netwire | e4029ef5d391b9a380ed98a45f3e5a01eece6b7a1120ab17d6db0f8bb1309a47

General

Target

yRuwcim7PXjssd6.exe
Size

748KB
MD5

612e64600d10219b8eb801b2b60835ee
SHA1

7ad4a1c01ee74a96dfc618cba25dbd3cf3a072d6
SHA256

e4029ef5d391b9a380ed98a45f3e5a01eece6b7a1120ab17d6db0f8bb1309a47
SHA512

0b4c9712abd9d810e7862a9144505f89c305f34fbbd9e6340f8a8e7d413cda5918a98adbc1a773c397c88d08603bfa53d3e6adc6f167ed077242d7d2d13097cc
SSDEEP

12288:llvXId+2ouHH1JJ2iNXu2iN2kejwFGfzPTFbLddxDd9eBQIWgAhgwzzgiupOd:vq+Vu1j1A1UeGVrgXGzgiu8

Score

10^/10

netwire botnet rat stealer

Malware Config

Signatures

NetWire RAT payload 8 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1776-69-0x0000000000400000-0x000000000042B000-memory.dmp	netwire
behavioral1/memory/1776-70-0x0000000000400000-0x000000000042B000-memory.dmp	netwire
behavioral1/memory/1776-72-0x0000000000400000-0x000000000042B000-memory.dmp	netwire
behavioral1/memory/1776-74-0x0000000000400000-0x000000000042B000-memory.dmp	netwire
behavioral1/memory/1776-75-0x00000000004026D0-mapping.dmp	netwire
behavioral1/memory/1776-78-0x0000000000400000-0x000000000042B000-memory.dmp	netwire
behavioral1/memory/1776-79-0x0000000000400000-0x000000000042B000-memory.dmp	netwire
behavioral1/memory/1776-82-0x0000000000400000-0x000000000042B000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Suspicious use of SetThreadContext 1 IoCs

Processes:

yRuwcim7PXjssd6.exe

description pid process target process

PID 1636 set thread context of 1776 1636 yRuwcim7PXjssd6.exe yRuwcim7PXjssd6.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1448 schtasks.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

yRuwcim7PXjssd6.exepowershell.exe

pid process

1636 yRuwcim7PXjssd6.exe
1636 yRuwcim7PXjssd6.exe
840 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

yRuwcim7PXjssd6.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1636 yRuwcim7PXjssd6.exe
Token: SeDebugPrivilege 840 powershell.exe

description	pid	process	target process
PID 1636 set thread context of 1776	1636	yRuwcim7PXjssd6.exe	yRuwcim7PXjssd6.exe

pid	process
1448	schtasks.exe

pid	process
1636	yRuwcim7PXjssd6.exe
1636	yRuwcim7PXjssd6.exe
840	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1636	yRuwcim7PXjssd6.exe
Token: SeDebugPrivilege	840	powershell.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

yRuwcim7PXjssd6.exe

description	pid	process	target process
PID 1636 wrote to memory of 840	1636	yRuwcim7PXjssd6.exe	powershell.exe
PID 1636 wrote to memory of 840	1636	yRuwcim7PXjssd6.exe	powershell.exe
PID 1636 wrote to memory of 840	1636	yRuwcim7PXjssd6.exe	powershell.exe
PID 1636 wrote to memory of 840	1636	yRuwcim7PXjssd6.exe	powershell.exe
PID 1636 wrote to memory of 1448	1636	yRuwcim7PXjssd6.exe	schtasks.exe
PID 1636 wrote to memory of 1448	1636	yRuwcim7PXjssd6.exe	schtasks.exe
PID 1636 wrote to memory of 1448	1636	yRuwcim7PXjssd6.exe	schtasks.exe
PID 1636 wrote to memory of 1448	1636	yRuwcim7PXjssd6.exe	schtasks.exe
PID 1636 wrote to memory of 308	1636	yRuwcim7PXjssd6.exe	yRuwcim7PXjssd6.exe
PID 1636 wrote to memory of 308	1636	yRuwcim7PXjssd6.exe	yRuwcim7PXjssd6.exe
PID 1636 wrote to memory of 308	1636	yRuwcim7PXjssd6.exe	yRuwcim7PXjssd6.exe
PID 1636 wrote to memory of 308	1636	yRuwcim7PXjssd6.exe	yRuwcim7PXjssd6.exe
PID 1636 wrote to memory of 1816	1636	yRuwcim7PXjssd6.exe	yRuwcim7PXjssd6.exe
PID 1636 wrote to memory of 1816	1636	yRuwcim7PXjssd6.exe	yRuwcim7PXjssd6.exe
PID 1636 wrote to memory of 1816	1636	yRuwcim7PXjssd6.exe	yRuwcim7PXjssd6.exe
PID 1636 wrote to memory of 1816	1636	yRuwcim7PXjssd6.exe	yRuwcim7PXjssd6.exe
PID 1636 wrote to memory of 1776	1636	yRuwcim7PXjssd6.exe	yRuwcim7PXjssd6.exe
PID 1636 wrote to memory of 1776	1636	yRuwcim7PXjssd6.exe	yRuwcim7PXjssd6.exe
PID 1636 wrote to memory of 1776	1636	yRuwcim7PXjssd6.exe	yRuwcim7PXjssd6.exe
PID 1636 wrote to memory of 1776	1636	yRuwcim7PXjssd6.exe	yRuwcim7PXjssd6.exe
PID 1636 wrote to memory of 1776	1636	yRuwcim7PXjssd6.exe	yRuwcim7PXjssd6.exe
PID 1636 wrote to memory of 1776	1636	yRuwcim7PXjssd6.exe	yRuwcim7PXjssd6.exe
PID 1636 wrote to memory of 1776	1636	yRuwcim7PXjssd6.exe	yRuwcim7PXjssd6.exe
PID 1636 wrote to memory of 1776	1636	yRuwcim7PXjssd6.exe	yRuwcim7PXjssd6.exe
PID 1636 wrote to memory of 1776	1636	yRuwcim7PXjssd6.exe	yRuwcim7PXjssd6.exe
PID 1636 wrote to memory of 1776	1636	yRuwcim7PXjssd6.exe	yRuwcim7PXjssd6.exe
PID 1636 wrote to memory of 1776	1636	yRuwcim7PXjssd6.exe	yRuwcim7PXjssd6.exe

C:\Users\Admin\AppData\Local\Temp\yRuwcim7PXjssd6.exe
"C:\Users\Admin\AppData\Local\Temp\yRuwcim7PXjssd6.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1636

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\KiHARiHxXAVe.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:840

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KiHARiHxXAVe" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF6FD.tmp"
2⤵
- Creates scheduled task(s)
PID:1448

C:\Users\Admin\AppData\Local\Temp\yRuwcim7PXjssd6.exe
"C:\Users\Admin\AppData\Local\Temp\yRuwcim7PXjssd6.exe"
2⤵
PID:308

C:\Users\Admin\AppData\Local\Temp\yRuwcim7PXjssd6.exe
"C:\Users\Admin\AppData\Local\Temp\yRuwcim7PXjssd6.exe"
2⤵
PID:1816

C:\Users\Admin\AppData\Local\Temp\yRuwcim7PXjssd6.exe
"C:\Users\Admin\AppData\Local\Temp\yRuwcim7PXjssd6.exe"
2⤵
PID:1776

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpF6FD.tmp
Filesize
1KB

MD5
c3ba202ad6dbe3fa561ef43a55456ee9

SHA1
0505b8d8c1e4a91dabf05a5a0b719cb710d529e9

SHA256
662bd1ad6fecaa7186f371420f06ca7d593a0f47f1525b1f4bf5ace17be98d52

SHA512
a9012028e34d5d7fc7aa06c81099a0cc3454f351f8057c60e8e728b0f4c690393b466af79ea08bad893e9f56d7545a57b83cc27bf7f32e089f697a7030eed1ab

Download Submit
memory/840-80-0x0000000073AD0000-0x000000007407B000-memory.dmp

Filesize
5.7MB

Download
memory/840-59-0x0000000000000000-mapping.dmp

Download
memory/840-81-0x0000000073AD0000-0x000000007407B000-memory.dmp

Filesize
5.7MB

Download
memory/1448-60-0x0000000000000000-mapping.dmp

Download
memory/1636-55-0x0000000075E51000-0x0000000075E53000-memory.dmp

Filesize
8KB

Download
memory/1636-56-0x00000000004B0000-0x00000000004C4000-memory.dmp

Filesize
80KB

Download
memory/1636-57-0x0000000000640000-0x000000000064C000-memory.dmp

Filesize
48KB

Download
memory/1636-58-0x0000000004FD0000-0x000000000503A000-memory.dmp

Filesize
424KB

Download
memory/1636-63-0x0000000004D80000-0x0000000004DB0000-memory.dmp

Filesize
192KB

Download
memory/1636-54-0x00000000001D0000-0x0000000000292000-memory.dmp

Filesize
776KB

Download
memory/1776-65-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1776-69-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1776-70-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1776-72-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1776-74-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1776-75-0x00000000004026D0-mapping.dmp

Download
memory/1776-78-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1776-79-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1776-67-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1776-64-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1776-82-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads