netwire | 56f0c42016573de7c5b5b5b7b3d89eada4c87126af40c3ea00be930a7546c55e

General

Target

56f0c42016573de7c5b5b5b7b3d89eada4c87126af40c3ea00be930a7546c55e.exe
Size

184KB
MD5

46a9e2cfc81304ae2e4a1b573c819670
SHA1

fee3833c609746402586b1120d62798fc783c835
SHA256

56f0c42016573de7c5b5b5b7b3d89eada4c87126af40c3ea00be930a7546c55e
SHA512

49d894c635fbb8c1f902ad16c4331ed08e680c87289510892a8c2ddbbf6a786a97b64b3f160993778ab6dd7f88cad59debfb16b699998eab0dc14e4fe457a9b8
SSDEEP

3072:tMcjLsjH3WkwK7ITSA/19ELhvsKZGBewqxvcAFLAxfKucAFLA:tMuYjXH4pbEdvsKEBgA

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Signatures

NetWire RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/960-66-0x0000000000000000-mapping.dmp	netwire
behavioral1/memory/960-69-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral1/memory/960-71-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral1/memory/960-72-0x0000000000400000-0x000000000041E000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 2 IoCs

Processes:

jdhdgd.exejdhdgd.exe

pid process

916 jdhdgd.exe
960 jdhdgd.exe

pid	process
916	jdhdgd.exe
960	jdhdgd.exe

Loads dropped DLL 2 IoCs

Processes:

56f0c42016573de7c5b5b5b7b3d89eada4c87126af40c3ea00be930a7546c55e.exe

pid	process
816	56f0c42016573de7c5b5b5b7b3d89eada4c87126af40c3ea00be930a7546c55e.exe
816	56f0c42016573de7c5b5b5b7b3d89eada4c87126af40c3ea00be930a7546c55e.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

56f0c42016573de7c5b5b5b7b3d89eada4c87126af40c3ea00be930a7546c55e.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\dhdgd = "C:\\Users\\Admin\\AppData\\Roaming\\subfolder\\jdhdgd.exe"	56f0c42016573de7c5b5b5b7b3d89eada4c87126af40c3ea00be930a7546c55e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

56f0c42016573de7c5b5b5b7b3d89eada4c87126af40c3ea00be930a7546c55e.exejdhdgd.exe

pid process

816 56f0c42016573de7c5b5b5b7b3d89eada4c87126af40c3ea00be930a7546c55e.exe
916 jdhdgd.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

56f0c42016573de7c5b5b5b7b3d89eada4c87126af40c3ea00be930a7546c55e.exejdhdgd.exe

description	pid	process	target process
PID 816 wrote to memory of 916	816	56f0c42016573de7c5b5b5b7b3d89eada4c87126af40c3ea00be930a7546c55e.exe	jdhdgd.exe
PID 816 wrote to memory of 916	816	56f0c42016573de7c5b5b5b7b3d89eada4c87126af40c3ea00be930a7546c55e.exe	jdhdgd.exe
PID 816 wrote to memory of 916	816	56f0c42016573de7c5b5b5b7b3d89eada4c87126af40c3ea00be930a7546c55e.exe	jdhdgd.exe
PID 816 wrote to memory of 916	816	56f0c42016573de7c5b5b5b7b3d89eada4c87126af40c3ea00be930a7546c55e.exe	jdhdgd.exe
PID 916 wrote to memory of 960	916	jdhdgd.exe	jdhdgd.exe
PID 916 wrote to memory of 960	916	jdhdgd.exe	jdhdgd.exe
PID 916 wrote to memory of 960	916	jdhdgd.exe	jdhdgd.exe
PID 916 wrote to memory of 960	916	jdhdgd.exe	jdhdgd.exe
PID 916 wrote to memory of 960	916	jdhdgd.exe	jdhdgd.exe
PID 916 wrote to memory of 960	916	jdhdgd.exe	jdhdgd.exe
PID 916 wrote to memory of 960	916	jdhdgd.exe	jdhdgd.exe
PID 916 wrote to memory of 960	916	jdhdgd.exe	jdhdgd.exe
PID 916 wrote to memory of 960	916	jdhdgd.exe	jdhdgd.exe
PID 916 wrote to memory of 960	916	jdhdgd.exe	jdhdgd.exe
PID 916 wrote to memory of 960	916	jdhdgd.exe	jdhdgd.exe
PID 916 wrote to memory of 960	916	jdhdgd.exe	jdhdgd.exe
PID 916 wrote to memory of 960	916	jdhdgd.exe	jdhdgd.exe
PID 916 wrote to memory of 960	916	jdhdgd.exe	jdhdgd.exe
PID 916 wrote to memory of 960	916	jdhdgd.exe	jdhdgd.exe
PID 916 wrote to memory of 960	916	jdhdgd.exe	jdhdgd.exe

C:\Users\Admin\AppData\Local\Temp\56f0c42016573de7c5b5b5b7b3d89eada4c87126af40c3ea00be930a7546c55e.exe
"C:\Users\Admin\AppData\Local\Temp\56f0c42016573de7c5b5b5b7b3d89eada4c87126af40c3ea00be930a7546c55e.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:816

C:\Users\Admin\AppData\Roaming\subfolder\jdhdgd.exe
"C:\Users\Admin\AppData\Roaming\subfolder\jdhdgd.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:916

C:\Users\Admin\AppData\Roaming\subfolder\jdhdgd.exe
"C:\Users\Admin\AppData\Roaming\subfolder\jdhdgd.exe"
3⤵
- Executes dropped EXE
PID:960

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\subfolder\jdhdgd.exe
Filesize
184KB

MD5
4bc7dff41d338cf1d7f8317b0191eed9

SHA1
301d6ed46912118c41ca11ce5a9a1471b9736125

SHA256
55e2f56fc7a7bf7491e088076f026911615eca15328b16bb69871f4f8ce049eb

SHA512
91a86ebfd936132809088db465b0313afc25de8f5b904665d52af8d1ec83f25852f9083f4e5deecbb529f9ce6069470a76ebee49343f1f907f432455d8d02da9

Download Submit
C:\Users\Admin\AppData\Roaming\subfolder\jdhdgd.exe
Filesize
184KB

MD5
4bc7dff41d338cf1d7f8317b0191eed9

SHA1
301d6ed46912118c41ca11ce5a9a1471b9736125

SHA256
55e2f56fc7a7bf7491e088076f026911615eca15328b16bb69871f4f8ce049eb

SHA512
91a86ebfd936132809088db465b0313afc25de8f5b904665d52af8d1ec83f25852f9083f4e5deecbb529f9ce6069470a76ebee49343f1f907f432455d8d02da9

Download Submit
C:\Users\Admin\AppData\Roaming\subfolder\jdhdgd.exe
Filesize
184KB

MD5
4bc7dff41d338cf1d7f8317b0191eed9

SHA1
301d6ed46912118c41ca11ce5a9a1471b9736125

SHA256
55e2f56fc7a7bf7491e088076f026911615eca15328b16bb69871f4f8ce049eb

SHA512
91a86ebfd936132809088db465b0313afc25de8f5b904665d52af8d1ec83f25852f9083f4e5deecbb529f9ce6069470a76ebee49343f1f907f432455d8d02da9

Download Submit
\Users\Admin\AppData\Roaming\subfolder\jdhdgd.exe
Filesize
184KB

MD5
4bc7dff41d338cf1d7f8317b0191eed9

SHA1
301d6ed46912118c41ca11ce5a9a1471b9736125

SHA256
55e2f56fc7a7bf7491e088076f026911615eca15328b16bb69871f4f8ce049eb

SHA512
91a86ebfd936132809088db465b0313afc25de8f5b904665d52af8d1ec83f25852f9083f4e5deecbb529f9ce6069470a76ebee49343f1f907f432455d8d02da9

Download Submit
\Users\Admin\AppData\Roaming\subfolder\jdhdgd.exe
Filesize
184KB

MD5
4bc7dff41d338cf1d7f8317b0191eed9

SHA1
301d6ed46912118c41ca11ce5a9a1471b9736125

SHA256
55e2f56fc7a7bf7491e088076f026911615eca15328b16bb69871f4f8ce049eb

SHA512
91a86ebfd936132809088db465b0313afc25de8f5b904665d52af8d1ec83f25852f9083f4e5deecbb529f9ce6069470a76ebee49343f1f907f432455d8d02da9

Download Submit
memory/816-56-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

Filesize
8KB

Download
memory/816-61-0x0000000000260000-0x0000000000266000-memory.dmp

Filesize
24KB

Download
memory/916-59-0x0000000000000000-mapping.dmp

Download
memory/916-68-0x0000000000260000-0x0000000000266000-memory.dmp

Filesize
24KB

Download
memory/960-66-0x0000000000000000-mapping.dmp

Download
memory/960-69-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/960-71-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/960-72-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads