netwire | 3b7965955c76752c635a89d5124c15ec90a91e4469375976b860ba61e9f51b93

General

Target

3b7965955c76752c635a89d5124c15ec90a91e4469375976b860ba61e9f51b93.exe
Size

141KB
MD5

9f3a2c39b2697ccfb4fbd3a9317c3f8b
SHA1

45af562894d49f33aa15316e3a975d8de13921a8
SHA256

3b7965955c76752c635a89d5124c15ec90a91e4469375976b860ba61e9f51b93
SHA512

f50efc6d91c1768a740db7e58eacc9d65d5f81fb3ea899c1533a31e3c276ae99f2fafdc9922c697e0c80ebe541bfe0265a492f5b19a9fb2fff60d9c0b4240428
SSDEEP

3072:7Asj8MBX8s0oXJLrJY7+Ne4tgJFvcHWK9BAMprDgkZPU8n20PjK9vNPszT:7AsBZtK7+FtgJFvc2mrDgkZPUw20Pji8

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Signatures

NetWire RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1120-134-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral2/memory/1120-136-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral2/memory/1120-139-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral2/memory/3248-150-0x0000000000400000-0x000000000041E000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 2 IoCs

Processes:

Host.exeHost.exe

pid process

1048 Host.exe
3248 Host.exe

pid	process
1048	Host.exe
3248	Host.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Host.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{233505I0-OB46-7P45-B65Q-0DT1CI742RQJ}	Host.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{233505I0-OB46-7P45-B65Q-0DT1CI742RQJ}\StubPath = "\"C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe\""	Host.exe

Loads dropped DLL 2 IoCs

Processes:

3b7965955c76752c635a89d5124c15ec90a91e4469375976b860ba61e9f51b93.exeHost.exe

pid process

4792 3b7965955c76752c635a89d5124c15ec90a91e4469375976b860ba61e9f51b93.exe
1048 Host.exe

pid	process
4792	3b7965955c76752c635a89d5124c15ec90a91e4469375976b860ba61e9f51b93.exe
1048	Host.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Host.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	Host.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NetWire = "C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe"	Host.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

3b7965955c76752c635a89d5124c15ec90a91e4469375976b860ba61e9f51b93.exeHost.exe

description	pid	process	target process
PID 4792 set thread context of 1120	4792	3b7965955c76752c635a89d5124c15ec90a91e4469375976b860ba61e9f51b93.exe	3b7965955c76752c635a89d5124c15ec90a91e4469375976b860ba61e9f51b93.exe
PID 1048 set thread context of 3248	1048	Host.exe	Host.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 6 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Install\Host.exe	nsis_installer_1
C:\Users\Admin\AppData\Roaming\Install\Host.exe	nsis_installer_2
C:\Users\Admin\AppData\Roaming\Install\Host.exe	nsis_installer_1
C:\Users\Admin\AppData\Roaming\Install\Host.exe	nsis_installer_2
C:\Users\Admin\AppData\Roaming\Install\Host.exe	nsis_installer_1
C:\Users\Admin\AppData\Roaming\Install\Host.exe	nsis_installer_2

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

3b7965955c76752c635a89d5124c15ec90a91e4469375976b860ba61e9f51b93.exe3b7965955c76752c635a89d5124c15ec90a91e4469375976b860ba61e9f51b93.exeHost.exe

description	pid	process	target process
PID 4792 wrote to memory of 1120	4792	3b7965955c76752c635a89d5124c15ec90a91e4469375976b860ba61e9f51b93.exe	3b7965955c76752c635a89d5124c15ec90a91e4469375976b860ba61e9f51b93.exe
PID 4792 wrote to memory of 1120	4792	3b7965955c76752c635a89d5124c15ec90a91e4469375976b860ba61e9f51b93.exe	3b7965955c76752c635a89d5124c15ec90a91e4469375976b860ba61e9f51b93.exe
PID 4792 wrote to memory of 1120	4792	3b7965955c76752c635a89d5124c15ec90a91e4469375976b860ba61e9f51b93.exe	3b7965955c76752c635a89d5124c15ec90a91e4469375976b860ba61e9f51b93.exe
PID 4792 wrote to memory of 1120	4792	3b7965955c76752c635a89d5124c15ec90a91e4469375976b860ba61e9f51b93.exe	3b7965955c76752c635a89d5124c15ec90a91e4469375976b860ba61e9f51b93.exe
PID 4792 wrote to memory of 1120	4792	3b7965955c76752c635a89d5124c15ec90a91e4469375976b860ba61e9f51b93.exe	3b7965955c76752c635a89d5124c15ec90a91e4469375976b860ba61e9f51b93.exe
PID 4792 wrote to memory of 1120	4792	3b7965955c76752c635a89d5124c15ec90a91e4469375976b860ba61e9f51b93.exe	3b7965955c76752c635a89d5124c15ec90a91e4469375976b860ba61e9f51b93.exe
PID 4792 wrote to memory of 1120	4792	3b7965955c76752c635a89d5124c15ec90a91e4469375976b860ba61e9f51b93.exe	3b7965955c76752c635a89d5124c15ec90a91e4469375976b860ba61e9f51b93.exe
PID 4792 wrote to memory of 1120	4792	3b7965955c76752c635a89d5124c15ec90a91e4469375976b860ba61e9f51b93.exe	3b7965955c76752c635a89d5124c15ec90a91e4469375976b860ba61e9f51b93.exe
PID 4792 wrote to memory of 1120	4792	3b7965955c76752c635a89d5124c15ec90a91e4469375976b860ba61e9f51b93.exe	3b7965955c76752c635a89d5124c15ec90a91e4469375976b860ba61e9f51b93.exe
PID 1120 wrote to memory of 1048	1120	3b7965955c76752c635a89d5124c15ec90a91e4469375976b860ba61e9f51b93.exe	Host.exe
PID 1120 wrote to memory of 1048	1120	3b7965955c76752c635a89d5124c15ec90a91e4469375976b860ba61e9f51b93.exe	Host.exe
PID 1120 wrote to memory of 1048	1120	3b7965955c76752c635a89d5124c15ec90a91e4469375976b860ba61e9f51b93.exe	Host.exe
PID 1048 wrote to memory of 3248	1048	Host.exe	Host.exe
PID 1048 wrote to memory of 3248	1048	Host.exe	Host.exe
PID 1048 wrote to memory of 3248	1048	Host.exe	Host.exe
PID 1048 wrote to memory of 3248	1048	Host.exe	Host.exe
PID 1048 wrote to memory of 3248	1048	Host.exe	Host.exe
PID 1048 wrote to memory of 3248	1048	Host.exe	Host.exe
PID 1048 wrote to memory of 3248	1048	Host.exe	Host.exe
PID 1048 wrote to memory of 3248	1048	Host.exe	Host.exe
PID 1048 wrote to memory of 3248	1048	Host.exe	Host.exe

C:\Users\Admin\AppData\Local\Temp\3b7965955c76752c635a89d5124c15ec90a91e4469375976b860ba61e9f51b93.exe
"C:\Users\Admin\AppData\Local\Temp\3b7965955c76752c635a89d5124c15ec90a91e4469375976b860ba61e9f51b93.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4792

C:\Users\Admin\AppData\Local\Temp\3b7965955c76752c635a89d5124c15ec90a91e4469375976b860ba61e9f51b93.exe
"C:\Users\Admin\AppData\Local\Temp\3b7965955c76752c635a89d5124c15ec90a91e4469375976b860ba61e9f51b93.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1120

C:\Users\Admin\AppData\Roaming\Install\Host.exe
-m "C:\Users\Admin\AppData\Local\Temp\3b7965955c76752c635a89d5124c15ec90a91e4469375976b860ba61e9f51b93.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1048

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
4⤵
- Executes dropped EXE
- Modifies Installed Components in the registry
- Adds Run key to start application
PID:3248

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsaAE58.tmp\deviances.dll
Filesize
63KB

MD5
c80dd075d9b0fc3f46674169909c0ebf

SHA1
cbb8b6b10a598bd4625a917be7de0868d2c1bd50

SHA256
59e36818923aa15c98738715460ed8928005d27447dad880d7cadaf09ebf576d

SHA512
8c582e8ff3b283769f3a8e254548a6ddf5f424da117633819a0531a457c355f4f8e638a396fbc4150565b2f77ee4ae045a20ad5c039ee9e6f29d8ae89d68faa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsaEF0A.tmp\deviances.dll
Filesize
63KB

MD5
c80dd075d9b0fc3f46674169909c0ebf

SHA1
cbb8b6b10a598bd4625a917be7de0868d2c1bd50

SHA256
59e36818923aa15c98738715460ed8928005d27447dad880d7cadaf09ebf576d

SHA512
8c582e8ff3b283769f3a8e254548a6ddf5f424da117633819a0531a457c355f4f8e638a396fbc4150565b2f77ee4ae045a20ad5c039ee9e6f29d8ae89d68faa4

Download Submit
C:\Users\Admin\AppData\Roaming\2gawda1afwfwyt21a
Filesize
263B

MD5
dfae9d9b51e2e0887dae38074186a600

SHA1
89d59bdbf68eddaf5f8facc82b1ebf8ee3992b15

SHA256
aa2d43f866891e70424fad9d68e26868abe3f57b613b0dbaa7d73a4cdf56e2aa

SHA512
6d7b345efe037f6c7cc64ce5e3b1a4b5d34601501761b5a29c221cdeeba5932e64252884bf16cae33aedd1601297c9f9d93cc96fc7ea625345b39c9d81ad6e50

Download Submit
C:\Users\Admin\AppData\Roaming\HALF_BAKED[1998]DVDRIP.AVI.avi
Filesize
84KB

MD5
073a02afc81db5e60af9e7eb5cb158c7

SHA1
61a1e4f257ddfd428adb6d6e68c5266c2484a5ca

SHA256
82a64a71c77cfa8b71285a122c873b0374e835d67c06cf8527ef288f6b8936ce

SHA512
c77dd672c6063ca5ee33b7c3709b5ba0204bc789e89f2fbbe069710664cbe12742f54ca39f81f1ce1622f0fd9b0a795bfe6149995f1e6d18ba1258e4d72e2726

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
141KB

MD5
9f3a2c39b2697ccfb4fbd3a9317c3f8b

SHA1
45af562894d49f33aa15316e3a975d8de13921a8

SHA256
3b7965955c76752c635a89d5124c15ec90a91e4469375976b860ba61e9f51b93

SHA512
f50efc6d91c1768a740db7e58eacc9d65d5f81fb3ea899c1533a31e3c276ae99f2fafdc9922c697e0c80ebe541bfe0265a492f5b19a9fb2fff60d9c0b4240428

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
141KB

MD5
9f3a2c39b2697ccfb4fbd3a9317c3f8b

SHA1
45af562894d49f33aa15316e3a975d8de13921a8

SHA256
3b7965955c76752c635a89d5124c15ec90a91e4469375976b860ba61e9f51b93

SHA512
f50efc6d91c1768a740db7e58eacc9d65d5f81fb3ea899c1533a31e3c276ae99f2fafdc9922c697e0c80ebe541bfe0265a492f5b19a9fb2fff60d9c0b4240428

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
141KB

MD5
9f3a2c39b2697ccfb4fbd3a9317c3f8b

SHA1
45af562894d49f33aa15316e3a975d8de13921a8

SHA256
3b7965955c76752c635a89d5124c15ec90a91e4469375976b860ba61e9f51b93

SHA512
f50efc6d91c1768a740db7e58eacc9d65d5f81fb3ea899c1533a31e3c276ae99f2fafdc9922c697e0c80ebe541bfe0265a492f5b19a9fb2fff60d9c0b4240428

Download Submit
C:\Users\Admin\AppData\Roaming\KYdrxQ9SE2UvHWh-eofJq0DG9kwYbrV-9wmXESoHMLtaGOi-JE8MpifY97Avm3V.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1048-137-0x0000000000000000-mapping.dmp

Download
memory/1120-136-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1120-139-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1120-134-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1120-133-0x0000000000000000-mapping.dmp

Download
memory/3248-145-0x0000000000000000-mapping.dmp

Download
memory/3248-150-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads