netwire | 1186674c00552b361cc1f4b2c3d7fae6c23ba68e6a80a3f3b4dbe49cddfd2795

General

Target

1186674c00552b361cc1f4b2c3d7fae6c23ba68e6a80a3f3b4dbe49cddfd2795.exe
Size

128KB
MD5

66f07d8c367c635e5f6f7583436cd970
SHA1

a6ae5111804cd4cc98f81f23122fdd7deca32c44
SHA256

1186674c00552b361cc1f4b2c3d7fae6c23ba68e6a80a3f3b4dbe49cddfd2795
SHA512

daa7bdcff96d39042ba09fcbd6ba3b12a4fc0442a12906d48d742e22289f83b980e27a1ed7c5461bd37894e993a44548f5d2c59797ac330d052b617474895bde
SSDEEP

3072:uFr85oUnFtac6koMxv6guvss+PojUyxkjy4B:ir8aafa9BMxyg8J+AjDD4

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Signatures

NetWire RAT payload 6 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/900-57-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral1/memory/900-58-0x0000000000402196-mapping.dmp	netwire
behavioral1/memory/900-62-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral1/memory/900-67-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral1/memory/432-73-0x0000000000402196-mapping.dmp	netwire
behavioral1/memory/432-78-0x0000000000400000-0x000000000041E000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 1 IoCs

Processes:

Host.exe

pid process

1032 Host.exe

pid	process
1032	Host.exe

Loads dropped DLL 3 IoCs

Processes:

1186674c00552b361cc1f4b2c3d7fae6c23ba68e6a80a3f3b4dbe49cddfd2795.exeHost.exe

pid	process
900	1186674c00552b361cc1f4b2c3d7fae6c23ba68e6a80a3f3b4dbe49cddfd2795.exe
900	1186674c00552b361cc1f4b2c3d7fae6c23ba68e6a80a3f3b4dbe49cddfd2795.exe
432	Host.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Host.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	Host.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\NetWire = "C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe"	Host.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

1186674c00552b361cc1f4b2c3d7fae6c23ba68e6a80a3f3b4dbe49cddfd2795.exeHost.exe

description	pid	process	target process
PID 996 set thread context of 900	996	1186674c00552b361cc1f4b2c3d7fae6c23ba68e6a80a3f3b4dbe49cddfd2795.exe	1186674c00552b361cc1f4b2c3d7fae6c23ba68e6a80a3f3b4dbe49cddfd2795.exe
PID 1032 set thread context of 432	1032	Host.exe	Host.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

1186674c00552b361cc1f4b2c3d7fae6c23ba68e6a80a3f3b4dbe49cddfd2795.exeHost.exe

pid process

996 1186674c00552b361cc1f4b2c3d7fae6c23ba68e6a80a3f3b4dbe49cddfd2795.exe
1032 Host.exe

pid	process
996	1186674c00552b361cc1f4b2c3d7fae6c23ba68e6a80a3f3b4dbe49cddfd2795.exe
1032	Host.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

1186674c00552b361cc1f4b2c3d7fae6c23ba68e6a80a3f3b4dbe49cddfd2795.exe1186674c00552b361cc1f4b2c3d7fae6c23ba68e6a80a3f3b4dbe49cddfd2795.exeHost.exe

description	pid	process	target process
PID 996 wrote to memory of 900	996	1186674c00552b361cc1f4b2c3d7fae6c23ba68e6a80a3f3b4dbe49cddfd2795.exe	1186674c00552b361cc1f4b2c3d7fae6c23ba68e6a80a3f3b4dbe49cddfd2795.exe
PID 996 wrote to memory of 900	996	1186674c00552b361cc1f4b2c3d7fae6c23ba68e6a80a3f3b4dbe49cddfd2795.exe	1186674c00552b361cc1f4b2c3d7fae6c23ba68e6a80a3f3b4dbe49cddfd2795.exe
PID 996 wrote to memory of 900	996	1186674c00552b361cc1f4b2c3d7fae6c23ba68e6a80a3f3b4dbe49cddfd2795.exe	1186674c00552b361cc1f4b2c3d7fae6c23ba68e6a80a3f3b4dbe49cddfd2795.exe
PID 996 wrote to memory of 900	996	1186674c00552b361cc1f4b2c3d7fae6c23ba68e6a80a3f3b4dbe49cddfd2795.exe	1186674c00552b361cc1f4b2c3d7fae6c23ba68e6a80a3f3b4dbe49cddfd2795.exe
PID 996 wrote to memory of 900	996	1186674c00552b361cc1f4b2c3d7fae6c23ba68e6a80a3f3b4dbe49cddfd2795.exe	1186674c00552b361cc1f4b2c3d7fae6c23ba68e6a80a3f3b4dbe49cddfd2795.exe
PID 996 wrote to memory of 900	996	1186674c00552b361cc1f4b2c3d7fae6c23ba68e6a80a3f3b4dbe49cddfd2795.exe	1186674c00552b361cc1f4b2c3d7fae6c23ba68e6a80a3f3b4dbe49cddfd2795.exe
PID 996 wrote to memory of 900	996	1186674c00552b361cc1f4b2c3d7fae6c23ba68e6a80a3f3b4dbe49cddfd2795.exe	1186674c00552b361cc1f4b2c3d7fae6c23ba68e6a80a3f3b4dbe49cddfd2795.exe
PID 996 wrote to memory of 900	996	1186674c00552b361cc1f4b2c3d7fae6c23ba68e6a80a3f3b4dbe49cddfd2795.exe	1186674c00552b361cc1f4b2c3d7fae6c23ba68e6a80a3f3b4dbe49cddfd2795.exe
PID 996 wrote to memory of 900	996	1186674c00552b361cc1f4b2c3d7fae6c23ba68e6a80a3f3b4dbe49cddfd2795.exe	1186674c00552b361cc1f4b2c3d7fae6c23ba68e6a80a3f3b4dbe49cddfd2795.exe
PID 996 wrote to memory of 900	996	1186674c00552b361cc1f4b2c3d7fae6c23ba68e6a80a3f3b4dbe49cddfd2795.exe	1186674c00552b361cc1f4b2c3d7fae6c23ba68e6a80a3f3b4dbe49cddfd2795.exe
PID 996 wrote to memory of 900	996	1186674c00552b361cc1f4b2c3d7fae6c23ba68e6a80a3f3b4dbe49cddfd2795.exe	1186674c00552b361cc1f4b2c3d7fae6c23ba68e6a80a3f3b4dbe49cddfd2795.exe
PID 900 wrote to memory of 1032	900	1186674c00552b361cc1f4b2c3d7fae6c23ba68e6a80a3f3b4dbe49cddfd2795.exe	Host.exe
PID 900 wrote to memory of 1032	900	1186674c00552b361cc1f4b2c3d7fae6c23ba68e6a80a3f3b4dbe49cddfd2795.exe	Host.exe
PID 900 wrote to memory of 1032	900	1186674c00552b361cc1f4b2c3d7fae6c23ba68e6a80a3f3b4dbe49cddfd2795.exe	Host.exe
PID 900 wrote to memory of 1032	900	1186674c00552b361cc1f4b2c3d7fae6c23ba68e6a80a3f3b4dbe49cddfd2795.exe	Host.exe
PID 1032 wrote to memory of 432	1032	Host.exe	Host.exe
PID 1032 wrote to memory of 432	1032	Host.exe	Host.exe
PID 1032 wrote to memory of 432	1032	Host.exe	Host.exe
PID 1032 wrote to memory of 432	1032	Host.exe	Host.exe
PID 1032 wrote to memory of 432	1032	Host.exe	Host.exe
PID 1032 wrote to memory of 432	1032	Host.exe	Host.exe
PID 1032 wrote to memory of 432	1032	Host.exe	Host.exe
PID 1032 wrote to memory of 432	1032	Host.exe	Host.exe
PID 1032 wrote to memory of 432	1032	Host.exe	Host.exe
PID 1032 wrote to memory of 432	1032	Host.exe	Host.exe
PID 1032 wrote to memory of 432	1032	Host.exe	Host.exe

C:\Users\Admin\AppData\Local\Temp\1186674c00552b361cc1f4b2c3d7fae6c23ba68e6a80a3f3b4dbe49cddfd2795.exe
"C:\Users\Admin\AppData\Local\Temp\1186674c00552b361cc1f4b2c3d7fae6c23ba68e6a80a3f3b4dbe49cddfd2795.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:996

C:\Users\Admin\AppData\Local\Temp\1186674c00552b361cc1f4b2c3d7fae6c23ba68e6a80a3f3b4dbe49cddfd2795.exe
"C:\Users\Admin\AppData\Local\Temp\1186674c00552b361cc1f4b2c3d7fae6c23ba68e6a80a3f3b4dbe49cddfd2795.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:900

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1032

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
4⤵
- Loads dropped DLL
- Adds Run key to start application
PID:432

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
128KB

MD5
66f07d8c367c635e5f6f7583436cd970

SHA1
a6ae5111804cd4cc98f81f23122fdd7deca32c44

SHA256
1186674c00552b361cc1f4b2c3d7fae6c23ba68e6a80a3f3b4dbe49cddfd2795

SHA512
daa7bdcff96d39042ba09fcbd6ba3b12a4fc0442a12906d48d742e22289f83b980e27a1ed7c5461bd37894e993a44548f5d2c59797ac330d052b617474895bde

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
128KB

MD5
66f07d8c367c635e5f6f7583436cd970

SHA1
a6ae5111804cd4cc98f81f23122fdd7deca32c44

SHA256
1186674c00552b361cc1f4b2c3d7fae6c23ba68e6a80a3f3b4dbe49cddfd2795

SHA512
daa7bdcff96d39042ba09fcbd6ba3b12a4fc0442a12906d48d742e22289f83b980e27a1ed7c5461bd37894e993a44548f5d2c59797ac330d052b617474895bde

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
128KB

MD5
66f07d8c367c635e5f6f7583436cd970

SHA1
a6ae5111804cd4cc98f81f23122fdd7deca32c44

SHA256
1186674c00552b361cc1f4b2c3d7fae6c23ba68e6a80a3f3b4dbe49cddfd2795

SHA512
daa7bdcff96d39042ba09fcbd6ba3b12a4fc0442a12906d48d742e22289f83b980e27a1ed7c5461bd37894e993a44548f5d2c59797ac330d052b617474895bde

Download Submit
\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
128KB

MD5
66f07d8c367c635e5f6f7583436cd970

SHA1
a6ae5111804cd4cc98f81f23122fdd7deca32c44

SHA256
1186674c00552b361cc1f4b2c3d7fae6c23ba68e6a80a3f3b4dbe49cddfd2795

SHA512
daa7bdcff96d39042ba09fcbd6ba3b12a4fc0442a12906d48d742e22289f83b980e27a1ed7c5461bd37894e993a44548f5d2c59797ac330d052b617474895bde

Download Submit
\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
128KB

MD5
66f07d8c367c635e5f6f7583436cd970

SHA1
a6ae5111804cd4cc98f81f23122fdd7deca32c44

SHA256
1186674c00552b361cc1f4b2c3d7fae6c23ba68e6a80a3f3b4dbe49cddfd2795

SHA512
daa7bdcff96d39042ba09fcbd6ba3b12a4fc0442a12906d48d742e22289f83b980e27a1ed7c5461bd37894e993a44548f5d2c59797ac330d052b617474895bde

Download Submit
memory/432-73-0x0000000000402196-mapping.dmp

Download
memory/432-78-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/900-62-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/900-67-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/900-58-0x0000000000402196-mapping.dmp

Download
memory/900-57-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/996-59-0x00000000002B0000-0x00000000002B6000-memory.dmp

Filesize
24KB

Download
memory/996-56-0x00000000760E1000-0x00000000760E3000-memory.dmp

Filesize
8KB

Download
memory/1032-65-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads