netwire | 915044c511cc81227acb26c559cc79eafdd65f28a99b6c73493b3ac80e739855

General

Target

915044c511cc81227acb26c559cc79eafdd65f28a99b6c73493b3ac80e739855.exe
Size

131KB
MD5

57ff9ec083c9603c0251fe55595b8793
SHA1

8c3c7148559706e5523dae28d5852554042129b0
SHA256

915044c511cc81227acb26c559cc79eafdd65f28a99b6c73493b3ac80e739855
SHA512

63f50958bd0b82057b62a4315fb9309af082ee06992949c4967bafe83407d7fcc7097d8713b2656cc5ae13c6386ec671d2a424f73b03f883d182551cdaf2770f
SSDEEP

3072:cnF6XpaIxS1rAPXJlfWMzMeYhLjYchZzj6ocuxdlh8CKUm2/4v4c:cnvIxAS+MAeYhLjYchZ3rcMl5KUm2/4v

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Signatures

NetWire RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1384-71-0x0000000000400000-0x0000000000417000-memory.dmp	netwire
behavioral1/memory/1112-90-0x0000000000400000-0x0000000000417000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 2 IoCs

Processes:

Laroche.exeLaroche.exe

pid process

1448 Laroche.exe
1112 Laroche.exe

pid	process
1448	Laroche.exe
1112	Laroche.exe

Loads dropped DLL 4 IoCs

Processes:

915044c511cc81227acb26c559cc79eafdd65f28a99b6c73493b3ac80e739855.exe915044c511cc81227acb26c559cc79eafdd65f28a99b6c73493b3ac80e739855.exeLaroche.exe

pid	process
332	915044c511cc81227acb26c559cc79eafdd65f28a99b6c73493b3ac80e739855.exe
1384	915044c511cc81227acb26c559cc79eafdd65f28a99b6c73493b3ac80e739855.exe
1448	Laroche.exe
1448	Laroche.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Laroche.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	Laroche.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\DrakkarNoir = "C:\\Users\\Admin\\AppData\\Roaming\\Drakkar\\Laroche.exe"	Laroche.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

915044c511cc81227acb26c559cc79eafdd65f28a99b6c73493b3ac80e739855.exeLaroche.exe

description	pid	process	target process
PID 332 set thread context of 1384	332	915044c511cc81227acb26c559cc79eafdd65f28a99b6c73493b3ac80e739855.exe	915044c511cc81227acb26c559cc79eafdd65f28a99b6c73493b3ac80e739855.exe
PID 1448 set thread context of 1112	1448	Laroche.exe	Laroche.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 10 IoCs

installer

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\Drakkar\Laroche.exe	nsis_installer_1
\Users\Admin\AppData\Roaming\Drakkar\Laroche.exe	nsis_installer_2
C:\Users\Admin\AppData\Roaming\Drakkar\Laroche.exe	nsis_installer_1
C:\Users\Admin\AppData\Roaming\Drakkar\Laroche.exe	nsis_installer_2
C:\Users\Admin\AppData\Roaming\Drakkar\Laroche.exe	nsis_installer_1
C:\Users\Admin\AppData\Roaming\Drakkar\Laroche.exe	nsis_installer_2
\Users\Admin\AppData\Roaming\Drakkar\Laroche.exe	nsis_installer_1
\Users\Admin\AppData\Roaming\Drakkar\Laroche.exe	nsis_installer_2
C:\Users\Admin\AppData\Roaming\Drakkar\Laroche.exe	nsis_installer_1
C:\Users\Admin\AppData\Roaming\Drakkar\Laroche.exe	nsis_installer_2

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

915044c511cc81227acb26c559cc79eafdd65f28a99b6c73493b3ac80e739855.exe915044c511cc81227acb26c559cc79eafdd65f28a99b6c73493b3ac80e739855.exeLaroche.exe

description	pid	process	target process
PID 332 wrote to memory of 1384	332	915044c511cc81227acb26c559cc79eafdd65f28a99b6c73493b3ac80e739855.exe	915044c511cc81227acb26c559cc79eafdd65f28a99b6c73493b3ac80e739855.exe
PID 332 wrote to memory of 1384	332	915044c511cc81227acb26c559cc79eafdd65f28a99b6c73493b3ac80e739855.exe	915044c511cc81227acb26c559cc79eafdd65f28a99b6c73493b3ac80e739855.exe
PID 332 wrote to memory of 1384	332	915044c511cc81227acb26c559cc79eafdd65f28a99b6c73493b3ac80e739855.exe	915044c511cc81227acb26c559cc79eafdd65f28a99b6c73493b3ac80e739855.exe
PID 332 wrote to memory of 1384	332	915044c511cc81227acb26c559cc79eafdd65f28a99b6c73493b3ac80e739855.exe	915044c511cc81227acb26c559cc79eafdd65f28a99b6c73493b3ac80e739855.exe
PID 332 wrote to memory of 1384	332	915044c511cc81227acb26c559cc79eafdd65f28a99b6c73493b3ac80e739855.exe	915044c511cc81227acb26c559cc79eafdd65f28a99b6c73493b3ac80e739855.exe
PID 332 wrote to memory of 1384	332	915044c511cc81227acb26c559cc79eafdd65f28a99b6c73493b3ac80e739855.exe	915044c511cc81227acb26c559cc79eafdd65f28a99b6c73493b3ac80e739855.exe
PID 332 wrote to memory of 1384	332	915044c511cc81227acb26c559cc79eafdd65f28a99b6c73493b3ac80e739855.exe	915044c511cc81227acb26c559cc79eafdd65f28a99b6c73493b3ac80e739855.exe
PID 332 wrote to memory of 1384	332	915044c511cc81227acb26c559cc79eafdd65f28a99b6c73493b3ac80e739855.exe	915044c511cc81227acb26c559cc79eafdd65f28a99b6c73493b3ac80e739855.exe
PID 332 wrote to memory of 1384	332	915044c511cc81227acb26c559cc79eafdd65f28a99b6c73493b3ac80e739855.exe	915044c511cc81227acb26c559cc79eafdd65f28a99b6c73493b3ac80e739855.exe
PID 332 wrote to memory of 1384	332	915044c511cc81227acb26c559cc79eafdd65f28a99b6c73493b3ac80e739855.exe	915044c511cc81227acb26c559cc79eafdd65f28a99b6c73493b3ac80e739855.exe
PID 332 wrote to memory of 1384	332	915044c511cc81227acb26c559cc79eafdd65f28a99b6c73493b3ac80e739855.exe	915044c511cc81227acb26c559cc79eafdd65f28a99b6c73493b3ac80e739855.exe
PID 332 wrote to memory of 1384	332	915044c511cc81227acb26c559cc79eafdd65f28a99b6c73493b3ac80e739855.exe	915044c511cc81227acb26c559cc79eafdd65f28a99b6c73493b3ac80e739855.exe
PID 1384 wrote to memory of 1448	1384	915044c511cc81227acb26c559cc79eafdd65f28a99b6c73493b3ac80e739855.exe	Laroche.exe
PID 1384 wrote to memory of 1448	1384	915044c511cc81227acb26c559cc79eafdd65f28a99b6c73493b3ac80e739855.exe	Laroche.exe
PID 1384 wrote to memory of 1448	1384	915044c511cc81227acb26c559cc79eafdd65f28a99b6c73493b3ac80e739855.exe	Laroche.exe
PID 1384 wrote to memory of 1448	1384	915044c511cc81227acb26c559cc79eafdd65f28a99b6c73493b3ac80e739855.exe	Laroche.exe
PID 1384 wrote to memory of 1448	1384	915044c511cc81227acb26c559cc79eafdd65f28a99b6c73493b3ac80e739855.exe	Laroche.exe
PID 1384 wrote to memory of 1448	1384	915044c511cc81227acb26c559cc79eafdd65f28a99b6c73493b3ac80e739855.exe	Laroche.exe
PID 1384 wrote to memory of 1448	1384	915044c511cc81227acb26c559cc79eafdd65f28a99b6c73493b3ac80e739855.exe	Laroche.exe
PID 1448 wrote to memory of 1112	1448	Laroche.exe	Laroche.exe
PID 1448 wrote to memory of 1112	1448	Laroche.exe	Laroche.exe
PID 1448 wrote to memory of 1112	1448	Laroche.exe	Laroche.exe
PID 1448 wrote to memory of 1112	1448	Laroche.exe	Laroche.exe
PID 1448 wrote to memory of 1112	1448	Laroche.exe	Laroche.exe
PID 1448 wrote to memory of 1112	1448	Laroche.exe	Laroche.exe
PID 1448 wrote to memory of 1112	1448	Laroche.exe	Laroche.exe
PID 1448 wrote to memory of 1112	1448	Laroche.exe	Laroche.exe
PID 1448 wrote to memory of 1112	1448	Laroche.exe	Laroche.exe
PID 1448 wrote to memory of 1112	1448	Laroche.exe	Laroche.exe
PID 1448 wrote to memory of 1112	1448	Laroche.exe	Laroche.exe
PID 1448 wrote to memory of 1112	1448	Laroche.exe	Laroche.exe

C:\Users\Admin\AppData\Local\Temp\915044c511cc81227acb26c559cc79eafdd65f28a99b6c73493b3ac80e739855.exe
"C:\Users\Admin\AppData\Local\Temp\915044c511cc81227acb26c559cc79eafdd65f28a99b6c73493b3ac80e739855.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:332

C:\Users\Admin\AppData\Local\Temp\915044c511cc81227acb26c559cc79eafdd65f28a99b6c73493b3ac80e739855.exe
"C:\Users\Admin\AppData\Local\Temp\915044c511cc81227acb26c559cc79eafdd65f28a99b6c73493b3ac80e739855.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1384

C:\Users\Admin\AppData\Roaming\Drakkar\Laroche.exe
"C:\Users\Admin\AppData\Roaming\Drakkar\Laroche.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1448

C:\Users\Admin\AppData\Roaming\Drakkar\Laroche.exe
"C:\Users\Admin\AppData\Roaming\Drakkar\Laroche.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1112

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\biographee\paperers.jqw
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Drakkar\Laroche.exe
Filesize
131KB

MD5
57ff9ec083c9603c0251fe55595b8793

SHA1
8c3c7148559706e5523dae28d5852554042129b0

SHA256
915044c511cc81227acb26c559cc79eafdd65f28a99b6c73493b3ac80e739855

SHA512
63f50958bd0b82057b62a4315fb9309af082ee06992949c4967bafe83407d7fcc7097d8713b2656cc5ae13c6386ec671d2a424f73b03f883d182551cdaf2770f

Download Submit
C:\Users\Admin\AppData\Roaming\Drakkar\Laroche.exe
Filesize
131KB

MD5
57ff9ec083c9603c0251fe55595b8793

SHA1
8c3c7148559706e5523dae28d5852554042129b0

SHA256
915044c511cc81227acb26c559cc79eafdd65f28a99b6c73493b3ac80e739855

SHA512
63f50958bd0b82057b62a4315fb9309af082ee06992949c4967bafe83407d7fcc7097d8713b2656cc5ae13c6386ec671d2a424f73b03f883d182551cdaf2770f

Download Submit
C:\Users\Admin\AppData\Roaming\Drakkar\Laroche.exe
Filesize
131KB

MD5
57ff9ec083c9603c0251fe55595b8793

SHA1
8c3c7148559706e5523dae28d5852554042129b0

SHA256
915044c511cc81227acb26c559cc79eafdd65f28a99b6c73493b3ac80e739855

SHA512
63f50958bd0b82057b62a4315fb9309af082ee06992949c4967bafe83407d7fcc7097d8713b2656cc5ae13c6386ec671d2a424f73b03f883d182551cdaf2770f

Download Submit
\Users\Admin\AppData\Local\Temp\nsk8EFA.tmp\paperers.dll
Filesize
56KB

MD5
cba27c45fd90779276f96a717de8a8d0

SHA1
89ac88cc471d5dbf6b9897435dbeeed29df5246f

SHA256
9940a5c28cd07e33b24692df50381acdce80574c5e288293981e7b399b2d1e07

SHA512
534bb3af058e89510aaea6f3ca4955e0d7b6dbaf1694fc3523ddba4a7845b7b461e711250957c9673c91a7b7e2e92450fbf0365bfb50202b357346cb8c102d95

Download Submit
\Users\Admin\AppData\Local\Temp\nsk9ADC.tmp\paperers.dll
Filesize
56KB

MD5
cba27c45fd90779276f96a717de8a8d0

SHA1
89ac88cc471d5dbf6b9897435dbeeed29df5246f

SHA256
9940a5c28cd07e33b24692df50381acdce80574c5e288293981e7b399b2d1e07

SHA512
534bb3af058e89510aaea6f3ca4955e0d7b6dbaf1694fc3523ddba4a7845b7b461e711250957c9673c91a7b7e2e92450fbf0365bfb50202b357346cb8c102d95

Download Submit
\Users\Admin\AppData\Roaming\Drakkar\Laroche.exe
Filesize
131KB

MD5
57ff9ec083c9603c0251fe55595b8793

SHA1
8c3c7148559706e5523dae28d5852554042129b0

SHA256
915044c511cc81227acb26c559cc79eafdd65f28a99b6c73493b3ac80e739855

SHA512
63f50958bd0b82057b62a4315fb9309af082ee06992949c4967bafe83407d7fcc7097d8713b2656cc5ae13c6386ec671d2a424f73b03f883d182551cdaf2770f

Download Submit
\Users\Admin\AppData\Roaming\Drakkar\Laroche.exe
Filesize
131KB

MD5
57ff9ec083c9603c0251fe55595b8793

SHA1
8c3c7148559706e5523dae28d5852554042129b0

SHA256
915044c511cc81227acb26c559cc79eafdd65f28a99b6c73493b3ac80e739855

SHA512
63f50958bd0b82057b62a4315fb9309af082ee06992949c4967bafe83407d7fcc7097d8713b2656cc5ae13c6386ec671d2a424f73b03f883d182551cdaf2770f

Download Submit
memory/332-54-0x0000000076931000-0x0000000076933000-memory.dmp

Filesize
8KB

Download
memory/1112-84-0x0000000000401F8F-mapping.dmp

Download
memory/1112-90-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1384-66-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1384-61-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1384-59-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1384-71-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1384-57-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1384-63-0x0000000000401F8F-mapping.dmp

Download
memory/1384-62-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1384-56-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1448-69-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads