netwire | 1186674c00552b361cc1f4b2c3d7fae6c23ba68e6a80a3f3b4dbe49cddfd2795

General

Target

1186674c00552b361cc1f4b2c3d7fae6c23ba68e6a80a3f3b4dbe49cddfd2795.exe
Size

128KB
MD5

66f07d8c367c635e5f6f7583436cd970
SHA1

a6ae5111804cd4cc98f81f23122fdd7deca32c44
SHA256

1186674c00552b361cc1f4b2c3d7fae6c23ba68e6a80a3f3b4dbe49cddfd2795
SHA512

daa7bdcff96d39042ba09fcbd6ba3b12a4fc0442a12906d48d742e22289f83b980e27a1ed7c5461bd37894e993a44548f5d2c59797ac330d052b617474895bde
SSDEEP

3072:uFr85oUnFtac6koMxv6guvss+PojUyxkjy4B:ir8aafa9BMxyg8J+AjDD4

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Signatures

NetWire RAT payload 6 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4124-134-0x0000000000000000-mapping.dmp	netwire
behavioral2/memory/4124-135-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral2/memory/4124-138-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral2/memory/4124-141-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral2/memory/1084-145-0x0000000000000000-mapping.dmp	netwire
behavioral2/memory/1084-150-0x0000000000400000-0x000000000041E000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 2 IoCs

Processes:

Host.exeHost.exe

pid process

4184 Host.exe
1084 Host.exe

pid	process
4184	Host.exe
1084	Host.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Host.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	Host.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NetWire = "C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe"	Host.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

1186674c00552b361cc1f4b2c3d7fae6c23ba68e6a80a3f3b4dbe49cddfd2795.exeHost.exe

description	pid	process	target process
PID 2204 set thread context of 4124	2204	1186674c00552b361cc1f4b2c3d7fae6c23ba68e6a80a3f3b4dbe49cddfd2795.exe	1186674c00552b361cc1f4b2c3d7fae6c23ba68e6a80a3f3b4dbe49cddfd2795.exe
PID 4184 set thread context of 1084	4184	Host.exe	Host.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

1186674c00552b361cc1f4b2c3d7fae6c23ba68e6a80a3f3b4dbe49cddfd2795.exeHost.exe

pid process

2204 1186674c00552b361cc1f4b2c3d7fae6c23ba68e6a80a3f3b4dbe49cddfd2795.exe
4184 Host.exe

pid	process
2204	1186674c00552b361cc1f4b2c3d7fae6c23ba68e6a80a3f3b4dbe49cddfd2795.exe
4184	Host.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

1186674c00552b361cc1f4b2c3d7fae6c23ba68e6a80a3f3b4dbe49cddfd2795.exe1186674c00552b361cc1f4b2c3d7fae6c23ba68e6a80a3f3b4dbe49cddfd2795.exeHost.exe

description	pid	process	target process
PID 2204 wrote to memory of 4124	2204	1186674c00552b361cc1f4b2c3d7fae6c23ba68e6a80a3f3b4dbe49cddfd2795.exe	1186674c00552b361cc1f4b2c3d7fae6c23ba68e6a80a3f3b4dbe49cddfd2795.exe
PID 2204 wrote to memory of 4124	2204	1186674c00552b361cc1f4b2c3d7fae6c23ba68e6a80a3f3b4dbe49cddfd2795.exe	1186674c00552b361cc1f4b2c3d7fae6c23ba68e6a80a3f3b4dbe49cddfd2795.exe
PID 2204 wrote to memory of 4124	2204	1186674c00552b361cc1f4b2c3d7fae6c23ba68e6a80a3f3b4dbe49cddfd2795.exe	1186674c00552b361cc1f4b2c3d7fae6c23ba68e6a80a3f3b4dbe49cddfd2795.exe
PID 2204 wrote to memory of 4124	2204	1186674c00552b361cc1f4b2c3d7fae6c23ba68e6a80a3f3b4dbe49cddfd2795.exe	1186674c00552b361cc1f4b2c3d7fae6c23ba68e6a80a3f3b4dbe49cddfd2795.exe
PID 2204 wrote to memory of 4124	2204	1186674c00552b361cc1f4b2c3d7fae6c23ba68e6a80a3f3b4dbe49cddfd2795.exe	1186674c00552b361cc1f4b2c3d7fae6c23ba68e6a80a3f3b4dbe49cddfd2795.exe
PID 2204 wrote to memory of 4124	2204	1186674c00552b361cc1f4b2c3d7fae6c23ba68e6a80a3f3b4dbe49cddfd2795.exe	1186674c00552b361cc1f4b2c3d7fae6c23ba68e6a80a3f3b4dbe49cddfd2795.exe
PID 2204 wrote to memory of 4124	2204	1186674c00552b361cc1f4b2c3d7fae6c23ba68e6a80a3f3b4dbe49cddfd2795.exe	1186674c00552b361cc1f4b2c3d7fae6c23ba68e6a80a3f3b4dbe49cddfd2795.exe
PID 2204 wrote to memory of 4124	2204	1186674c00552b361cc1f4b2c3d7fae6c23ba68e6a80a3f3b4dbe49cddfd2795.exe	1186674c00552b361cc1f4b2c3d7fae6c23ba68e6a80a3f3b4dbe49cddfd2795.exe
PID 2204 wrote to memory of 4124	2204	1186674c00552b361cc1f4b2c3d7fae6c23ba68e6a80a3f3b4dbe49cddfd2795.exe	1186674c00552b361cc1f4b2c3d7fae6c23ba68e6a80a3f3b4dbe49cddfd2795.exe
PID 2204 wrote to memory of 4124	2204	1186674c00552b361cc1f4b2c3d7fae6c23ba68e6a80a3f3b4dbe49cddfd2795.exe	1186674c00552b361cc1f4b2c3d7fae6c23ba68e6a80a3f3b4dbe49cddfd2795.exe
PID 4124 wrote to memory of 4184	4124	1186674c00552b361cc1f4b2c3d7fae6c23ba68e6a80a3f3b4dbe49cddfd2795.exe	Host.exe
PID 4124 wrote to memory of 4184	4124	1186674c00552b361cc1f4b2c3d7fae6c23ba68e6a80a3f3b4dbe49cddfd2795.exe	Host.exe
PID 4124 wrote to memory of 4184	4124	1186674c00552b361cc1f4b2c3d7fae6c23ba68e6a80a3f3b4dbe49cddfd2795.exe	Host.exe
PID 4184 wrote to memory of 1084	4184	Host.exe	Host.exe
PID 4184 wrote to memory of 1084	4184	Host.exe	Host.exe
PID 4184 wrote to memory of 1084	4184	Host.exe	Host.exe
PID 4184 wrote to memory of 1084	4184	Host.exe	Host.exe
PID 4184 wrote to memory of 1084	4184	Host.exe	Host.exe
PID 4184 wrote to memory of 1084	4184	Host.exe	Host.exe
PID 4184 wrote to memory of 1084	4184	Host.exe	Host.exe
PID 4184 wrote to memory of 1084	4184	Host.exe	Host.exe
PID 4184 wrote to memory of 1084	4184	Host.exe	Host.exe
PID 4184 wrote to memory of 1084	4184	Host.exe	Host.exe

C:\Users\Admin\AppData\Local\Temp\1186674c00552b361cc1f4b2c3d7fae6c23ba68e6a80a3f3b4dbe49cddfd2795.exe
"C:\Users\Admin\AppData\Local\Temp\1186674c00552b361cc1f4b2c3d7fae6c23ba68e6a80a3f3b4dbe49cddfd2795.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2204

C:\Users\Admin\AppData\Local\Temp\1186674c00552b361cc1f4b2c3d7fae6c23ba68e6a80a3f3b4dbe49cddfd2795.exe
"C:\Users\Admin\AppData\Local\Temp\1186674c00552b361cc1f4b2c3d7fae6c23ba68e6a80a3f3b4dbe49cddfd2795.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4124

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4184

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1084

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
128KB

MD5
66f07d8c367c635e5f6f7583436cd970

SHA1
a6ae5111804cd4cc98f81f23122fdd7deca32c44

SHA256
1186674c00552b361cc1f4b2c3d7fae6c23ba68e6a80a3f3b4dbe49cddfd2795

SHA512
daa7bdcff96d39042ba09fcbd6ba3b12a4fc0442a12906d48d742e22289f83b980e27a1ed7c5461bd37894e993a44548f5d2c59797ac330d052b617474895bde

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
128KB

MD5
66f07d8c367c635e5f6f7583436cd970

SHA1
a6ae5111804cd4cc98f81f23122fdd7deca32c44

SHA256
1186674c00552b361cc1f4b2c3d7fae6c23ba68e6a80a3f3b4dbe49cddfd2795

SHA512
daa7bdcff96d39042ba09fcbd6ba3b12a4fc0442a12906d48d742e22289f83b980e27a1ed7c5461bd37894e993a44548f5d2c59797ac330d052b617474895bde

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
128KB

MD5
66f07d8c367c635e5f6f7583436cd970

SHA1
a6ae5111804cd4cc98f81f23122fdd7deca32c44

SHA256
1186674c00552b361cc1f4b2c3d7fae6c23ba68e6a80a3f3b4dbe49cddfd2795

SHA512
daa7bdcff96d39042ba09fcbd6ba3b12a4fc0442a12906d48d742e22289f83b980e27a1ed7c5461bd37894e993a44548f5d2c59797ac330d052b617474895bde

Download Submit
memory/1084-145-0x0000000000000000-mapping.dmp

Download
memory/1084-150-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2204-136-0x0000000000570000-0x0000000000576000-memory.dmp

Filesize
24KB

Download
memory/4124-134-0x0000000000000000-mapping.dmp

Download
memory/4124-135-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4124-138-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4124-141-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4184-139-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads