c474592a528fe1322427e4e6f5ae2650e6a.exe	88b8af60d96c24bb9c8fbaffa9310c474592a528fe1322427e4e6f5ae2650e6a.exe
PID 1800 wrote to memory of 1956	1800	88b8af60d96c24bb9c8fbaffa9310c474592a528fe1322427e4e6f5ae2650e6a.exe	Host.exe
PID 1800 wrote to memory of 1956	1800	88b8af60d96c24bb9c8fbaffa9310c474592a528fe1322427e4e6f5ae2650e6a.exe	Host.exe
PID 1800 wrote to memory of 1956	1800	88b8af60d96c24bb9c8fbaffa9310c474592a528fe1322427e4e6f5ae2650e6a.exe	Host.exe
PID 1800 wrote to memory of 1956	1800	88b8af60d96c24bb9c8fbaffa9310c474592a528fe1322427e4e6f5ae2650e6a.exe	Host.exe
PID 1956 wrote to memory of 1116	1956	Host.exe	Host.exe
PID 1956 wrote to memory of 1116	1956	Host.exe	Host.exe
PID 1956 wrote to memory of 1116	1956	Host.exe	Host.exe
PID 1956 wrote to memory of 1116	1956	Host.exe	Host.exe
PID 1956 wrote to memory of 1116	1956	Host.exe	Host.exe
PID 1956 wrote to memory of 1116	1956	Host.exe	Host.exe
PID 1956 wrote to memory of 1116	1956	Host.exe	Host.exe
PID 1956 wrote to memory of 1116	1956	Host.exe	Host.exe
PID 1956 wrote to memory of 1116	1956	Host.exe	Host.exe
PID 1956 wrote to memory of 1116	1956	Host.exe	Host.exe
PID 1956 wrote to memory of 1116	1956	Host.exe	Host.exe

C:\Users\Admin\AppData\Local\Temp\88b8af60d96c24bb9c8fbaffa9310c474592a528fe1322427e4e6f5ae2650e6a.exe
"C:\Users\Admin\AppData\Local\Temp\88b8af60d96c24bb9c8fbaffa9310c474592a528fe1322427e4e6f5ae2650e6a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1184

C:\Users\Admin\AppData\Local\Temp\88b8af60d96c24bb9c8fbaffa9310c474592a528fe1322427e4e6f5ae2650e6a.exe
"C:\Users\Admin\AppData\Local\Temp\88b8af60d96c24bb9c8fbaffa9310c474592a528fe1322427e4e6f5ae2650e6a.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1800

C:\Users\Admin\AppData\Roaming\Install\Host.exe
-m "C:\Users\Admin\AppData\Local\Temp\88b8af60d96c24bb9c8fbaffa9310c474592a528fe1322427e4e6f5ae2650e6a.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1956

C:\Users\Admin\AppData\Roaming\Install\Host.exe
-m "C:\Users\Admin\AppData\Local\Temp\88b8af60d96c24bb9c8fbaffa9310c474592a528fe1322427e4e6f5ae2650e6a.exe"
4⤵
- Executes dropped EXE
- Modifies Installed Components in the registry
- Deletes itself
- Adds Run key to start application
PID:1116

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
332KB

MD5
66db2cab6f4000cc5788b70f37ffdc60

SHA1
5d9f3d7f1fe5f3df177ddc2336ac650b4fd802d7

SHA256
88b8af60d96c24bb9c8fbaffa9310c474592a528fe1322427e4e6f5ae2650e6a

SHA512
a4bbae98011c5f20d428df079e1933ae9979b84d0d5f6f097e5a4ff385490ddd48e3a69154320f4b47c6e04320f2aba0eff4dc3e55a227cfdeca015a8f1fe1d3

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
332KB

MD5
66db2cab6f4000cc5788b70f37ffdc60

SHA1
5d9f3d7f1fe5f3df177ddc2336ac650b4fd802d7

SHA256
88b8af60d96c24bb9c8fbaffa9310c474592a528fe1322427e4e6f5ae2650e6a

SHA512
a4bbae98011c5f20d428df079e1933ae9979b84d0d5f6f097e5a4ff385490ddd48e3a69154320f4b47c6e04320f2aba0eff4dc3e55a227cfdeca015a8f1fe1d3

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
332KB

MD5
66db2cab6f4000cc5788b70f37ffdc60

SHA1
5d9f3d7f1fe5f3df177ddc2336ac650b4fd802d7

SHA256
88b8af60d96c24bb9c8fbaffa9310c474592a528fe1322427e4e6f5ae2650e6a

SHA512
a4bbae98011c5f20d428df079e1933ae9979b84d0d5f6f097e5a4ff385490ddd48e3a69154320f4b47c6e04320f2aba0eff4dc3e55a227cfdeca015a8f1fe1d3

Download Submit
\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
332KB

MD5
66db2cab6f4000cc5788b70f37ffdc60

SHA1
5d9f3d7f1fe5f3df177ddc2336ac650b4fd802d7

SHA256
88b8af60d96c24bb9c8fbaffa9310c474592a528fe1322427e4e6f5ae2650e6a

SHA512
a4bbae98011c5f20d428df079e1933ae9979b84d0d5f6f097e5a4ff385490ddd48e3a69154320f4b47c6e04320f2aba0eff4dc3e55a227cfdeca015a8f1fe1d3

Download Submit
\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
332KB

MD5
66db2cab6f4000cc5788b70f37ffdc60

SHA1
5d9f3d7f1fe5f3df177ddc2336ac650b4fd802d7

SHA256
88b8af60d96c24bb9c8fbaffa9310c474592a528fe1322427e4e6f5ae2650e6a

SHA512
a4bbae98011c5f20d428df079e1933ae9979b84d0d5f6f097e5a4ff385490ddd48e3a69154320f4b47c6e04320f2aba0eff4dc3e55a227cfdeca015a8f1fe1d3

Download Submit
memory/1116-78-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1116-73-0x00000000004021DA-mapping.dmp

Download
memory/1184-59-0x0000000000270000-0x0000000000276000-memory.dmp

Filesize
24KB

Download
memory/1184-56-0x0000000074BB1000-0x0000000074BB3000-memory.dmp

Filesize
8KB

Download
memory/1800-67-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1800-62-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1800-58-0x00000000004021DA-mapping.dmp

Download
memory/1800-57-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1956-65-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads