netwire | 6bbe27987b901223162281c8367e5f997fd1bbd9d2bdd73965c513bffeaefd88

General

Target

6bbe27987b901223162281c8367e5f997fd1bbd9d2bdd73965c513bffeaefd88.exe
Size

279KB
MD5

82279e73735b339e79d926ee7ccda560
SHA1

61ad5df59728cfd2f0890d59726629845b075f68
SHA256

6bbe27987b901223162281c8367e5f997fd1bbd9d2bdd73965c513bffeaefd88
SHA512

50307bd3840e134d4251d8b4d69de0ea93ca9c3739ba991e6ade1c337edfe14e5de8bfee53a2cc427f93c5b185d1e758fd68e5d4e264fa4b52d2c5dff91d8fe4
SSDEEP

6144:t4s76tVXVgMBdhmE6xjDWV4hDbacmfhrb:t4vvX+MBLmXWyh3jmfhP

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Signatures

NetWire RAT payload 6 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4544-134-0x0000000000000000-mapping.dmp	netwire
behavioral2/memory/4544-135-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral2/memory/4544-137-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral2/memory/4544-143-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral2/memory/2264-144-0x0000000000000000-mapping.dmp	netwire
behavioral2/memory/2264-149-0x0000000000400000-0x000000000041E000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 2 IoCs

Processes:

windows.exewindows.exe

pid process

4880 windows.exe
2264 windows.exe

pid	process
4880	windows.exe
2264	windows.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

windows.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{U0U124TF-GTK2-5802-3TXW-C4SUST3SUEY6}	windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{U0U124TF-GTK2-5802-3TXW-C4SUST3SUEY6}\StubPath = "\"C:\\Users\\Admin\\AppData\\Roaming\\microsoft\\installer\\windows.exe\""	windows.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

windows.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\microsoft = "C:\\Users\\Admin\\AppData\\Roaming\\microsoft\\installer\\windows.exe"	windows.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	windows.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

6bbe27987b901223162281c8367e5f997fd1bbd9d2bdd73965c513bffeaefd88.exewindows.exe

description	pid	process	target process
PID 2216 set thread context of 4544	2216	6bbe27987b901223162281c8367e5f997fd1bbd9d2bdd73965c513bffeaefd88.exe	6bbe27987b901223162281c8367e5f997fd1bbd9d2bdd73965c513bffeaefd88.exe
PID 4880 set thread context of 2264	4880	windows.exe	windows.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

6bbe27987b901223162281c8367e5f997fd1bbd9d2bdd73965c513bffeaefd88.exewindows.exe

pid process

2216 6bbe27987b901223162281c8367e5f997fd1bbd9d2bdd73965c513bffeaefd88.exe
4880 windows.exe

pid	process
2216	6bbe27987b901223162281c8367e5f997fd1bbd9d2bdd73965c513bffeaefd88.exe
4880	windows.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

6bbe27987b901223162281c8367e5f997fd1bbd9d2bdd73965c513bffeaefd88.exe6bbe27987b901223162281c8367e5f997fd1bbd9d2bdd73965c513bffeaefd88.exewindows.exe

description	pid	process	target process
PID 2216 wrote to memory of 4544	2216	6bbe27987b901223162281c8367e5f997fd1bbd9d2bdd73965c513bffeaefd88.exe	6bbe27987b901223162281c8367e5f997fd1bbd9d2bdd73965c513bffeaefd88.exe
PID 2216 wrote to memory of 4544	2216	6bbe27987b901223162281c8367e5f997fd1bbd9d2bdd73965c513bffeaefd88.exe	6bbe27987b901223162281c8367e5f997fd1bbd9d2bdd73965c513bffeaefd88.exe
PID 2216 wrote to memory of 4544	2216	6bbe27987b901223162281c8367e5f997fd1bbd9d2bdd73965c513bffeaefd88.exe	6bbe27987b901223162281c8367e5f997fd1bbd9d2bdd73965c513bffeaefd88.exe
PID 2216 wrote to memory of 4544	2216	6bbe27987b901223162281c8367e5f997fd1bbd9d2bdd73965c513bffeaefd88.exe	6bbe27987b901223162281c8367e5f997fd1bbd9d2bdd73965c513bffeaefd88.exe
PID 2216 wrote to memory of 4544	2216	6bbe27987b901223162281c8367e5f997fd1bbd9d2bdd73965c513bffeaefd88.exe	6bbe27987b901223162281c8367e5f997fd1bbd9d2bdd73965c513bffeaefd88.exe
PID 2216 wrote to memory of 4544	2216	6bbe27987b901223162281c8367e5f997fd1bbd9d2bdd73965c513bffeaefd88.exe	6bbe27987b901223162281c8367e5f997fd1bbd9d2bdd73965c513bffeaefd88.exe
PID 2216 wrote to memory of 4544	2216	6bbe27987b901223162281c8367e5f997fd1bbd9d2bdd73965c513bffeaefd88.exe	6bbe27987b901223162281c8367e5f997fd1bbd9d2bdd73965c513bffeaefd88.exe
PID 2216 wrote to memory of 4544	2216	6bbe27987b901223162281c8367e5f997fd1bbd9d2bdd73965c513bffeaefd88.exe	6bbe27987b901223162281c8367e5f997fd1bbd9d2bdd73965c513bffeaefd88.exe
PID 2216 wrote to memory of 4544	2216	6bbe27987b901223162281c8367e5f997fd1bbd9d2bdd73965c513bffeaefd88.exe	6bbe27987b901223162281c8367e5f997fd1bbd9d2bdd73965c513bffeaefd88.exe
PID 2216 wrote to memory of 4544	2216	6bbe27987b901223162281c8367e5f997fd1bbd9d2bdd73965c513bffeaefd88.exe	6bbe27987b901223162281c8367e5f997fd1bbd9d2bdd73965c513bffeaefd88.exe
PID 4544 wrote to memory of 4880	4544	6bbe27987b901223162281c8367e5f997fd1bbd9d2bdd73965c513bffeaefd88.exe	windows.exe
PID 4544 wrote to memory of 4880	4544	6bbe27987b901223162281c8367e5f997fd1bbd9d2bdd73965c513bffeaefd88.exe	windows.exe
PID 4544 wrote to memory of 4880	4544	6bbe27987b901223162281c8367e5f997fd1bbd9d2bdd73965c513bffeaefd88.exe	windows.exe
PID 4880 wrote to memory of 2264	4880	windows.exe	windows.exe
PID 4880 wrote to memory of 2264	4880	windows.exe	windows.exe
PID 4880 wrote to memory of 2264	4880	windows.exe	windows.exe
PID 4880 wrote to memory of 2264	4880	windows.exe	windows.exe
PID 4880 wrote to memory of 2264	4880	windows.exe	windows.exe
PID 4880 wrote to memory of 2264	4880	windows.exe	windows.exe
PID 4880 wrote to memory of 2264	4880	windows.exe	windows.exe
PID 4880 wrote to memory of 2264	4880	windows.exe	windows.exe
PID 4880 wrote to memory of 2264	4880	windows.exe	windows.exe
PID 4880 wrote to memory of 2264	4880	windows.exe	windows.exe

C:\Users\Admin\AppData\Local\Temp\6bbe27987b901223162281c8367e5f997fd1bbd9d2bdd73965c513bffeaefd88.exe
"C:\Users\Admin\AppData\Local\Temp\6bbe27987b901223162281c8367e5f997fd1bbd9d2bdd73965c513bffeaefd88.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2216

C:\Users\Admin\AppData\Local\Temp\6bbe27987b901223162281c8367e5f997fd1bbd9d2bdd73965c513bffeaefd88.exe
"C:\Users\Admin\AppData\Local\Temp\6bbe27987b901223162281c8367e5f997fd1bbd9d2bdd73965c513bffeaefd88.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4544

C:\Users\Admin\AppData\Roaming\microsoft\installer\windows.exe
-m "C:\Users\Admin\AppData\Local\Temp\6bbe27987b901223162281c8367e5f997fd1bbd9d2bdd73965c513bffeaefd88.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4880

C:\Users\Admin\AppData\Roaming\microsoft\installer\windows.exe
-m "C:\Users\Admin\AppData\Local\Temp\6bbe27987b901223162281c8367e5f997fd1bbd9d2bdd73965c513bffeaefd88.exe"
4⤵
- Executes dropped EXE
- Modifies Installed Components in the registry
- Adds Run key to start application
PID:2264

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\installer\windows.exe
Filesize
279KB

MD5
82279e73735b339e79d926ee7ccda560

SHA1
61ad5df59728cfd2f0890d59726629845b075f68

SHA256
6bbe27987b901223162281c8367e5f997fd1bbd9d2bdd73965c513bffeaefd88

SHA512
50307bd3840e134d4251d8b4d69de0ea93ca9c3739ba991e6ade1c337edfe14e5de8bfee53a2cc427f93c5b185d1e758fd68e5d4e264fa4b52d2c5dff91d8fe4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\installer\windows.exe
Filesize
279KB

MD5
82279e73735b339e79d926ee7ccda560

SHA1
61ad5df59728cfd2f0890d59726629845b075f68

SHA256
6bbe27987b901223162281c8367e5f997fd1bbd9d2bdd73965c513bffeaefd88

SHA512
50307bd3840e134d4251d8b4d69de0ea93ca9c3739ba991e6ade1c337edfe14e5de8bfee53a2cc427f93c5b185d1e758fd68e5d4e264fa4b52d2c5dff91d8fe4

Download Submit
C:\Users\Admin\AppData\Roaming\microsoft\installer\windows.exe
Filesize
279KB

MD5
82279e73735b339e79d926ee7ccda560

SHA1
61ad5df59728cfd2f0890d59726629845b075f68

SHA256
6bbe27987b901223162281c8367e5f997fd1bbd9d2bdd73965c513bffeaefd88

SHA512
50307bd3840e134d4251d8b4d69de0ea93ca9c3739ba991e6ade1c337edfe14e5de8bfee53a2cc427f93c5b185d1e758fd68e5d4e264fa4b52d2c5dff91d8fe4

Download Submit
memory/2264-144-0x0000000000000000-mapping.dmp

Download
memory/2264-149-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4544-134-0x0000000000000000-mapping.dmp

Download
memory/4544-135-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4544-137-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4544-143-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4880-138-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads