netwire | fc361bfc9536f31350c99e5bffc007477e6ac9d1bc1fee3604c8fcae39153e53

General

Target

fc361bfc9536f31350c99e5bffc007477e6ac9d1bc1fee3604c8fcae39153e53.exe
Size

105KB
MD5

e11591310952d9c6eeeaf88ff19432b2
SHA1

71bd602670f33e1f0573c6bbd15ead0992e4973f
SHA256

fc361bfc9536f31350c99e5bffc007477e6ac9d1bc1fee3604c8fcae39153e53
SHA512

e8ff1f1766d49736549a5792a613f4e9776de534c2eca1e172de29af3a94a407d568020ece86e6f6d2381c47ea23b0e3e025e1a84f4a2c651c171fb240ec9b07
SSDEEP

3072:gM1BjoYNXoKDIJBXJPLW1D9DOgDqK2VRNbA/6A/d:gMMYNXqBBCN9DOgOK2VzbVA/d

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Signatures

NetWire RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4500-134-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral2/memory/4500-136-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral2/memory/4500-139-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral2/memory/2288-148-0x0000000000400000-0x000000000041E000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 2 IoCs

Processes:

Host.exeHost.exe

pid process

1480 Host.exe
2288 Host.exe

pid	process
1480	Host.exe
2288	Host.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Host.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{32W2EMSA-D3P0-G0V7-PP47-3T5XRLUK6562}\StubPath = "\"C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe\""	Host.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{32W2EMSA-D3P0-G0V7-PP47-3T5XRLUK6562}	Host.exe

Loads dropped DLL 2 IoCs

Processes:

fc361bfc9536f31350c99e5bffc007477e6ac9d1bc1fee3604c8fcae39153e53.exeHost.exe

pid process

2836 fc361bfc9536f31350c99e5bffc007477e6ac9d1bc1fee3604c8fcae39153e53.exe
1480 Host.exe

pid	process
2836	fc361bfc9536f31350c99e5bffc007477e6ac9d1bc1fee3604c8fcae39153e53.exe
1480	Host.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Host.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	Host.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NetWire = "C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe"	Host.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

fc361bfc9536f31350c99e5bffc007477e6ac9d1bc1fee3604c8fcae39153e53.exeHost.exe

description	pid	process	target process
PID 2836 set thread context of 4500	2836	fc361bfc9536f31350c99e5bffc007477e6ac9d1bc1fee3604c8fcae39153e53.exe	fc361bfc9536f31350c99e5bffc007477e6ac9d1bc1fee3604c8fcae39153e53.exe
PID 1480 set thread context of 2288	1480	Host.exe	Host.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 6 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Install\Host.exe	nsis_installer_1
C:\Users\Admin\AppData\Roaming\Install\Host.exe	nsis_installer_2
C:\Users\Admin\AppData\Roaming\Install\Host.exe	nsis_installer_1
C:\Users\Admin\AppData\Roaming\Install\Host.exe	nsis_installer_2
C:\Users\Admin\AppData\Roaming\Install\Host.exe	nsis_installer_1
C:\Users\Admin\AppData\Roaming\Install\Host.exe	nsis_installer_2

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

fc361bfc9536f31350c99e5bffc007477e6ac9d1bc1fee3604c8fcae39153e53.exefc361bfc9536f31350c99e5bffc007477e6ac9d1bc1fee3604c8fcae39153e53.exeHost.exe

description	pid	process	target process
PID 2836 wrote to memory of 4500	2836	fc361bfc9536f31350c99e5bffc007477e6ac9d1bc1fee3604c8fcae39153e53.exe	fc361bfc9536f31350c99e5bffc007477e6ac9d1bc1fee3604c8fcae39153e53.exe
PID 2836 wrote to memory of 4500	2836	fc361bfc9536f31350c99e5bffc007477e6ac9d1bc1fee3604c8fcae39153e53.exe	fc361bfc9536f31350c99e5bffc007477e6ac9d1bc1fee3604c8fcae39153e53.exe
PID 2836 wrote to memory of 4500	2836	fc361bfc9536f31350c99e5bffc007477e6ac9d1bc1fee3604c8fcae39153e53.exe	fc361bfc9536f31350c99e5bffc007477e6ac9d1bc1fee3604c8fcae39153e53.exe
PID 2836 wrote to memory of 4500	2836	fc361bfc9536f31350c99e5bffc007477e6ac9d1bc1fee3604c8fcae39153e53.exe	fc361bfc9536f31350c99e5bffc007477e6ac9d1bc1fee3604c8fcae39153e53.exe
PID 2836 wrote to memory of 4500	2836	fc361bfc9536f31350c99e5bffc007477e6ac9d1bc1fee3604c8fcae39153e53.exe	fc361bfc9536f31350c99e5bffc007477e6ac9d1bc1fee3604c8fcae39153e53.exe
PID 2836 wrote to memory of 4500	2836	fc361bfc9536f31350c99e5bffc007477e6ac9d1bc1fee3604c8fcae39153e53.exe	fc361bfc9536f31350c99e5bffc007477e6ac9d1bc1fee3604c8fcae39153e53.exe
PID 2836 wrote to memory of 4500	2836	fc361bfc9536f31350c99e5bffc007477e6ac9d1bc1fee3604c8fcae39153e53.exe	fc361bfc9536f31350c99e5bffc007477e6ac9d1bc1fee3604c8fcae39153e53.exe
PID 2836 wrote to memory of 4500	2836	fc361bfc9536f31350c99e5bffc007477e6ac9d1bc1fee3604c8fcae39153e53.exe	fc361bfc9536f31350c99e5bffc007477e6ac9d1bc1fee3604c8fcae39153e53.exe
PID 2836 wrote to memory of 4500	2836	fc361bfc9536f31350c99e5bffc007477e6ac9d1bc1fee3604c8fcae39153e53.exe	fc361bfc9536f31350c99e5bffc007477e6ac9d1bc1fee3604c8fcae39153e53.exe
PID 4500 wrote to memory of 1480	4500	fc361bfc9536f31350c99e5bffc007477e6ac9d1bc1fee3604c8fcae39153e53.exe	Host.exe
PID 4500 wrote to memory of 1480	4500	fc361bfc9536f31350c99e5bffc007477e6ac9d1bc1fee3604c8fcae39153e53.exe	Host.exe
PID 4500 wrote to memory of 1480	4500	fc361bfc9536f31350c99e5bffc007477e6ac9d1bc1fee3604c8fcae39153e53.exe	Host.exe
PID 1480 wrote to memory of 2288	1480	Host.exe	Host.exe
PID 1480 wrote to memory of 2288	1480	Host.exe	Host.exe
PID 1480 wrote to memory of 2288	1480	Host.exe	Host.exe
PID 1480 wrote to memory of 2288	1480	Host.exe	Host.exe
PID 1480 wrote to memory of 2288	1480	Host.exe	Host.exe
PID 1480 wrote to memory of 2288	1480	Host.exe	Host.exe
PID 1480 wrote to memory of 2288	1480	Host.exe	Host.exe
PID 1480 wrote to memory of 2288	1480	Host.exe	Host.exe
PID 1480 wrote to memory of 2288	1480	Host.exe	Host.exe

C:\Users\Admin\AppData\Local\Temp\fc361bfc9536f31350c99e5bffc007477e6ac9d1bc1fee3604c8fcae39153e53.exe
"C:\Users\Admin\AppData\Local\Temp\fc361bfc9536f31350c99e5bffc007477e6ac9d1bc1fee3604c8fcae39153e53.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2836

C:\Users\Admin\AppData\Local\Temp\fc361bfc9536f31350c99e5bffc007477e6ac9d1bc1fee3604c8fcae39153e53.exe
"C:\Users\Admin\AppData\Local\Temp\fc361bfc9536f31350c99e5bffc007477e6ac9d1bc1fee3604c8fcae39153e53.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4500

C:\Users\Admin\AppData\Roaming\Install\Host.exe
-m "C:\Users\Admin\AppData\Local\Temp\fc361bfc9536f31350c99e5bffc007477e6ac9d1bc1fee3604c8fcae39153e53.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1480

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
4⤵
- Executes dropped EXE
- Modifies Installed Components in the registry
- Adds Run key to start application
PID:2288

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nskBC22.tmp\acosmists.dll
Filesize
44KB

MD5
556cc3600c86ea1383f036fbc13b617d

SHA1
cf5c93b117321411c2ba16b24a29f940cf01926c

SHA256
58f18a822473ff36370b7a0991304a413010819b7c1881c5b637e8747aff86b3

SHA512
0380629798e50628139ab040622be41af252e57fad1510b2bce61eadcf66743bced2c1e15f49dcef7c296f4a00c9a67c97926c94e2e127767df2f4de9f21f71b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyC4AD.tmp\acosmists.dll
Filesize
44KB

MD5
556cc3600c86ea1383f036fbc13b617d

SHA1
cf5c93b117321411c2ba16b24a29f940cf01926c

SHA256
58f18a822473ff36370b7a0991304a413010819b7c1881c5b637e8747aff86b3

SHA512
0380629798e50628139ab040622be41af252e57fad1510b2bce61eadcf66743bced2c1e15f49dcef7c296f4a00c9a67c97926c94e2e127767df2f4de9f21f71b

Download Submit
C:\Users\Admin\AppData\Roaming\DISK2.DSK
Filesize
81KB

MD5
3d144aebb15820aa8af4033c00a419a6

SHA1
6c82768036cbbba492af14d6fab5a7a675ee1d6e

SHA256
5e85e55ade3b763209938fbb34c1fbd16007737428ac51891745f35bd80fc09a

SHA512
74aaa5db6dd80f02c816aec70d90b1f9bf9c5af8000adec8676fb8f92216754132ba0b2fdca61366a06d6b7bb57833017c924bf6d87feda4a648ff78e2dd1972

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
105KB

MD5
e11591310952d9c6eeeaf88ff19432b2

SHA1
71bd602670f33e1f0573c6bbd15ead0992e4973f

SHA256
fc361bfc9536f31350c99e5bffc007477e6ac9d1bc1fee3604c8fcae39153e53

SHA512
e8ff1f1766d49736549a5792a613f4e9776de534c2eca1e172de29af3a94a407d568020ece86e6f6d2381c47ea23b0e3e025e1a84f4a2c651c171fb240ec9b07

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
105KB

MD5
e11591310952d9c6eeeaf88ff19432b2

SHA1
71bd602670f33e1f0573c6bbd15ead0992e4973f

SHA256
fc361bfc9536f31350c99e5bffc007477e6ac9d1bc1fee3604c8fcae39153e53

SHA512
e8ff1f1766d49736549a5792a613f4e9776de534c2eca1e172de29af3a94a407d568020ece86e6f6d2381c47ea23b0e3e025e1a84f4a2c651c171fb240ec9b07

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
105KB

MD5
e11591310952d9c6eeeaf88ff19432b2

SHA1
71bd602670f33e1f0573c6bbd15ead0992e4973f

SHA256
fc361bfc9536f31350c99e5bffc007477e6ac9d1bc1fee3604c8fcae39153e53

SHA512
e8ff1f1766d49736549a5792a613f4e9776de534c2eca1e172de29af3a94a407d568020ece86e6f6d2381c47ea23b0e3e025e1a84f4a2c651c171fb240ec9b07

Download Submit
memory/1480-137-0x0000000000000000-mapping.dmp

Download
memory/2288-148-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2288-143-0x0000000000000000-mapping.dmp

Download
memory/4500-136-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4500-139-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4500-134-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4500-133-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads