netwire | 6bbe27987b901223162281c8367e5f997fd1bbd9d2bdd73965c513bffeaefd88

General

Target

6bbe27987b901223162281c8367e5f997fd1bbd9d2bdd73965c513bffeaefd88.exe
Size

279KB
MD5

82279e73735b339e79d926ee7ccda560
SHA1

61ad5df59728cfd2f0890d59726629845b075f68
SHA256

6bbe27987b901223162281c8367e5f997fd1bbd9d2bdd73965c513bffeaefd88
SHA512

50307bd3840e134d4251d8b4d69de0ea93ca9c3739ba991e6ade1c337edfe14e5de8bfee53a2cc427f93c5b185d1e758fd68e5d4e264fa4b52d2c5dff91d8fe4
SSDEEP

6144:t4s76tVXVgMBdhmE6xjDWV4hDbacmfhrb:t4vvX+MBLmXWyh3jmfhP

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Signatures

NetWire RAT payload 6 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1500-57-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral1/memory/1500-58-0x0000000000402196-mapping.dmp	netwire
behavioral1/memory/1500-61-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral1/memory/1500-65-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral1/memory/1112-72-0x0000000000402196-mapping.dmp	netwire
behavioral1/memory/1112-77-0x0000000000400000-0x000000000041E000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 2 IoCs

Processes:

windows.exewindows.exe

pid process

1176 windows.exe
1112 windows.exe

pid	process
1176	windows.exe
1112	windows.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

windows.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{U0U124TF-GTK2-5802-3TXW-C4SUST3SUEY6}	windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{U0U124TF-GTK2-5802-3TXW-C4SUST3SUEY6}\StubPath = "\"C:\\Users\\Admin\\AppData\\Roaming\\microsoft\\installer\\windows.exe\""	windows.exe

Deletes itself 1 IoCs

Processes:

windows.exe

pid process

1112 windows.exe

pid	process
1112	windows.exe

Loads dropped DLL 2 IoCs

Processes:

6bbe27987b901223162281c8367e5f997fd1bbd9d2bdd73965c513bffeaefd88.exe

pid	process
1500	6bbe27987b901223162281c8367e5f997fd1bbd9d2bdd73965c513bffeaefd88.exe
1500	6bbe27987b901223162281c8367e5f997fd1bbd9d2bdd73965c513bffeaefd88.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

windows.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	windows.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\microsoft = "C:\\Users\\Admin\\AppData\\Roaming\\microsoft\\installer\\windows.exe"	windows.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

6bbe27987b901223162281c8367e5f997fd1bbd9d2bdd73965c513bffeaefd88.exewindows.exe

description	pid	process	target process
PID 1672 set thread context of 1500	1672	6bbe27987b901223162281c8367e5f997fd1bbd9d2bdd73965c513bffeaefd88.exe	6bbe27987b901223162281c8367e5f997fd1bbd9d2bdd73965c513bffeaefd88.exe
PID 1176 set thread context of 1112	1176	windows.exe	windows.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

6bbe27987b901223162281c8367e5f997fd1bbd9d2bdd73965c513bffeaefd88.exewindows.exe

pid process

1672 6bbe27987b901223162281c8367e5f997fd1bbd9d2bdd73965c513bffeaefd88.exe
1176 windows.exe

pid	process
1672	6bbe27987b901223162281c8367e5f997fd1bbd9d2bdd73965c513bffeaefd88.exe
1176	windows.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

6bbe27987b901223162281c8367e5f997fd1bbd9d2bdd73965c513bffeaefd88.exe6bbe27987b901223162281c8367e5f997fd1bbd9d2bdd73965c513bffeaefd88.exewindows.exe

description	pid	process	target process
PID 1672 wrote to memory of 1500	1672	6bbe27987b901223162281c8367e5f997fd1bbd9d2bdd73965c513bffeaefd88.exe	6bbe27987b901223162281c8367e5f997fd1bbd9d2bdd73965c513bffeaefd88.exe
PID 1672 wrote to memory of 1500	1672	6bbe27987b901223162281c8367e5f997fd1bbd9d2bdd73965c513bffeaefd88.exe	6bbe27987b901223162281c8367e5f997fd1bbd9d2bdd73965c513bffeaefd88.exe
PID 1672 wrote to memory of 1500	1672	6bbe27987b901223162281c8367e5f997fd1bbd9d2bdd73965c513bffeaefd88.exe	6bbe27987b901223162281c8367e5f997fd1bbd9d2bdd73965c513bffeaefd88.exe
PID 1672 wrote to memory of 1500	1672	6bbe27987b901223162281c8367e5f997fd1bbd9d2bdd73965c513bffeaefd88.exe	6bbe27987b901223162281c8367e5f997fd1bbd9d2bdd73965c513bffeaefd88.exe
PID 1672 wrote to memory of 1500	1672	6bbe27987b901223162281c8367e5f997fd1bbd9d2bdd73965c513bffeaefd88.exe	6bbe27987b901223162281c8367e5f997fd1bbd9d2bdd73965c513bffeaefd88.exe
PID 1672 wrote to memory of 1500	1672	6bbe27987b901223162281c8367e5f997fd1bbd9d2bdd73965c513bffeaefd88.exe	6bbe27987b901223162281c8367e5f997fd1bbd9d2bdd73965c513bffeaefd88.exe
PID 1672 wrote to memory of 1500	1672	6bbe27987b901223162281c8367e5f997fd1bbd9d2bdd73965c513bffeaefd88.exe	6bbe27987b901223162281c8367e5f997fd1bbd9d2bdd73965c513bffeaefd88.exe
PID 1672 wrote to memory of 1500	1672	6bbe27987b901223162281c8367e5f997fd1bbd9d2bdd73965c513bffeaefd88.exe	6bbe27987b901223162281c8367e5f997fd1bbd9d2bdd73965c513bffeaefd88.exe
PID 1672 wrote to memory of 1500	1672	6bbe27987b901223162281c8367e5f997fd1bbd9d2bdd73965c513bffeaefd88.exe	6bbe27987b901223162281c8367e5f997fd1bbd9d2bdd73965c513bffeaefd88.exe
PID 1672 wrote to memory of 1500	1672	6bbe27987b901223162281c8367e5f997fd1bbd9d2bdd73965c513bffeaefd88.exe	6bbe27987b901223162281c8367e5f997fd1bbd9d2bdd73965c513bffeaefd88.exe
PID 1672 wrote to memory of 1500	1672	6bbe27987b901223162281c8367e5f997fd1bbd9d2bdd73965c513bffeaefd88.exe	6bbe27987b901223162281c8367e5f997fd1bbd9d2bdd73965c513bffeaefd88.exe
PID 1500 wrote to memory of 1176	1500	6bbe27987b901223162281c8367e5f997fd1bbd9d2bdd73965c513bffeaefd88.exe	windows.exe
PID 1500 wrote to memory of 1176	1500	6bbe27987b901223162281c8367e5f997fd1bbd9d2bdd73965c513bffeaefd88.exe	windows.exe
PID 1500 wrote to memory of 1176	1500	6bbe27987b901223162281c8367e5f997fd1bbd9d2bdd73965c513bffeaefd88.exe	windows.exe
PID 1500 wrote to memory of 1176	1500	6bbe27987b901223162281c8367e5f997fd1bbd9d2bdd73965c513bffeaefd88.exe	windows.exe
PID 1176 wrote to memory of 1112	1176	windows.exe	windows.exe
PID 1176 wrote to memory of 1112	1176	windows.exe	windows.exe
PID 1176 wrote to memory of 1112	1176	windows.exe	windows.exe
PID 1176 wrote to memory of 1112	1176	windows.exe	windows.exe
PID 1176 wrote to memory of 1112	1176	windows.exe	windows.exe
PID 1176 wrote to memory of 1112	1176	windows.exe	windows.exe
PID 1176 wrote to memory of 1112	1176	windows.exe	windows.exe
PID 1176 wrote to memory of 1112	1176	windows.exe	windows.exe
PID 1176 wrote to memory of 1112	1176	windows.exe	windows.exe
PID 1176 wrote to memory of 1112	1176	windows.exe	windows.exe
PID 1176 wrote to memory of 1112	1176	windows.exe	windows.exe

C:\Users\Admin\AppData\Local\Temp\6bbe27987b901223162281c8367e5f997fd1bbd9d2bdd73965c513bffeaefd88.exe
"C:\Users\Admin\AppData\Local\Temp\6bbe27987b901223162281c8367e5f997fd1bbd9d2bdd73965c513bffeaefd88.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1672

C:\Users\Admin\AppData\Local\Temp\6bbe27987b901223162281c8367e5f997fd1bbd9d2bdd73965c513bffeaefd88.exe
"C:\Users\Admin\AppData\Local\Temp\6bbe27987b901223162281c8367e5f997fd1bbd9d2bdd73965c513bffeaefd88.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1500

C:\Users\Admin\AppData\Roaming\microsoft\installer\windows.exe
-m "C:\Users\Admin\AppData\Local\Temp\6bbe27987b901223162281c8367e5f997fd1bbd9d2bdd73965c513bffeaefd88.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1176

C:\Users\Admin\AppData\Roaming\microsoft\installer\windows.exe
-m "C:\Users\Admin\AppData\Local\Temp\6bbe27987b901223162281c8367e5f997fd1bbd9d2bdd73965c513bffeaefd88.exe"
4⤵
- Executes dropped EXE
- Modifies Installed Components in the registry
- Deletes itself
- Adds Run key to start application
PID:1112

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\installer\windows.exe
Filesize
279KB

MD5
82279e73735b339e79d926ee7ccda560

SHA1
61ad5df59728cfd2f0890d59726629845b075f68

SHA256
6bbe27987b901223162281c8367e5f997fd1bbd9d2bdd73965c513bffeaefd88

SHA512
50307bd3840e134d4251d8b4d69de0ea93ca9c3739ba991e6ade1c337edfe14e5de8bfee53a2cc427f93c5b185d1e758fd68e5d4e264fa4b52d2c5dff91d8fe4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\installer\windows.exe
Filesize
279KB

MD5
82279e73735b339e79d926ee7ccda560

SHA1
61ad5df59728cfd2f0890d59726629845b075f68

SHA256
6bbe27987b901223162281c8367e5f997fd1bbd9d2bdd73965c513bffeaefd88

SHA512
50307bd3840e134d4251d8b4d69de0ea93ca9c3739ba991e6ade1c337edfe14e5de8bfee53a2cc427f93c5b185d1e758fd68e5d4e264fa4b52d2c5dff91d8fe4

Download Submit
C:\Users\Admin\AppData\Roaming\microsoft\installer\windows.exe
Filesize
279KB

MD5
82279e73735b339e79d926ee7ccda560

SHA1
61ad5df59728cfd2f0890d59726629845b075f68

SHA256
6bbe27987b901223162281c8367e5f997fd1bbd9d2bdd73965c513bffeaefd88

SHA512
50307bd3840e134d4251d8b4d69de0ea93ca9c3739ba991e6ade1c337edfe14e5de8bfee53a2cc427f93c5b185d1e758fd68e5d4e264fa4b52d2c5dff91d8fe4

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\installer\windows.exe
Filesize
279KB

MD5
82279e73735b339e79d926ee7ccda560

SHA1
61ad5df59728cfd2f0890d59726629845b075f68

SHA256
6bbe27987b901223162281c8367e5f997fd1bbd9d2bdd73965c513bffeaefd88

SHA512
50307bd3840e134d4251d8b4d69de0ea93ca9c3739ba991e6ade1c337edfe14e5de8bfee53a2cc427f93c5b185d1e758fd68e5d4e264fa4b52d2c5dff91d8fe4

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\installer\windows.exe
Filesize
279KB

MD5
82279e73735b339e79d926ee7ccda560

SHA1
61ad5df59728cfd2f0890d59726629845b075f68

SHA256
6bbe27987b901223162281c8367e5f997fd1bbd9d2bdd73965c513bffeaefd88

SHA512
50307bd3840e134d4251d8b4d69de0ea93ca9c3739ba991e6ade1c337edfe14e5de8bfee53a2cc427f93c5b185d1e758fd68e5d4e264fa4b52d2c5dff91d8fe4

Download Submit
memory/1112-72-0x0000000000402196-mapping.dmp

Download
memory/1112-77-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1176-64-0x0000000000000000-mapping.dmp

Download
memory/1500-65-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1500-61-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1500-58-0x0000000000402196-mapping.dmp

Download
memory/1500-57-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1672-56-0x0000000075DA1000-0x0000000075DA3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads